Update lldpad_t policy module

Label /run/lldpd/ as lldpad_var_run_t Dontaudit sys_admin capability for lldpad_t domain
fedora-selinux · Nov 7, 2019 · 6c7983a · 6c7983a
1 parent 89a037f
commit 6c7983a
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 0 deletions.
diff --git a/lldpad.fc b/lldpad.fc
@@ -12,4 +12,6 @@
 
 /var/run/lldpd.*	--      gen_context(system_u:object_r:lldpad_var_run_t,s0)
 
+/var/run/lldpd(/.*)?		gen_context(system_u:object_r:lldpad_var_run_t,s0)
+
 /dev/shm/lldpad.*	--	gen_context(system_u:object_r:lldpad_tmpfs_t,s0)
diff --git a/lldpad.te b/lldpad.te
@@ -26,6 +26,7 @@ systemd_mount_dir(lldpad_var_run_t)
 # Local policy
 #
 allow lldpad_t self:capability { chown dac_override fowner fsetid kill net_admin net_raw setgid setuid sys_chroot sys_resource };
+dontaudit lldpad_t self:capability { sys_admin };
 allow lldpad_t self:shm create_shm_perms;
 allow lldpad_t self:fifo_file rw_fifo_file_perms;
 allow lldpad_t self:unix_stream_socket { accept connectto listen };