From bc79683118e529a8325fd229840915efe30c3f48 Mon Sep 17 00:00:00 2001
From: Ondrej Mosnacek <omosnace@redhat.com>
Date: Mon, 3 Aug 2020 14:49:31 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/bc79683118e529a8325fd229840915efe30c3f48
Conflict: NA
Subject: [PATCH] sysnetwork.if: avoid directly referencing
systemd_resolved_var_run_t
Instead create a systemd_resolved_pid_filetrans() interface in
systemd.if and use that. Also used a unified interface for adding these
transitions in sysnet_filetrans_named_content() and directly in the
systemd module.
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
---
policy/modules/system/sysnetwork.if | 36 +++++++++++++++++++++++++++---------
policy/modules/system/systemd.if | 34 ++++++++++++++++++++++++++++++++++
policy/modules/system/systemd.te | 4 +---
3 files changed, 62 insertions(+), 12 deletions(-)
diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 10172d6..d7b696b 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -1127,6 +1127,29 @@ interface(`sysnet_role_transition_dhcpc',`
########################################
## <summary>
+## Set up filename transitions for systemd-resolved network
+## configuration content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_filetrans_systemd_resolved',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ optional_policy(`
+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf")
+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+ systemd_resolved_pid_filetrans($1, net_conf_t, file, "stub-resolv.conf")
+ ')
+')
+
+########################################
+## <summary>
## Transition to sysnet named content
## </summary>
## <param name="domain">
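Review bot: The summary of sysnet_filetrans_systemd_resolved does not say in which directory the transitions apply or which type the new files receive. A caller has to read systemd_resolved_pid_filetrans to learn that "resolv.conf", "resolv.conf.tmp" and "stub-resolv.conf" become net_conf_t only when created under systemd_resolved_var_run_t. Suggest naming the parent directory and the resulting type in the summary. It is also worth a comment that the list of three file names is exact-match, so any other name created there keeps the directory's default type.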
@@ -1138,7 +1161,6 @@ interface(`sysnet_role_transition_dhcpc',`
interface(`sysnet_filetrans_named_content',`
gen_require(`
type net_conf_t;
- type systemd_resolved_var_run_t;
')
files_etc_filetrans($1, net_conf_t, file, "resolv.conf")
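Review bot: Dropping "type systemd_resolved_var_run_t;" from gen_require in sysnet_filetrans_named_content is only correct if no line in the interface body still names that type. The diff shows three such references removed in the following hunk, but the body lines between the two hunks are not visible here, so please confirm nothing else in the interface uses the type, otherwise the module fails to build or silently depends on another require.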
@@ -1160,15 +1182,11 @@ interface(`sysnet_filetrans_named_content',`
init_pid_filetrans($1, net_conf_t, dir, "network")
optional_policy(`
- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
- networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
- ')
+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf")
+ networkmanager_pid_filetrans($1, net_conf_t, file, "resolv.conf.tmp")
+ ')
- optional_policy(`
- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf")
- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
- sysnet_filetrans_config_fromdir($1,systemd_resolved_var_run_t, file, "stub-resolv.conf")
- ')
+ sysnet_filetrans_systemd_resolved($1)
')
########################################
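Review bot: The networkmanager_pid_filetrans lines and the closing of their optional_policy block are removed and re-added with identical text, which makes this a whitespace-only change unrelated to the subject of the patch. Suggest dropping it or sending it separately so the functional change stays easy to audit. On the functional part, sysnet_filetrans_systemd_resolved($1) is now called outside any optional_policy here; that is fine because the interface wraps its own calls in optional_policy, but a short comment saying so would stop a later editor from re-wrapping it.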
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 26d4927..d10ae16 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -335,6 +335,40 @@ interface(`systemd_resolved_write_pid_sock_files',`
write_sock_files_pattern($1, systemd_resolved_var_run_t, systemd_resolved_var_run_t)
')
+########################################
+## <summary>
+## Create objects in /var/run/systemd/resolve with a private
+## type using a type_transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="file_type">
+## <summary>
+## Private file type.
+## </summary>
+## </param>
+## <param name="class">
+## <summary>
+## Object classes to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`systemd_resolved_pid_filetrans',`
+ gen_require(`
+ type systemd_resolved_var_run_t;
+ ')
+
+ filetrans_pattern($1, systemd_resolved_var_run_t, $2, $3, $4)
+')
+
######################################
## <summary>
## Read systemd_login PID files.
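Review bot: The summary of systemd_resolved_pid_filetrans describes only the type_transition, while the body hands the caller domain to filetrans_pattern on systemd_resolved_var_run_t. Suggest stating in the summary whatever directory access that pattern gives $1 alongside the transition, so users of the interface know what they are granting. Minor style point: the added block opens with a 40-character separator while the following systemd_login block uses a shorter one; pick one width for the file.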
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 332d716..c806b29 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1071,9 +1071,7 @@ dev_write_kmsg(systemd_resolved_t)
dev_read_sysfs(systemd_resolved_t)
sysnet_manage_config(systemd_resolved_t)
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf")
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "stub-resolv.conf")
-sysnet_filetrans_config_fromdir(systemd_resolved_t,systemd_resolved_var_run_t, file, "resolv.conf.tmp")
+sysnet_filetrans_systemd_resolved(systemd_resolved_t)
systemd_read_efivarfs(systemd_resolved_t)
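Review bot: Replacing the three sysnet_filetrans_config_fromdir calls with sysnet_filetrans_systemd_resolved(systemd_resolved_t) is only a pure refactor if both paths expand to the same rules, and the definition of sysnet_filetrans_config_fromdir is not part of this diff. Suggest confirming equivalence on the built policy, for example by comparing the type_transition rules for systemd_resolved_t on systemd_resolved_var_run_t before and after with sesearch -T. Note also that systemd.te now reaches its own module's interface through sysnetwork.if inside an optional_policy; a one-line comment at this call would make that indirection obvious.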
--
1.8.3.1