Gentoo Archives: gentoo-commits

From: Sven Vermeulen <sven.vermeulen@××××××.be>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/
Date: Wed, 29 Aug 2012 18:48:32
Message-Id: 1346259435.314a4a68255302f3ea2782e985b3eb2d6c944dc1.SwifT@gentoo
1 commit: 314a4a68255302f3ea2782e985b3eb2d6c944dc1
2 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
3 AuthorDate: Wed Aug 29 16:57:15 2012 +0000
4 Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
5 CommitDate: Wed Aug 29 16:57:15 2012 +0000
6 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=314a4a68
7
8 Allow dbus system daemon to set its resource limits
9
10 The DBus daemon will try to set a good limit for its open file descriptors, but
11 will not fail (crash daemon) if the request fails. Still, the application is
12 meant to provide this functionality (cfr dbus/dbus-sysdeps-util-unix.c function
13 _dbus_request_file_descriptor_limit).
14
15 See also the inline comment there:
16
17 /* Also ignore errors; if we fail, we will at least work
18 * up to whatever limit we had, which seems better than
19 * just outright aborting.
20 *
21 * However, in the future we should probably log this so OS builders
22 * have a chance to notice any misconfiguration like dbus-daemon
23 * being started without CAP_SYS_RESOURCE.
24 */
25
26 ---
27 policy/modules/contrib/dbus.te | 2 +-
28 1 files changed, 1 insertions(+), 1 deletions(-)
29
30 diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te
31 index 05f2b89..192037d 100644
32 --- a/policy/modules/contrib/dbus.te
33 +++ b/policy/modules/contrib/dbus.te
34 @@ -54,7 +54,7 @@ ifdef(`enable_mls',`
35 # cjp: dac_override should probably go in a distro_debian
36 allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
37 dontaudit system_dbusd_t self:capability sys_tty_config;
38 -allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
39 +allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit };
40 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
41 allow system_dbusd_t self:dbus { send_msg acquire_svc };
42 allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto };
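
Review bot: The setrlimit permission added on the self:process line covers only the process-class check, while the upstream comment quoted in the commit message names CAP_SYS_RESOURCE and the self:capability rule two lines above still lists only { dac_override setgid setpcap setuid }. Please confirm on a test system whether the daemon's limit request then logs a sys_resource denial. If it does, either add that capability in the same change or say in the commit message that leaving it out is deliberate. Because the message states that the daemon keeps running when the request fails, a one-line comment above the rule explaining why allow was chosen over dontaudit would match the "# cjp:" note already in this block and help whoever audits system_dbusd_t later.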