diff options
| author |   Kenton Groombridge <me@concord.sh> | 2021-11-10 12:58:42 -0500 |
|---|---|---|
| committer |   Jason Zaman <perfinion@gentoo.org> | 2022-03-30 19:40:53 -0700 |
| commit | fc0dd40ee53f5a1d45ee160db2d3d1e6727bff90 (patch) | |
| tree | 953beaadc6d50967ed0c6eda682a88b757ee8c9f /policy/modules/system/init.te | |
| parent | init: allow systemd to nnp_transition and nosuid_transition to daemon domains (diff) | |
| download | hardened-refpolicy-fc0dd40ee53f5a1d45ee160db2d3d1e6727bff90.tar.gz hardened-refpolicy-fc0dd40ee53f5a1d45ee160db2d3d1e6727bff90.tar.bz2 hardened-refpolicy-fc0dd40ee53f5a1d45ee160db2d3d1e6727bff90.zip | |
files, init: allow init to remount filesystems mounted on /boot
The context= mount option can be used to label, for example, a DOS
filesystem mounted on boot to be boot_t instead of dosfs_t. Explicitly
allow init (systemd) to remount boot_t filesystems so that options like
ProtectSystem=full work properly.
Signed-off-by: Kenton Groombridge <me@concord.sh>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Diffstat (limited to 'policy/modules/system/init.te')
| -rw-r--r-- | policy/modules/system/init.te | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 3f1c7d20..6e1baef9 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -417,6 +417,7 @@ ifdef(`init_systemd',` files_mounton_tmp(init_t) files_manage_urandom_seed(init_t) files_read_boot_files(initrc_t) + files_remount_boot(init_t) files_relabel_all_lock_dirs(init_t) files_search_all(init_t) files_unmount_all_file_type_fs(init_t) |