fixup! sepolicy: Allow fsck_untrusted to be sys_admin
parent
caa5a8a29e
commit
52542bfa6a
2 changed files with 2 additions and 2 deletions
|
@ -51,7 +51,7 @@ neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
|
||||||
# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
|
# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
|
||||||
# permissions, that is a code mistake that needs to be fixed, not a permission that
|
# permissions, that is a code mistake that needs to be fixed, not a permission that
|
||||||
# should be granted. Same with setgid and setuid.
|
# should be granted. Same with setgid and setuid.
|
||||||
neverallow fsck_untrusted self:global_capability_class_set { setgid setuid };
|
neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
|
||||||
|
|
||||||
###
|
###
|
||||||
### dontaudit rules
|
### dontaudit rules
|
||||||
|
|
|
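Review bot: The comment block above the `neverallow fsck_untrusted self:global_capability_class_set` rule still says fsck_untrusted should never have sys_admin, yet the changed line in this section and in the second file section differs only in whether `sys_admin` is in the set. The +/- markers are lost on this page and the two sections print the variants in opposite order, so which file drops the capability is inferred from the commit title; whichever one does is left with a comment that contradicts the rule, and loses the build-time guard against granting CAP_SYS_ADMIN to a domain that, by its name, runs fsck on untrusted volumes. If the relaxation is intended, rewrite the comment to match, e.g. `# fsck_untrusted should never have setgid or setuid.` followed by a line stating why sys_admin is needed, and confirm that both copies of the file end up with the same rule. The rest of the policy file is outside the hunk.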
@ -50,7 +50,7 @@ neverallow fsck_untrusted { file_type fs_type -fsck_exec }:file entrypoint;
|
||||||
# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
|
# fsck_untrusted should never have sys_admin permissions. If it requires sys_admin
|
||||||
# permissions, that is a code mistake that needs to be fixed, not a permission that
|
# permissions, that is a code mistake that needs to be fixed, not a permission that
|
||||||
# should be granted. Same with setgid and setuid.
|
# should be granted. Same with setgid and setuid.
|
||||||
neverallow fsck_untrusted self:global_capability_class_set { setgid setuid sys_admin };
|
neverallow fsck_untrusted self:global_capability_class_set { setgid setuid };
|
||||||
|
|
||||||
###
|
###
|
||||||
### dontaudit rules
|
### dontaudit rules
|
||||||
|
|