Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/roles/, policy/modules/system/, policy/modules/kernel/
Date: Sun, 05 Nov 2017 08:01:45
Message-Id: 1509863915.70ca70457e34ca1d4a14d57bf953ef63eef324d2.perfinion@gentoo
commit: 70ca70457e34ca1d4a14d57bf953ef63eef324d2
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Nov 2 17:30:47 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 5 06:38:35 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70ca7045

gssproxy: Allow others to stream connect

kernel AVC:
* Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
* start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0

policy/modules/kernel/kernel.te | 4 ++++
policy/modules/roles/sysadm.te | 4 ++++
policy/modules/system/userdomain.if | 4 ++++
3 files changed, 12 insertions(+)

22 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
23 index 5d8404de..432fa86e 100644
24 --- a/policy/modules/kernel/kernel.te
25 +++ b/policy/modules/kernel/kernel.te
26 @@ -423,6 +423,10 @@ optional_policy(`
27 rpc_tcp_rw_nfs_sockets(kernel_t)
28 rpc_udp_rw_nfs_sockets(kernel_t)
29
30 + optional_policy(`
31 + gssproxy_stream_connect(kernel_t)
32 + ')
33 +
34 tunable_policy(`nfs_export_all_ro',`
35 fs_getattr_noxattr_fs(kernel_t)
36 fs_list_noxattr_fs(kernel_t)
37
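Review bot: the new `gssproxy_stream_connect(kernel_t)` block is nested inside the enclosing rpc `optional_policy(` (see the `@@` header and the surrounding `rpc_tcp_rw_nfs_sockets` / `rpc_udp_rw_nfs_sockets` context), so the rule only applies when both the rpc and gssproxy modules are loaded; that matches the failure path in the commit message (the write to /proc/net/rpc/use-gss-proxy makes the kernel connect to /run/gssproxy.sock), but nothing in the policy records that. A kernel_t-to-userspace-socket `connectto` is unusual enough to deserve a one-line comment above the block, e.g. `# sunrpc connects to gssproxy when use-gss-proxy is enabled`, so a later reader does not take it for a leftover. The context lines confirm the AVC is exactly this pair (scontext kernel_t, tcontext gssproxy_t, unix_stream_socket connectto), so the rule itself is the minimal fix for the denial quoted above.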
38 diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
39 index 47179088..407ca87f 100644
40 --- a/policy/modules/roles/sysadm.te
41 +++ b/policy/modules/roles/sysadm.te
42 @@ -455,6 +455,10 @@ optional_policy(`
43 ')
44
45 optional_policy(`
46 + gssproxy_admin(sysadm_t)
47 +')
48 +
49 +optional_policy(`
50 hadoop_role(sysadm_r, sysadm_t)
51 ')
52
53
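Review bot: `gssproxy_admin(sysadm_t)` is not covered by the commit message, which only describes the kernel_t `connectto` denial; add a sentence stating that sysadm_t now gets the gssproxy admin interface (or split it into its own commit), since it grants sysadm_t management rights over the gssproxy domain rather than fixing the quoted AVC. Also confirm the interface's declared parameter list before merging: the neighbouring `hadoop_role(sysadm_r, sysadm_t)` passes a role, and many admin interfaces in this file take a role argument as well, so check that `gssproxy_admin` is declared with a single domain parameter, otherwise the build will fail. Ordering (gssproxy before hadoop) is correct.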
54 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
55 index 178b5fb7..2f7afd72 100644
56 --- a/policy/modules/system/userdomain.if
57 +++ b/policy/modules/system/userdomain.if
58 @@ -686,6 +686,10 @@ template(`userdom_common_user_template',`
59 ')
60
61 optional_policy(`
62 + gssproxy_stream_connect($1_t)
63 + ')
64 +
65 + optional_policy(`
66 hwloc_exec_dhwd($1_t)
67 hwloc_read_runtime_files($1_t)
68 ')
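Review bot: `gssproxy_stream_connect($1_t)` in `userdom_common_user_template` widens the change to every user domain built from that template, which the commit message (kernel_t only) does not explain; add the rationale to the message, and if only some user roles need to talk to gssproxy, consider gating the call rather than granting it to all common user domains. The placement itself is fine: the hunk reuses the existing `optional_policy(` opener and re-opens one for hwloc, so the net effect is a separate gssproxy block ahead of hwloc, keeping alphabetical order and leaving the hwloc block unchanged.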