Gentoo Archives: gentoo-commits

From: Kenton Groombridge <concord@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Wed, 02 Nov 2022 14:42:59
Message-Id: 1667398042.22d7dd88e5e3463edc65c36b2262ab9a22746fd2.concord@gentoo
commit: 22d7dd88e5e3463edc65c36b2262ab9a22746fd2
Author: Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Fri Jul 3 02:32:41 2020 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov 2 14:07:22 2022 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=22d7dd88

radius: fixes for freeradius

* Add dac_read_search capability to radiusd_t
* Add getcap to radiusd_t process

Fixes:
avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=capability permissive=1

avc: denied { getcap } for pid=473 comm="radiusd"
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=process permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

policy/modules/services/radius.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

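As an added example (not part of this commit or of the refpolicy tree), a small Python script that turns the two AVC denials quoted in the commit message into the refpolicy-style allow rules the patch adds, the way audit2allow would, and reports whether every denial was recorded in permissive mode. The log lines are reconstructed from the commit message and re-joined onto one line each; the audit log of a real system would be read instead.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials from the commit message, each
# re-joined onto a single line (the mail wraps them over three lines).
AVC_LOG = """\
avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2 scontext=system_u:system_r:radiusd_t tcontext=system_u:system_r:radiusd_t tclass=capability permissive=1
avc: denied { getcap } for pid=473 comm="radiusd" scontext=system_u:system_r:radiusd_t tcontext=system_u:system_r:radiusd_t tclass=process permissive=1
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def parse_avc(text):
    """Yield one dict per AVC denial line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            yield d


def type_of(context):
    # system_u:system_r:radiusd_t -> radiusd_t (ignores any trailing MLS level)
    return context.split(":")[2]


def allow_rules(text):
    """Collapse denials into allow rules keyed by (source, target, class).

    When source and target types match, the rule is written against `self`,
    matching the style of the lines in radius.te.
    """
    grouped = defaultdict(set)
    for d in parse_avc(text):
        src, tgt = type_of(d["scontext"]), type_of(d["tcontext"])
        target = "self" if src == tgt else tgt
        grouped[(src, target, d["tclass"])] |= d["perms"]
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


def permissive_only(text):
    """True when every denial was logged with permissive=1, i.e. nothing was actually blocked."""
    return all(d["permissive"] == "1" for d in parse_avc(text))
```

A rule generated this way grants exactly what the denial named; before merging it, check whether a narrower grant (a specific file type rather than a capability such as dac_read_search) covers the real need.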
28 diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te
29 index e5d37e722..8ac766c39 100644
30 --- a/policy/modules/services/radius.te
31 +++ b/policy/modules/services/radius.te
32 @@ -32,9 +32,9 @@ files_type(radiusd_var_lib_t)
33 # Local policy
34 #
35
36 -allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config };
37 +allow radiusd_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_resource sys_tty_config };
38 dontaudit radiusd_t self:capability sys_tty_config;
39 -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
40 +allow radiusd_t self:process { getcap getsched setrlimit setsched sigkill signal };
41 allow radiusd_t self:fifo_file rw_fifo_file_perms;
42 allow radiusd_t self:unix_stream_socket { accept listen };
43 allow radiusd_t self:tcp_socket { accept listen };
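Review bot: the `+allow radiusd_t self:capability { ... dac_read_search ... }` line grants radiusd_t a capability that bypasses DAC read and search checks on every directory on the system, while the AVC message quoted in the commit message carries no path, so it is not visible which object radiusd actually needed; consider capturing the path of the denied access first and, if it is one file or directory, whether an explicit allow on that object's type is the narrower fix. Both denials were logged with permissive=1, so the daemon should be re-tested in enforcing mode after this change to confirm nothing else was masked. The `getcap` addition to `self:process` only lets the process read its own capability set and looks fine.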