commit: 55f60d30e606f695662113f02acc45a78e3433a3
Author: Guido Trentalancia <guido <AT> trentalancia <DOT> net>
AuthorDate: Mon Jan 2 21:11:32 2017 +0000
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Fri Jan 13 18:38:51 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=55f60d30

init: support sysvinit Add a permission needed for the correct functioning of sysvinit on systems using the initramfs. Without the selinux_get_fs_mount() interface call, the call to libselinux:is_selinux_enabled() fails and sysvinit tries to do the initial policy load again. Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net> policy/modules/system/init.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index bd97a7c..ce6f2f9 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -162,6 +162,7 @@ files_exec_etc_files(init_t) files_dontaudit_rw_root_files(init_t) files_dontaudit_rw_root_chr_files(init_t) +fs_getattr_xattr_fs(init_t) fs_list_inotifyfs(init_t) # cjp: this may be related to /dev/log fs_write_ramfs_sockets(init_t) @@ -174,6 +175,10 @@ mls_file_write_all_levels(init_t) mls_process_write_all_levels(init_t) mls_fd_use_all_levels(init_t) +# the following one is needed for libselinux:is_selinux_enabled() +# otherwise the call fails and sysvinit tries to load the policy +# again when using the initramfs +selinux_get_fs_mount(init_t) selinux_set_all_booleans(init_t) term_use_all_terms(init_t)
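
Review bot: In the first hunk (@@ -162,6 +162,7 @@), fs_getattr_xattr_fs(init_t) is added without a comment, and the commit message only explains selinux_get_fs_mount(), so the reason for this second permission is not recorded anywhere. Add a one-line comment above it naming the call that needs getattr on the xattr filesystem (for instance, whether it belongs to the same is_selinux_enabled() path), or drop the line if sysvinit on the initramfs works without it.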
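
Review bot: In the second hunk (@@ -174,6 +175,10 @@), the comment above selinux_get_fs_mount(init_t) gives a rationale specific to sysvinit booted from an initramfs, yet the rule is granted to init_t with no condition visible in the hunk. If every init implementation running as init_t is meant to have this access, say so in the comment; if not, state that it is only required by sysvinit. Naming the interface in the comment instead of "the following one" would also keep it accurate if the lines are reordered later.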