commit: a6f1a4be5244df25381bdc9d270765134f4d802b |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Wed Feb 16 16:04:33 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Feb 27 02:13:17 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=a6f1a4be |
|
cron, dbus, policykit, postfix: Minor style fixes. |
|
No rule changes. |
|
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/cron.te | 4 ++-- |
policy/modules/services/dbus.te | 5 ++--- |
policy/modules/services/policykit.te | 2 +- |
policy/modules/services/postfix.te | 5 ++--- |
4 files changed, 7 insertions(+), 9 deletions(-) |
|
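diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te
index 9ecbe4d6..b36fc709 100644
--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -209,10 +209,10 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
 
-# for changing buffer sizes
 dontaudit crond_t self:capability net_admin;
 allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
-dontaudit crond_t self:capability { sys_resource sys_tty_config };
+# net_admin for changing buffer sizes
+dontaudit crond_t self:capability { net_admin sys_resource sys_tty_config };
 
 allow crond_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow crond_t self:fd use;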
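Review bot: The standalone `dontaudit crond_t self:capability net_admin;` rule is still present as a context line above the `allow` rule, while `net_admin` is also added to the braced `dontaudit` set two lines below, so cron.te now lists the same suppression twice. The dbus.te and postfix.te hunks remove the standalone rule when folding it into the set; this hunk removes only the comment. The duplicate should not alter the compiled policy, but it separates the moved comment `# net_admin for changing buffer sizes` from one of the two rules and makes it harder to audit what crond_t silences. Delete the standalone line so that `{ net_admin sys_resource sys_tty_config }` is the only place it appears.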
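diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 9a1e6b30..31fc905c 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -67,10 +67,9 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
-# for changing buffer sizes
-dontaudit system_dbusd_t self:capability net_admin;
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
-dontaudit system_dbusd_t self:capability sys_tty_config;
+# net_admin for changing buffer sizes
+dontaudit system_dbusd_t self:capability { net_admin sys_tty_config };
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
 allow system_dbusd_t self:dbus { send_msg acquire_svc };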
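Review bot: The new comment `# net_admin for changing buffer sizes` explains only one member of the merged `dontaudit` set; `sys_tty_config` is silenced here with no stated reason, as it is in the postfix.te hunk, and the cron.te hunk likewise leaves `sys_resource` and `sys_tty_config` unexplained. Because `dontaudit` keeps the denial out of the audit log, each suppressed capability should carry a rationale so that a later reader can tell a known-harmless probe from a denial that is being hidden. Extend the comment, for example `# net_admin for changing buffer sizes; sys_tty_config: <reason, to be supplied by the module maintainer>`.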
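diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te
index 46f5568f..197dc13c 100644
--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -68,9 +68,9 @@ miscfiles_read_localization(policykit_domain)
 # Local policy
 #
 
+allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
 # for changing buffer sizes
 dontaudit policykit_t self:capability net_admin;
-allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
 allow policykit_t self:process { getsched setsched signal };
 allow policykit_t self:unix_stream_socket { accept connectto listen };
 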
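diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te
index 6fe06887..5c324bc7 100644
--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -107,10 +107,9 @@ mta_mailserver_delivery(postfix_virtual_t)
 # Common postfix domain local policy
 #
 
-# for changing buffer sizes
-dontaudit postfix_domain self:capability net_admin;
 allow postfix_domain self:capability { sys_chroot sys_nice };
-dontaudit postfix_domain self:capability sys_tty_config;
+# net_admin for changing buffer sizes
+dontaudit postfix_domain self:capability { net_admin sys_tty_config };
 allow postfix_domain self:process { signal_perms setpgid setsched };
 allow postfix_domain self:fifo_file rw_fifo_file_perms;
 allow postfix_domain self:unix_stream_socket { accept connectto listen };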