From: Ralf Ertzinger
Date: Thu, 30 May 2019 18:08:44 +0000 (+0000)
Subject: Call init_domain() in addition to init_daemon_domain(), this adds permissions needed...
X-Git-Url: https://git.camperquake.de/gitweb.cgi?p=selinux.git;a=commitdiff_plain;h=2577bee7f5f259449d730493d2c21cd86d3fe2c0
Call init_domain() in addition to init_daemon_domain(), this adds permissions needed for systemd NoNewPrivileges
---
diff --git a/cod4/cod4.te b/cod4/cod4.te
index 43ff1c5..17885b6 100644
--- a/cod4/cod4.te
+++ b/cod4/cod4.te
@@ -1,4 +1,4 @@
-policy_module(cod4, 0.1.31)
+policy_module(cod4, 0.1.33)
 # File context for the executable process
 type cod4_t;
@@ -10,6 +10,7 @@ files_type(cod4_rw_t)
 type cod4_ro_t;
 files_type(cod4_ro_t)
+init_domain(cod4_t, cod4_exec_t)
 init_daemon_domain(cod4_t, cod4_exec_t)
 corenet_udp_sendrecv_generic_port(cod4_t)
diff --git a/q3a/q3a.te b/q3a/q3a.te
index d0c204d..4872be1 100644
--- a/q3a/q3a.te
+++ b/q3a/q3a.te
@@ -1,4 +1,4 @@
-policy_module(q3a, 0.1.24)
+policy_module(q3a, 0.1.25)
 # File context for the executable process
 type q3a_t;
@@ -12,6 +12,7 @@ files_type(q3a_ro_t)
 _sky_files_use_tmp(q3a_t, q3a_tmp_t)
+init_domain(q3a_t, q3a_exec_t)
 init_daemon_domain(q3a_t, q3a_exec_t)
 corenet_udp_sendrecv_generic_port(q3a_t)
diff --git a/quake2/quake2.te b/quake2/quake2.te
index 2e2eb6e..9f16e80 100644
--- a/quake2/quake2.te
+++ b/quake2/quake2.te
@@ -1,4 +1,4 @@
-policy_module(quake2, 0.1.10)
+policy_module(quake2, 0.1.11)
 # File context for the executable process
 type quake2_t;
@@ -12,6 +12,7 @@ files_type(quake2_ro_t)
 _sky_files_use_tmp(quake2_t, quake2_tmp_t)
+init_domain(quake2_t, quake2_exec_t)
 init_daemon_domain(quake2_t, quake2_exec_t)
 corenet_udp_sendrecv_generic_port(quake2_t)
diff --git a/tesseract/tesseract.te b/tesseract/tesseract.te
index 4539c19..9a7d54c 100644
--- a/tesseract/tesseract.te
+++ b/tesseract/tesseract.te
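Review bot: The added `init_domain(cod4_t, cod4_exec_t)` in the second hunk of cod4/cod4.te sits directly above `init_daemon_domain(cod4_t, cod4_exec_t)` with identical arguments and no comment, so it reads as a duplicate that a later cleanup could remove; the same applies to the matching hunks in q3a, quake2, tesseract, tf2, ts3 and ut2004. The reason exists only in the commit message, so I would add a line above each call such as `# init_domain() is needed on top of init_daemon_domain() so systemd can start the unit with NoNewPrivileges=`. init_domain() is also a broad interface for what appears to be a single missing permission: it would be worth checking the AVC denial to see which rule was actually absent, and where the base policy ships a narrower interface for NoNewPrivileges transitions (Fedora's selinux-policy has `init_nnp_daemon_domain`), using that instead.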
@@ -1,4 +1,4 @@
-policy_module(tesseract, 0.1.4)
+policy_module(tesseract, 0.1.5)
 # File context for the executable process
 type tesseract_t;
@@ -10,6 +10,7 @@ files_type(tesseract_rw_t)
 type tesseract_ro_t;
 files_type(tesseract_ro_t)
+init_domain(tesseract_t, tesseract_exec_t)
 init_daemon_domain(tesseract_t, tesseract_exec_t)
 corenet_udp_sendrecv_generic_port(tesseract_t)
diff --git a/tf2/tf2.te b/tf2/tf2.te
index bf69c5d..1ef83e4 100644
--- a/tf2/tf2.te
+++ b/tf2/tf2.te
@@ -1,4 +1,4 @@
-policy_module(tf2, 0.1.25)
+policy_module(tf2, 0.1.28)
 require {
 type default_t;
@@ -17,6 +17,7 @@ type tf2_ro_t;
 files_type(tf2_ro_t)
+init_domain(tf2_t, tf2_exec_t)
 init_daemon_domain(tf2_t, tf2_exec_t)
 allow tf2_t self:process { setsched signal signull };
@@ -56,3 +57,4 @@ kernel_read_network_state(tf2_t)
 dontaudit tf2_t default_t:dir read;
 allow init_t tf2_t:process { noatsecure };
+allow tf2_t self:process execmem;
diff --git a/ts3/ts3.te b/ts3/ts3.te
index 1700cf3..4afdf06 100644
--- a/ts3/ts3.te
+++ b/ts3/ts3.te
@@ -1,4 +1,4 @@
-policy_module(ts3, 0.1.28)
+policy_module(ts3, 0.1.29)
 # File context for the executable process
 type ts3_t;
@@ -10,6 +10,7 @@ files_type(ts3_rw_t)
 type ts3_ro_t;
 files_type(ts3_ro_t)
+init_domain(ts3_t, ts3_exec_t)
 init_daemon_domain(ts3_t, ts3_exec_t)
 corenet_udp_sendrecv_generic_port(ts3_t)
diff --git a/ut2004/ut2004.te b/ut2004/ut2004.te
index ccc10da..3f03e13 100644
--- a/ut2004/ut2004.te
+++ b/ut2004/ut2004.te
@@ -1,4 +1,4 @@
-policy_module(ut2004, 0.1.3)
+policy_module(ut2004, 0.1.4)
 require {
 type interwise_port_t;
@@ -14,6 +14,7 @@ files_type(ut2004_rw_t)
 type ut2004_ro_t;
 files_type(ut2004_ro_t)
+init_domain(ut2004_t, ut2004_exec_t)
 init_daemon_domain(ut2004_t, ut2004_exec_t)
 corenet_udp_sendrecv_generic_port(ut2004_t)
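Review bot: `allow tf2_t self:process execmem;` in the last hunk of tf2/tf2.te is not covered by the commit message, which describes only the init_domain() change, and the rule carries no comment. execmem lets the domain map memory that is both writable and executable, which removes a check that otherwise limits what a memory-corruption bug in the confined process can achieve, so the reason the binary needs it should be recorded. I would move it to its own commit and add a line above the rule such as `# execmem: required by <component>; see AVC denial <reference>`, with the placeholders filled in from the audit log. If it is only needed in some configurations, declaring a boolean with `gen_tunable` and wrapping the rule in `tunable_policy` would keep it off by default.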