代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/selinux-policy 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 033c1ffb7c25c218f35ac5053d7f3a482c7df6af Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 14 Jul 2022 10:30:12 +0200
Subject: [PATCH] Allow some domains use sd_notify()
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/033c1ffb7c25c218f35ac5053d7f3a482c7df6af
Conflict: NA
sd_notify() and a few similar systemd library functions may be called by
a service to notify the service manager about state changes. It can be
used to send arbitrary information. Most importantly, it can be used for
start-up completion notification.
With this commit, all types in the daemon and login_userdomain
attributes and unconfined_service_t can connect to init (PID 1) and
init can write back to the fifo_file created by the domain.
Resolves: rhbz#1903305
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/system/init.if | 21 +++++++++++++++++++++
policy/modules/system/init.te | 2 ++
policy/modules/system/unconfined.te | 2 ++
policy/modules/system/userdomain.te | 2 ++
4 files changed, 27 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 4b3bb59..c07649b 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -3000,6 +3000,27 @@ interface(`init_rw_tcp_sockets',`
allow $1 init_t:tcp_socket { read write getattr };
')
+#######################################
+## <summary>
+## Use sd_notify
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_use_notify',`
+ gen_require(`
+ type init_t, init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ stream_connect_pattern($1, init_var_run_t, init_var_run_t, init_t)
+ allow $1 init_var_run_t:sock_file read_sock_file_perms;
+ allow init_t $1:fifo_file write_fifo_file_perms;
+')
+
########################################
## <summary>
## Get the system status information from init
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 073ce2c..e4bc96f 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -1335,6 +1335,8 @@ ifdef(`distro_suse',`
domain_dontaudit_use_interactive_fds(daemon)
+init_use_notify(daemon)
+
userdom_dontaudit_list_admin_dir(daemon)
userdom_dontaudit_search_user_tmp(daemon)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index ed03aad..4da1290 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -20,6 +20,8 @@ role unconfined_r types unconfined_service_t;
corecmd_bin_entry_type(unconfined_service_t)
corecmd_shell_entry_type(unconfined_service_t)
+init_use_notify(unconfined_service_t)
+
optional_policy(`
rpm_transition_script(unconfined_service_t, system_r)
')
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index 3ac8c12..0980247 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -400,6 +400,8 @@ files_watch_generic_tmp_dirs(login_userdomain)
fs_create_cgroup_files(login_userdomain)
fs_watch_cgroup_files(login_userdomain)
+init_use_notify(login_userdomain)
+
libs_watch_lib_dirs(login_userdomain)
miscfiles_watch_fonts_dirs(login_userdomain)
--
1.8.3.1
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手