| 1 |
commit: e312e5bdbbf8d7c76b13d94b02ad56372d6d8b37 |
| 2 |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
| 3 |
AuthorDate: Wed Feb 16 13:07:30 2022 +0000 |
| 4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
| 5 |
CommitDate: Sun Feb 27 02:13:17 2022 +0000 |
| 6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e312e5bd |
| 7 |
|
| 8 |
dontaudit net_admin without hide_broken_symptoms |
| 9 |
|
| 10 |
Sending this patch again without the ifdef, I agree that the ifdef isn't very |
| 11 |
useful nowadays. |
| 12 |
|
| 13 |
Signed-off-by: Russell Coker <russell <AT> coker.com.au> |
| 14 |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
| 15 |
|
| 16 |
policy/modules/services/cron.te | 2 ++ |
| 17 |
policy/modules/services/dbus.te | 2 ++ |
| 18 |
policy/modules/services/policykit.te | 2 ++ |
| 19 |
policy/modules/services/postfix.te | 2 ++ |
| 20 |
4 files changed, 8 insertions(+) |
| 21 |
|
| 22 |
diff --git a/policy/modules/services/cron.te b/policy/modules/services/cron.te |
| 23 |
index 03268277..9ecbe4d6 100644 |
| 24 |
--- a/policy/modules/services/cron.te |
| 25 |
+++ b/policy/modules/services/cron.te |
| 26 |
@@ -209,6 +209,8 @@ tunable_policy(`fcron_crond',` |
| 27 |
# Daemon local policy |
| 28 |
# |
| 29 |
|
| 30 |
+# for changing buffer sizes |
| 31 |
+dontaudit crond_t self:capability net_admin; |
| 32 |
allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice }; |
| 33 |
dontaudit crond_t self:capability { sys_resource sys_tty_config }; |
| 34 |
|
| 35 |
|
| 36 |
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te |
| 37 |
index c0b98558..9a1e6b30 100644 |
| 38 |
--- a/policy/modules/services/dbus.te |
| 39 |
+++ b/policy/modules/services/dbus.te |
| 40 |
@@ -67,6 +67,8 @@ ifdef(`enable_mls',` |
| 41 |
# Local policy |
| 42 |
# |
| 43 |
|
| 44 |
+# for changing buffer sizes |
| 45 |
+dontaudit system_dbusd_t self:capability net_admin; |
| 46 |
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource }; |
| 47 |
dontaudit system_dbusd_t self:capability sys_tty_config; |
| 48 |
allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; |
| 49 |
|
| 50 |
diff --git a/policy/modules/services/policykit.te b/policy/modules/services/policykit.te |
| 51 |
index ee8f4c2d..46f5568f 100644 |
| 52 |
--- a/policy/modules/services/policykit.te |
| 53 |
+++ b/policy/modules/services/policykit.te |
| 54 |
@@ -68,6 +68,8 @@ miscfiles_read_localization(policykit_domain) |
| 55 |
# Local policy |
| 56 |
# |
| 57 |
|
| 58 |
+# for changing buffer sizes |
| 59 |
+dontaudit policykit_t self:capability net_admin; |
| 60 |
allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace }; |
| 61 |
allow policykit_t self:process { getsched setsched signal }; |
| 62 |
allow policykit_t self:unix_stream_socket { accept connectto listen }; |
| 63 |
|
| 64 |
diff --git a/policy/modules/services/postfix.te b/policy/modules/services/postfix.te |
| 65 |
index 6b97df10..6fe06887 100644 |
| 66 |
--- a/policy/modules/services/postfix.te |
| 67 |
+++ b/policy/modules/services/postfix.te |
| 68 |
@@ -107,6 +107,8 @@ mta_mailserver_delivery(postfix_virtual_t) |
| 69 |
# Common postfix domain local policy |
| 70 |
# |
| 71 |
|
| 72 |
+# for changing buffer sizes |
| 73 |
+dontaudit postfix_domain self:capability net_admin; |
| 74 |
allow postfix_domain self:capability { sys_chroot sys_nice }; |
| 75 |
dontaudit postfix_domain self:capability sys_tty_config; |
| 76 |
allow postfix_domain self:process { signal_perms setpgid setsched }; |
Archives