commit: 34127751552f504b35300a30876eda61b0f38733 Author: Kenton Groombridge <me <AT> concord <DOT> sh> AuthorDate: Tue Mar 7 00:15:24 2023 +0000 Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> CommitDate: Fri Mar 31 17:11:32 2023 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=34127751
init: allow initrc_t to create netlink_kobject_uevent_sockets Needed by rdma-rdd, which is automatically started by udev when an RDMA device with a node description is present. Signed-off-by: Kenton Groombridge <me <AT> concord.sh> Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> policy/modules/system/init.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 936b212eb..999721551 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -705,6 +705,7 @@ allow initrc_t self:process { getcap getpgid setsched setpgid setrlimit getsched allow initrc_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; allow initrc_t self:capability2 { wake_alarm block_suspend }; dontaudit initrc_t self:capability sys_module; # sysctl is triggering this +allow initrc_t self:netlink_kobject_uevent_socket create_socket_perms; # needed by rdma-ndd allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms;