commit: 5ee13c254c0451f054558a0f22da48377311c551 Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com> AuthorDate: Tue Feb 1 14:27:06 2022 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Mon Feb 7 02:09:50 2022 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=5ee13c25
domain: Allow lockdown for all domains. The checks for this class were removed in 5.16. This object class will be removed in the future. For more info: https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly Signed-off-by: Chris PeBenito <chpebeni <AT> linux.microsoft.com> Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> policy/modules/kernel/domain.te | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 00cea380..2eff1d34 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -103,6 +103,11 @@ kernel_dontaudit_link_key(domain) # create child processes in the domain allow domain self:process { fork sigchld }; +# lockdown checks were removed in 5.16. The class will be removed +# from the policy in the future. For reference: +# https://lore.kernel.org/selinux/163243191040.178880.4295195865966623164.stgit@olly +allow domain self:lockdown { integrity confidentiality }; + # glibc get_nprocs requires read access to /sys/devices/system/cpu/online dev_read_cpu_online(domain)
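Review bot: the added `allow domain self:lockdown { integrity confidentiality };` is unconditional, so on kernels older than 5.16 that still run the SELinux lockdown hook it grants every domain both lockdown permissions, not only the domains that previously needed them; the commit message or the in-line comment should say this is intended (the kernel's own lockdown LSM still enforces its mode independently, and the SELinux check was only an additional restriction on top of it), or the rule should be gated for policy builds that still target older kernels. The comment's "The class will be removed from the policy in the future" would also be easier to act on if it named what has to happen first, i.e. dropping the class and its permissions from the policy's object class definitions once no supported kernel still checks it.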