diff options
| author |   Chris PeBenito <chpebeni@linux.microsoft.com> | 2024-02-23 15:57:52 -0500 |
|---|---|---|
| committer |   Kenton Groombridge <concord@gentoo.org> | 2024-05-14 13:40:48 -0400 |
| commit | c9395d36bacb49d4f001f66b37e9287ca2c856e4 (patch) | |
| tree | 6057cc1cb70c1cb0968084ba7e9f8156e7d1a932 | |
| parent | Set the type on /etc/machine-info to net_conf_t so hostnamectl can manipulate... (diff) | |
| download | hardened-refpolicy-c9395d36bacb49d4f001f66b37e9287ca2c856e4.tar.gz hardened-refpolicy-c9395d36bacb49d4f001f66b37e9287ca2c856e4.tar.bz2 hardened-refpolicy-c9395d36bacb49d4f001f66b37e9287ca2c856e4.zip | |
uml: Remove excessive access from user domains on uml_exec_t.
The user domains were allowed to modify uml_exec_t files.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
| -rw-r--r-- | policy/modules/apps/uml.if | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/policy/modules/apps/uml.if b/policy/modules/apps/uml.if index 60033cc40..b690cbdfb 100644 --- a/policy/modules/apps/uml.if +++ b/policy/modules/apps/uml.if @@ -45,8 +45,8 @@ template(`uml_role',` ps_process_pattern($3, uml_t) allow $3 uml_t:process { ptrace signal_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_exec_t }:dir { manage_dir_perms relabel_dir_perms }; - allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t uml_exec_t }:file { manage_file_perms relabel_file_perms }; + allow $2 { uml_ro_t uml_rw_t uml_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; + allow $2 { uml_ro_t uml_rw_t uml_tmp_t uml_tmpfs_t }:file { manage_file_perms relabel_file_perms }; allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:lnk_file { manage_lnk_file_perms relabel_lnk_file_perms }; allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:fifo_file { manage_fifo_file_perms relabel_fifo_file_perms }; allow $2 { uml_ro_t uml_rw_t uml_tmpfs_t }:sock_file { manage_sock_file_perms relabel_sock_file_perms }; |