[selinux-policy: 9/3172] hold off on improving

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:05:46 UTC 2010


commit 7f89c7efc67f03e7eff7acba9379f9d1ab463a5e
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Apr 19 13:46:06 2005 +0000

    hold off on improving

 refpolicy/policy/modules/kernel/kernel.te |    2 +-
 refpolicy/policy/modules/system/init.te   |    3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
---
diff --git a/refpolicy/policy/modules/kernel/kernel.te b/refpolicy/policy/modules/kernel/kernel.te
index ba189bf..9ad2232 100644
--- a/refpolicy/policy/modules/kernel/kernel.te
+++ b/refpolicy/policy/modules/kernel/kernel.te
@@ -11,7 +11,7 @@ terminal_use_console(kernel_t)
 domain_signal_all_domains(kernel_t)
 
 # Use capabilities. need to investigate which capabilities are actually used
-#allow kernel_t self:capability *;
+allow kernel_t self:capability *;
 
 # Mount root file system.  Used when loading a policy
 # from initrd, then mounting the root filesystem
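Review bot: The re-enabled `allow kernel_t self:capability *;` grants kernel_t every permission in the capability class, while the comment above it still only says the used set needs investigating. Since this commit defers that work, the comment should mark the wildcard as provisional so it is not later read as a reviewed grant, for example `# Temporary: all capabilities allowed until the set kernel_t actually uses is audited from AVC denials.` The narrowing matters because `*` also covers any capability later added to the class definition when the policy is rebuilt.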
diff --git a/refpolicy/policy/modules/system/init.te b/refpolicy/policy/modules/system/init.te
index 7fec32b..a53af29 100644
--- a/refpolicy/policy/modules/system/init.te
+++ b/refpolicy/policy/modules/system/init.te
@@ -79,14 +79,13 @@ authlogin_modify_login_records(init_t)
 logging_modify_system_logs(init_t)
 
 # Use capabilities. old rule:
-#allow init_t self:capability ~sys_module;
+allow init_t self:capability ~sys_module;
 # is ~sys_module really needed? observed: 
 # sys_boot
 # sys_tty_config
 # kill: now provided by domain_kill_all_domains()
 # setuid (from /sbin/shutdown)
 # sys_chroot (from /usr/bin/chroot): now provided by corecommands_chroot()
-allow init_t self:capability { sys_boot sys_tty_config setuid };
 
 # Modify utmp.
 allow init_t initrc_var_run_t:file { getattr read write setattr };
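Review bot: The comment `# Use capabilities. old rule:` now sits directly above an active rule, so the "old rule" label and the "is ~sys_module really needed?" question read as if the broad grant were still commented out. `~sys_module` gives init_t every capability except module loading, including sys_admin, sys_rawio and dac_override, whereas the narrowed rule this commit removes covered only sys_boot, sys_tty_config and setuid. I would relabel the comment, e.g. `# Use capabilities. Broad rule kept for now; observed minimum is listed below:`, and keep the removed rule as a commented line, `#allow init_t self:capability { sys_boot sys_tty_config setuid };`, so the target set survives in the file.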

