
[03/12] package/sysvinit/selinux: Add buildroot sysvinit policy

Message ID 20231012103210.2915871-4-adam.duskett@amarulasolutions.com
State New
Series SELinux: Basic config enforcing mode support. | expand

Commit Message

Adam Duskett Oct. 12, 2023, 10:32 a.m. UTC
This policy is required to run systems with sysvinit in enforcing mode without
denials.

Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com>
---
 DEVELOPERS                                     | 1 +
 package/sysvinit/selinux/buildroot-sysvinit.fc | 0
 package/sysvinit/selinux/buildroot-sysvinit.if | 1 +
 package/sysvinit/selinux/buildroot-sysvinit.te | 8 ++++++++
 4 files changed, 10 insertions(+)
 create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.fc
 create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.if
 create mode 100644 package/sysvinit/selinux/buildroot-sysvinit.te

Patch

diff --git a/DEVELOPERS b/DEVELOPERS
index c206f5262f..36108715bf 100644
--- a/DEVELOPERS
+++ b/DEVELOPERS
@@ -39,6 +39,7 @@  F:	package/flutter-gallery/
 F:	package/flutter-pi/
 F:	package/flutter-sdk-bin/
 F:	package/refpolicy/selinux/
+F:	package/sysvinit/selinux/
 F:	support/testing/tests/package/test_flutter.py
 
 N:	Adam Heinrich <adam@adamh.cz>
diff --git a/package/sysvinit/selinux/buildroot-sysvinit.fc b/package/sysvinit/selinux/buildroot-sysvinit.fc
new file mode 100644
index 0000000000..e69de29bb2
diff --git a/package/sysvinit/selinux/buildroot-sysvinit.if b/package/sysvinit/selinux/buildroot-sysvinit.if
new file mode 100644
index 0000000000..2b8195dfe3
--- /dev/null
+++ b/package/sysvinit/selinux/buildroot-sysvinit.if
@@ -0,0 +1 @@ 
+## <summary>Buildroot sysvinit rules</summary>
diff --git a/package/sysvinit/selinux/buildroot-sysvinit.te b/package/sysvinit/selinux/buildroot-sysvinit.te
new file mode 100644
index 0000000000..58c3e14580
--- /dev/null
+++ b/package/sysvinit/selinux/buildroot-sysvinit.te
@@ -0,0 +1,8 @@ 
+policy_module(buildroot-sysvinit, 1.0.0)
+
+#============= getty_t ==============
+allow getty_t tmpfs_t:dir { add_name write };
+allow getty_t tmpfs_t:file { create lock open read write };
+
+#============= local_login_t ==============
+allow local_login_t tmpfs_t:file { lock open read write };
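Review bot: The three `allow` rules in buildroot-sysvinit.te grant getty_t and local_login_t access to the generic `tmpfs_t` type, which covers any file on a tmpfs mount that has no more specific label, so in enforcing mode these login-path domains can write far more than the files that actually triggered the denials. The section banners look like audit2allow output and the patch does not record which paths were denied; presumably they are runtime state files on a tmpfs-backed directory, but that should be confirmed. Consider giving those files a dedicated label, either through the buildroot-sysvinit.fc that this commit leaves empty or through a type transition, and scoping the rules to that type instead of `tmpfs_t`. At minimum, add a comment above each group recording the cause, for example `# <PATH> is on tmpfs with no matching file context, so it is labelled tmpfs_t`.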