commit: 22d7dd88e5e3463edc65c36b2262ab9a22746fd2 |
Author: Yi Zhao <yi.zhao <AT> windriver <DOT> com> |
AuthorDate: Fri Jul 3 02:32:41 2020 +0000 |
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org> |
CommitDate: Wed Nov 2 14:07:22 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=22d7dd88 |
|
radius: fixes for freeradius |
|
* Add dac_read_search capability to radiusd_t |
* Add getcap to radiusd_t process |
|
Fixes: |
avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2 |
scontext=system_u:system_r:radiusd_t |
tcontext=system_u:system_r:radiusd_t tclass=capability permissive=1 |
|
avc: denied { getcap } for pid=473 comm="radiusd" |
scontext=system_u:system_r:radiusd_t |
tcontext=system_u:system_r:radiusd_t tclass=process permissive=1 |
|
Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com> |
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org> |
|
policy/modules/services/radius.te | 4 ++-- |
1 file changed, 2 insertions(+), 2 deletions(-) |
|
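--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -32,9 +32,9 @@ files_type(radiusd_var_lib_t)
 # Local policy
 #
 
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
+allow radiusd_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_resource sys_tty_config };
 dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:process { getcap getsched setrlimit setsched sigkill signal };
 allow radiusd_t self:fifo_file rw_fifo_file_perms;
 allow radiusd_t self:unix_stream_socket { accept listen };
 allow radiusd_t self:tcp_socket { accept listen };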
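Review bot: The `dac_read_search` added to the self:capability rule is justified only by an AVC record taken with permissive=1, and neither the rule nor the message says which file radiusd could not read under DAC, so a reader cannot judge whether the right fix was the ownership or mode of that file rather than a domain-wide DAC read/search bypass. Since radiusd_t already holds dac_override, dac_read_search grants no reach the domain did not already have (the kernel tries CAP_DAC_READ_SEARCH before CAP_DAC_OVERRIDE on read and directory-search checks), so the practical effect is to stop the audit noise; that is worth stating above the rule, e.g. `# dac_read_search is checked before dac_override on read/search; keep the two in step`. If the file in question is only ever read, a `dontaudit` or correcting its DAC bits would keep the granted capability set smaller. The `getcap` addition on self:process is benign, as it only lets the process read its own capability set. The radiusd_t local-policy block continues past the end of the hunk.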