From 252e5cda0f1b1c6f9582dcb09e8d20a966c92284 Mon Sep 17 00:00:00 2001
From: Demi Marie Obenour
Date: Sat, 29 Apr 2023 23:19:03 -0400
Subject: [PATCH] Xen hotplug scripts should be initrc_exec_t
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

This makes them unconfined while ensuring that programs they spawn have the correct (possibly confined) contexts.

Reported-by: Marek Marczykowski-Górecki
Fixes: QubesOS/qubes-issues#8155
---
 selinux/qubes-misc.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/selinux/qubes-misc.fc b/selinux/qubes-misc.fc
index 318c4990e..9c2e1c567 100644
--- a/selinux/qubes-misc.fc
+++ b/selinux/qubes-misc.fc
@@ -8,6 +8,7 @@ define(`slash_run',`dnl
 /usr/lib/qubes(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/qubes/init(/.*)? -d gen_context(system_u:object_r:etc_t,s0)
 /usr/lib/qubes/init(/.*)? -- gen_context(system_u:object_r:initrc_exec_t,s0)
+/etc/xen/scripts/[!/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/lib/qubes/network-manager-prepare-conf-dir -- gen_context(system_u:object_r:bin_t,s0)
 slash_run(`qubes(/.*)?',`qubes_var_run')
 slash_run(`qubes-service',`initrc_var_run',`-d')
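Review bot: The added pattern `/etc/xen/scripts/[!/]+` uses shell-glob negation syntax, but file-context specifications are regular expressions, where `[!/]` is a bracket class matching only the literal characters `!` and `/`; as written the rule will match essentially no real file under /etc/xen/scripts and the hotplug scripts will keep whatever label the more general rules give them, so the fix the commit describes does not take effect. The regex negated class is `[^/]`, i.e. `/etc/xen/scripts/[^/]+ -- gen_context(system_u:object_r:initrc_exec_t,s0)`, which matches every regular file directly in that directory, consistent with the neighbouring `/usr/lib/qubes/init(/.*)? --` rule. After fixing the pattern it is worth confirming with `matchpathcon /etc/xen/scripts/block` (or `restorecon -nv`) that the intended initrc_exec_t label is actually selected, and noting in the commit message that `--` deliberately excludes the directory itself and any subdirectories. Since initrc_exec_t makes these scripts run unconfined, a one-line comment above the rule explaining why (hotplug scripts must be able to launch correctly-labelled children) would help the next maintainer avoid tightening it blindly.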