[selinux-policy/f14/master: 3173/3230] bootloader: permission set.

Daniel J Walsh dwalsh at fedoraproject.org
Tue Oct 12 20:13:59 UTC 2010


commit 23f4caad54b4fd1124310c1127150e5b75df833a
Author: Dominick Grift <domg472 at gmail.com>
Date:   Mon Oct 4 20:23:17 2010 +0200

    bootloader: permission set.
    
    Signed-off-by: Dominick Grift <domg472 at gmail.com>

 policy/modules/admin/bootloader.te |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)
---
diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index fee70d9..8ae18db 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -39,7 +39,7 @@ dev_node(bootloader_tmp_t)
 #
 
 allow bootloader_t self:capability { dac_override dac_read_search fsetid sys_rawio sys_admin mknod chown };
-allow bootloader_t self:process { sigkill sigstop signull signal execmem };
+allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
 
 allow bootloader_t bootloader_etc_t:file read_file_perms;
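Review bot: The new self:process line is not a strict one-for-one substitution: refpolicy's `signal_perms` set (obj_perm_sets.spt) also contains `sigchld`, which the removed explicit list did not grant, so bootloader_t gains one extra permission on itself. On a self rule that is harmless, but the commit title reads as a no-op cleanup, so the widening deserves a mention in the message or a trailing comment, e.g. `# signal_perms also covers sigchld`. This needs confirming against the permission-set definitions in the tree being built, which are not visible here.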
@@ -153,7 +153,7 @@ ifdef(`distro_redhat',`
 	allow bootloader_t self:capability ipc_lock;
 
 	# new file system defaults to file_t, granting file_t access is still bad.
-	allow bootloader_t boot_runtime_t:file { read_file_perms unlink };
+	allow bootloader_t boot_runtime_t:file { read_file_perms delete_file_perms };
 
 	# new file system defaults to file_t, granting file_t access is still bad.
 	files_manage_isid_type_dirs(bootloader_t)
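Review bot: The comment immediately above the changed boot_runtime_t rule talks about granting file_t access, which is the subject of the `files_manage_isid_type_dirs` call two lines below, not of this rule; it appears to be a copy of that comment and now mislabels a rule that grants read and delete on boot_runtime_t files. Replace it with a comment that matches the rule, e.g. `# read and remove boot_runtime_t files`, and leave the identical comment above `files_manage_isid_type_dirs` where it belongs. The permission-set swap itself is sound: `delete_file_perms` is `{ getattr unlink }` in refpolicy and `getattr` is already included in `read_file_perms`, so the effective grant is unchanged (worth confirming against the tree's obj_perm_sets). The enclosing ifdef(`distro_redhat') block both starts and ends outside the hunk.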

