diff --git a/domain.te b/domain.te index 45569de4cb40901bc52014f01254e6d763a1a5bb..023eac303feef62816f10641d9e737b8c4c4c331 100644 --- a/domain.te +++ b/domain.te @@ -243,7 +243,7 @@ neverallow * kmem_device:chr_file ~{ create relabelto unlink setattr }; # Only init should be able to configure kernel usermodehelpers or # security-sensitive proc settings. neverallow { domain -init } usermodehelper:file { append write }; -neverallow { domain -init } proc_security:file { append write }; +neverallow { domain -init } proc_security:file { append open read write }; # No domain should be allowed to ptrace init. neverallow * init:process ptrace; diff --git a/genfs_contexts b/genfs_contexts index 31794a1e834096abc55a76c71a647ba187a826e3..965d3f05e8f03b0e60d4f5915406c1a97b406619 100644 --- a/genfs_contexts +++ b/genfs_contexts @@ -22,6 +22,8 @@ genfscon proc /sys/kernel/randomize_va_space u:object_r:proc_security:s0 genfscon proc /sys/kernel/usermodehelper u:object_r:usermodehelper:s0 genfscon proc /sys/net u:object_r:proc_net:s0 genfscon proc /sys/vm/mmap_min_addr u:object_r:proc_security:s0 +genfscon proc /sys/vm/mmap_rnd_bits u:object_r:proc_security:s0 +genfscon proc /sys/vm/mmap_rnd_compat_bits u:object_r:proc_security:s0 genfscon proc /sys/vm/drop_caches u:object_r:proc_drop_caches:s0 genfscon proc /uid_cputime/show_uid_stat u:object_r:proc_uid_cputime_showstat:s0 genfscon proc /uid_cputime/remove_uid_range u:object_r:proc_uid_cputime_removeuid:s0