commit: 79c09b22f530dd92c44143533fb87991a3417169
Author: Kenton Groombridge <me <AT> concord <DOT> sh>
AuthorDate: Mon Mar 6 16:23:23 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar 31 17:11:32 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79c09b22
init: allow initrc_t to getcap
Many AVCs for this permission are observed on a systemd system, triggered by various services.
Signed-off-by: Kenton Groombridge <me <AT> concord.sh>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/system/init.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a2b0693b6..87d62741e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -699,7 +699,7 @@ optional_policy(`
# Init script local policy
#
-allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
+allow initrc_t self:process { getcap getpgid setsched setpgid setrlimit
getsched };
allow initrc_t self:capability { chown dac_override dac_read_search fowner
fsetid kill setgid setuid setpcap linux_immutable net_bind_service
net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot
sys_ptrace sys_pacct sys_boot sys_nice sys_resource sys_time sys_tty_config
mknod lease audit_write audit_control setfcap };
allow initrc_t self:capability2 { wake_alarm block_suspend };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
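Review bot: The new `getcap` permission on the `allow initrc_t self:process` line carries no note of what triggers it, unlike the `dontaudit ... sys_module` line three lines down, which explains itself with `# sysctl is triggering this`; the commit message only says "various services", so the next maintainer auditing initrc_t's self permissions has nothing to check against. Consider matching the file's style with an inline why-comment such as `# capget(2) by various services under systemd`, or naming one of the observed services or the denial in the commit message. The security impact looks bounded: `getcap` on self:process gates reading the process's own capability sets (capget), and the line still does not grant `setcap`, so nothing here widens what initrc_t can raise. The surrounding `allow initrc_t self:capability { ... }` set is context only and is unchanged by this hunk.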