1 |
commit: 9771f955615ba799aa321147a1730dda60e99a00 |
2 |
Author: Adam Tkac <adam.tkac <AT> gooddata <DOT> com> |
3 |
AuthorDate: Tue Jun 21 13:08:33 2016 +0000 |
4 |
Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Jul 3 11:32:26 2016 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9771f955 |
7 |
|
8 |
Grant certmonger "chown" capability |
9 |
|
10 |
After autorenewal of the certificate, "chown" capability is needed |
11 |
to change certificate user/group to daemon's user/group. |
12 |
|
13 |
policy/modules/contrib/certmonger.te | 2 +- |
14 |
1 file changed, 1 insertion(+), 1 deletion(-) |
15 |
|
16 |
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te |
17 |
index 7c3126e..034ffa3 100644 |
18 |
--- a/policy/modules/contrib/certmonger.te |
19 |
+++ b/policy/modules/contrib/certmonger.te |
20 |
@@ -23,7 +23,7 @@ files_pid_file(certmonger_var_run_t) |
21 |
# Local policy |
22 |
# |
23 |
|
24 |
-allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice }; |
25 |
+allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice }; |
26 |
dontaudit certmonger_t self:capability sys_tty_config; |
27 |
allow certmonger_t self:capability2 block_suspend; |
28 |
allow certmonger_t self:process { getsched setsched sigkill signal }; |