path: root/recipes-security/refpolicy/refpolicy-minimum/0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch
blob: bf7b9801a35e74d6059d52c81eebef33743ec09a (plain)
refpolicy-minimum: systemd: mount: enable required refpolicy booleans

enable required refpolicy booleans for these modules

i. mount:  allow_mount_anyfile
Without enabling this boolean we get the AVC denial below:

audit(): avc:  denied  { mounton } for  pid=462 comm="mount" path="/run/media
/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0

This AVC denial can be allowed using the boolean 'allow_mount_anyfile':
allow mount_t initrc_var_run_t:dir mounton;

ii. systemd: systemd_tmpfiles_manage_all
Without enabling this boolean we do not get access to mount systemd's
essential tmpfs during bootup, and also cannot create audit.log:

audit(): avc:  denied  { search } for  pid=168 comm="systemd-tmpfile" name=
"sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles
_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0

 ls  /var/log
 /var/log -> volatile/log
:~#

Upstream-Status: Pending

Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
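The commit message above justifies each boolean flip with one AVC denial. When triaging denials like these, the first question is always what the narrowest rule that would satisfy the denial looks like, so the cost of a broad boolean can be compared against it. The following Python is an added example, not part of this patch or of refpolicy: it parses `avc: denied` audit lines into their fields and derives the minimal `allow` rule for each, in the spirit of audit2allow. The sample log is constructed from the two denials quoted in the commit message, re-joined onto single lines by hand (the message wraps them at 72 columns). The helper names (`parse_avc`, `allow_rule`, `minimal_rules`) are this example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: the two denials quoted in the commit message,
# each re-joined onto a single line.
SAMPLE_AVC_LOG = """\
audit(): avc:  denied  { mounton } for  pid=462 comm="mount" path="/run/media/mmcblk2p1" dev="tmpfs" ino=11523 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:initrc_var_run_t:s0 tclass=dir permissive=0
audit(): avc:  denied  { search } for  pid=168 comm="systemd-tmpfile" name="sys" dev="proc" ino=4026531855 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:sysctl_t:s0 tclass=dir permissive=0
"""

# "avc:  denied  { perm1 perm2 } for  key=value key="quoted value" ..."
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted or a bare token
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


@dataclass
class AvcDenial:
    perms: tuple          # permissions that were denied, e.g. ("mounton",)
    scontext: str         # full source security context
    tcontext: str         # full target security context
    tclass: str           # object class, e.g. "dir"
    fields: dict = field(default_factory=dict)  # all key=value fields


def parse_avc(line):
    """Parse one audit line; return an AvcDenial, or None if it is not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    perms = tuple(m.group("perms").split())
    fields = {}
    for key, _whole, quoted, bare in FIELD_RE.findall(m.group("fields")):
        fields[key] = quoted if bare == "" else bare
    for required in ("scontext", "tcontext", "tclass"):
        if required not in fields:
            return None
    return AvcDenial(perms, fields["scontext"], fields["tcontext"],
                     fields["tclass"], fields)


def type_of(context):
    """Extract the type component (user:role:type[:range]) of a context."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else context


def allow_rule(denial):
    """Render the narrowest allow rule that would satisfy this denial."""
    perms = denial.perms[0] if len(denial.perms) == 1 else "{ " + " ".join(denial.perms) + " }"
    return f"allow {type_of(denial.scontext)} {type_of(denial.tcontext)}:{denial.tclass} {perms};"


def minimal_rules(log_text):
    """Derive de-duplicated minimal allow rules for every denial in the log."""
    rules = []
    for line in log_text.splitlines():
        denial = parse_avc(line)
        if denial is None:
            continue
        rule = allow_rule(denial)
        if rule not in rules:
            rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in minimal_rules(SAMPLE_AVC_LOG):
        print(rule)
```

For the first sample line the derived rule is exactly the `allow mount_t initrc_var_run_t:dir mounton;` the commit message quotes, which is what the policy actually needs for this mount point; the `allow_mount_anyfile` boolean grants mount_t considerably more than that single rule. The same comparison applies to the `systemd_tmpfiles_t sysctl_t:dir search` rule versus `systemd_tmpfiles_manage_all`.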

--- a/policy/booleans.conf
+++ b/policy/booleans.conf
@@ -1156,12 +1156,12 @@ racoon_read_shadow = false
 #
 # Allow the mount command to mount any directory or file.
 # 
-allow_mount_anyfile = false
+allow_mount_anyfile = true
 
 #
 # Enable support for systemd-tmpfiles to manage all non-security files.
 # 
-systemd_tmpfiles_manage_all = false
+systemd_tmpfiles_manage_all = true
 
 #
 # Allow users to connect to mysql
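Review bot: both toggles in this hunk are global relaxations used to resolve two specific denials, and the commit message itself already names the narrower fix for the first one: `allow mount_t initrc_var_run_t:dir mounton;` covers the quoted `/run/media/mmcblk2p1` denial without letting mount_t mount on any directory or file, which is what `allow_mount_anyfile = true` grants per the comment above it. Likewise the second denial is a single `systemd_tmpfiles_t sysctl_t:dir search`, whereas `systemd_tmpfiles_manage_all = true` enables management of all non-security files. Suggest either carrying the targeted rules (or a file context for `/run/media`) in the policy instead, or recording in the commit message why the broad booleans were chosen over them, so a later reviewer does not have to rediscover the trade-off; `Upstream-Status: Pending` should also say what is intended to be sent upstream.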