commit: 70ca70457e34ca1d4a14d57bf953ef63eef324d2 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Thu Nov 2 17:30:47 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Nov 5 06:38:35 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70ca7045 |
|
gssproxy: Allow others to stream connect |
|
kernel AVC: |
* Starting gssproxy ... |
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied) |
* start-stop-daemon: failed to start `gssproxy' |
|
type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0 |
|
policy/modules/kernel/kernel.te | 4 ++++ |
policy/modules/roles/sysadm.te | 4 ++++ |
policy/modules/system/userdomain.if | 4 ++++ |
3 files changed, 12 insertions(+) |
|
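diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5d8404de..432fa86e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
 	rpc_tcp_rw_nfs_sockets(kernel_t)
 	rpc_udp_rw_nfs_sockets(kernel_t)
 
+	optional_policy(`
+		gssproxy_stream_connect(kernel_t)
+	')
+
 	tunable_policy(`nfs_export_all_ro',`
 		fs_getattr_noxattr_fs(kernel_t)
 		fs_list_noxattr_fs(kernel_t)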
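Review bot: The nested `optional_policy` block added at the hunk's fourth line grants kernel_t, the most privileged domain in the policy, stream connect to the gssproxy socket with no comment recording why, so the rule will look like an accidental over-grant to the next reader. The AVC quoted in the description shows the denial is raised in kernel_t while gssproxy writes to /proc/net/rpc/use-gss-proxy, which presumably means the kernel's RPC GSS code connects to /run/gssproxy.sock on the daemon's behalf; a one-line comment above the block such as `# kernel connects to the gssproxy socket once use-gss-proxy is enabled` would capture that. Nesting the block inside the rpc `optional_policy` (which opens before the hunk) ties the grant to the rpc module being present, which looks deliberate but is worth a sentence in the description.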
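diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 47179088..407ca87f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -455,6 +455,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gssproxy_admin(sysadm_t)
+')
+
+optional_policy(`
 	hadoop_role(sysadm_r, sysadm_t)
 ')
 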
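Review bot: `gssproxy_admin(sysadm_t)` at the hunk's first added line is not motivated by the AVC in the description, which only documents the kernel_t connectto denial, so the description should state why the sysadm domain now receives full administration of the gssproxy daemon and its files. Most refpolicy `*_admin` interfaces also take the role as a second argument so that service start/stop can be granted to it; if gssproxy_admin is defined that way in gssproxy.if (outside this diff), the call should read `gssproxy_admin(sysadm_t, sysadm_r)`, and if it is not, the single-argument form is fine — confirm against the interface definition.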
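diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 178b5fb7..2f7afd72 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -686,6 +686,10 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		gssproxy_stream_connect($1_t)
+	')
+
+	optional_policy(`
 		hwloc_exec_dhwd($1_t)
 		hwloc_read_runtime_files($1_t)
 	')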
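Review bot: `gssproxy_stream_connect($1_t)` at the hunk's first added line extends connect access on the gssproxy socket to every domain built from userdom_common_user_template (the template opens before the hunk), which is a much wider grant than the kernel_t denial in the description justifies, and nothing records which user-side client needs it. Either name the use case in the description or add a comment above the block stating which library or tool in a user session contacts the gssproxy socket, so a later reviewer can tell the rule apart from an over-broad allow. If only some deployments use gssproxy from user sessions, gating the block with a tunable would keep the default user domains narrower.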