@@ -42,6 +42,7 @@ F: package/flutter-sdk-bin/
F: package/openssh/selinux/
F: package/polkit/selinux/
F: package/refpolicy/selinux/
+F: package/restorecond/selinux/
F: package/systemd/selinux/
F: package/sysvinit/selinux/
F: support/testing/tests/package/test_flutter.py
new file mode 100644
new file mode 100644
@@ -0,0 +1 @@
+## <summary>Buildroot restorecond rules</summary>
new file mode 100644
@@ -0,0 +1,13 @@
+policy_module(buildroot-restorecond, 1.0.0)
+
+#============= restorecond_t ==============
+allow restorecond_t device_t:chr_file { open read write };
+allow restorecond_t etc_t:dir watch;
+allow restorecond_t file_context_t:file { open read };
+allow restorecond_t selinux_config_t:file watch;
+allow restorecond_t tmpfs_t:dir { remove_name write watch };
+allow restorecond_t tmpfs_t:file { append getattr open lock read write unlink };
+allow restorecond_t user_home_dir_t:dir watch;
+allow restorecond_t var_log_t:dir watch;
+allow restorecond_t var_run_t:dir watch;
+allow restorecond_t var_t:dir watch;
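Review bot: The `device_t:chr_file { open read write }` rule and the two `tmpfs_t` rules give restorecond_t access to generic catch-all labels rather than to the specific objects the daemon uses, and the `#============= restorecond_t ==============` header suggests the rules were taken from audit2allow output unchanged. Denials against `device_t` and `tmpfs_t` usually mean a device node or a file on a tmpfs mount was never labelled, so the narrower fix would be a file-context entry (the accompanying .fc file is empty) instead of write and unlink on everything labelled `tmpfs_t`. If the broad rules have to stay, record the reason above each one, for example `# pid file is created on an unlabelled tmpfs; drop once that path is labelled`; the pid-file cause is a guess, so confirm which paths the denials named. The types are also referenced without a `gen_require` block, which a modular policy build would normally need, so it is worth confirming how Buildroot compiles this module.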
This is a basic policy necessary for restorecond to work properly in enforcing mode without any denials. Signed-off-by: Adam Duskett <adam.duskett@amarulasolutions.com> --- DEVELOPERS | 1 + .../restorecond/selinux/buildroot-restorecond.fc | 0 .../restorecond/selinux/buildroot-restorecond.if | 1 + .../restorecond/selinux/buildroot-restorecond.te | 13 +++++++++++++ 4 files changed, 15 insertions(+) create mode 100644 package/restorecond/selinux/buildroot-restorecond.fc create mode 100644 package/restorecond/selinux/buildroot-restorecond.if create mode 100644 package/restorecond/selinux/buildroot-restorecond.te