commit: c988737ef7f93819a734d799b1b36e4eb5e3f0ee |
Author: Amadeusz Sławiński <amade <AT> asmblr <DOT> net> |
AuthorDate: Tue Oct 17 21:25:45 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Oct 29 13:57:28 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c988737e |
|
allow dac_read_search along with dac_override |
|
newer kernels check dac_read_search first and then for more permissions |
which are allowed by dac_override |
|
Signed-off-by: Amadeusz Sławiński <amade <AT> asmblr.net> |
|
policy/modules/contrib/portage.if | 2 +- |
1 file changed, 1 insertion(+), 1 deletion(-) |
|
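--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -72,7 +72,7 @@ interface(`portage_compile_domain',`
 type portage_tmp_t, portage_tmpfs_t;
 ')
 
- allow $1 self:capability { chown dac_override dac_override fowner fsetid mknod net_raw setgid setuid };
+ allow $1 self:capability { chown dac_override dac_read_search fowner fsetid mknod net_raw setgid setuid };
 dontaudit $1 self:capability sys_chroot;
 allow $1 self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
 allow $1 self:fd use;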
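Review bot: The changed `allow $1 self:capability { ... }` rule has no comment saying why `dac_read_search` is listed next to `dac_override`, so a later least-privilege cleanup could drop it as redundant and bring the AVC denials back. I would put `# dac_read_search: newer kernels check it before dac_override, keep both` directly above the rule. The grant itself does not widen what the compile domain can bypass, because `dac_override` already covers read and search. It would still be worth checking whether this domain needs `dac_override` at all, or whether `dac_read_search` alone would satisfy most of its accesses. Other rules in the policy that allow `dac_override` alone presumably hit the same kernel ordering, but only this interface is visible here. The body of `portage_compile_domain` starts and ends outside the hunk.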