commit: e312e5bdbbf8d7c76b13d94b02ad56372d6d8b37 |
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> |
AuthorDate: Wed Feb 16 13:07:30 2022 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Feb 27 02:13:17 2022 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=e312e5bd |
|
dontaudit net_admin without hide_broken_symptoms |
|
Sending this patch again without the ifdef, I agree that the ifdef isn't very |
useful nowadays. |
|
Signed-off-by: Russell Coker <russell <AT> coker.com.au> |
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org> |
|
policy/modules/services/cron.te | 2 ++ |
policy/modules/services/dbus.te | 2 ++ |
policy/modules/services/policykit.te | 2 ++ |
policy/modules/services/postfix.te | 2 ++ |
4 files changed, 8 insertions(+) |
|
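--- a/policy/modules/services/cron.te
+++ b/policy/modules/services/cron.te
@@ -209,6 +209,8 @@ tunable_policy(`fcron_crond',`
 # Daemon local policy
 #
 
+# for changing buffer sizes
+dontaudit crond_t self:capability net_admin;
 allow crond_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_nice };
 dontaudit crond_t self:capability { sys_resource sys_tty_config };
 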
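Review bot: The added comment `# for changing buffer sizes` above the new `dontaudit crond_t self:capability net_admin;` line does not say which operation triggers the net_admin check or why silencing it is safe, and that matters because a dontaudit also keeps any future genuine need for the capability out of the audit log. Presumably the denial comes from a setsockopt(SO_SNDBUFFORCE/SO_RCVBUFFORCE) attempt to raise a socket buffer past the unprivileged limit, where the kernel falls back to the capped size; if so, `# dontaudit net_admin: setsockopt(SO_SNDBUFFORCE/SO_RCVBUFFORCE) to raise socket buffers past the limit; the fallback to the capped size is harmless` tells the reader the denial can be ignored and when to revisit the rule. The same wording is added in the dbus.te, policykit.te and postfix.te hunks, and in postfix.te the rule targets the postfix_domain attribute, so it silences the denial for every postfix domain rather than a single type.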
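--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -67,6 +67,8 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
+# for changing buffer sizes
+dontaudit system_dbusd_t self:capability net_admin;
 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_resource };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };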
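--- a/policy/modules/services/policykit.te
+++ b/policy/modules/services/policykit.te
@@ -68,6 +68,8 @@ miscfiles_read_localization(policykit_domain)
 # Local policy
 #
 
+# for changing buffer sizes
+dontaudit policykit_t self:capability net_admin;
 allow policykit_t self:capability { dac_override dac_read_search setgid setuid sys_nice sys_ptrace };
 allow policykit_t self:process { getsched setsched signal };
 allow policykit_t self:unix_stream_socket { accept connectto listen };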
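--- a/policy/modules/services/postfix.te
+++ b/policy/modules/services/postfix.te
@@ -107,6 +107,8 @@ mta_mailserver_delivery(postfix_virtual_t)
 # Common postfix domain local policy
 #
 
+# for changing buffer sizes
+dontaudit postfix_domain self:capability net_admin;
 allow postfix_domain self:capability { sys_chroot sys_nice };
 dontaudit postfix_domain self:capability sys_tty_config;
 allow postfix_domain self:process { signal_perms setpgid setsched };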