Allow init_t create lnk file

Bugfix: When the selinux mode is enforcing, libcare.socket cannot create symlink libcare.sock. This will cause the libcare.service to fail to start. Signed-off-by: imxcc <xingchaochao@huawei.com>
2021-09-08 11:47:53 +08:00 · 2021-09-08 11:47:53 +08:00 · 5ba3939722
commit 5ba3939722
parent 1b05c0f5f9
2 changed files with 36 additions and 2 deletions
--- a/0047-Allow-init_t-create-lnk-file.patch
+++ b/0047-Allow-init_t-create-lnk-file.patch
@ -0,0 +1,30 @@
+From 7782210333c3296b68f954b46284024701ec79e4 Mon Sep 17 00:00:00 2001
+From: imxcc <xingchaochao@huawei.com>
+Date: Wed, 8 Sep 2021 11:28:28 +0800
+Subject: [PATCH] Allow init_t create lnk file
+
+Bugfix: When the selinux mode is enforcing, libcare.socket cannot
+create symlink libcare.sock. This will cause the libcare.service
+to fail to start.
+
+Signed-off-by: imxcc <xingchaochao@huawei.com>
+---
+ dist/selinux/libcare.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/dist/selinux/libcare.te b/dist/selinux/libcare.te
+index c240875..936fc34 100644
+--- a/dist/selinux/libcare.te
+++ b/dist/selinux/libcare.te
+@@ -49,6 +49,8 @@ allow libcare_t libcare_file_t: file exec_file_perms;
+ allow libcare_t libcare_file_t: dir list_dir_perms;
+ allow libcare_t libcare_file_t: lnk_file read_lnk_file_perms;
+ 
+allow init_t var_run_t:lnk_file create;
+
+ # to read patient's /proc entries and be able to attach to it
+ allow libcare_t self: capability { dac_override dac_read_search sys_ptrace };
+ 
+-- 
+2.27.0
+
--- a/libcareplus.spec
+++ b/libcareplus.spec
@ -3,7 +3,7 @@
 Version: 0.1.4
 Name: libcareplus
 Summary: LibcarePlus tools
-Release: 6
+Release: 7
 Group: Applications/System
 License: GPLv2
 Url: https://gitee.com/openeuler/libcareplus
@ -56,6 +56,7 @@ Patch0044: 0043-kpatch_ptrace-Split-function-kpatch_arch_prctl_remot.patch
 Patch0045: 0044-kpatch_ptrace-Split-function-kpatch_syscall_remote.patch
 Patch0046: 0045-kpatch_ptrace-Split-function-wait_for_mmap.patch
 Patch0047: 0046-kpatch_ptrace-Split-function-kpatch_ptrace_kickstart.patch
+Patch0048: 0047-Allow-init_t-create-lnk-file.patch

 BuildRequires: elfutils-libelf-devel libunwind-devel gcc systemd

@ -211,7 +212,10 @@ exit 0
 %endif

 %changelog
-* Thu Sep 02 2021 imxcc <xingchaochao@huawei.com>  - 0.1.4.6
+* Wed Sep 08 2021 imxcc <xingchaochao@huawei.com> - 0.1.4.7
+- selinux: Allow init_t create lnk file
+
+* Thu Sep 02 2021 imxcc <xingchaochao@huawei.com> - 0.1.4.6
 - enable selinux

 * Sat Aug 21 2021 caodongxia <caodongxia@huawei.com> - 0.1.4-5