1 |
commit: 314a4a68255302f3ea2782e985b3eb2d6c944dc1 |
2 |
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
3 |
AuthorDate: Wed Aug 29 16:57:15 2012 +0000 |
4 |
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> |
5 |
CommitDate: Wed Aug 29 16:57:15 2012 +0000 |
6 |
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=314a4a68 |
7 |
|
8 |
Allow dbus system daemon to set its resource limits |
9 |
|
10 |
The DBus daemon will try to set a good limit for its open file descriptors, but |
11 |
will not fail (crash daemon) if the request fails. Still, the application is |
12 |
meant to provide this functionality (cfr dbus/dbus-sysdeps-util-unix.c function |
13 |
_dbus_request_file_descriptor_limit). |
14 |
|
15 |
See also the inline comment there: |
16 |
|
17 |
/* Also ignore errors; if we fail, we will at least work |
18 |
* up to whatever limit we had, which seems better than |
19 |
* just outright aborting. |
20 |
* |
21 |
* However, in the future we should probably log this so OS builders |
22 |
* have a chance to notice any misconfiguration like dbus-daemon |
23 |
* being started without CAP_SYS_RESOURCE. |
24 |
*/ |
25 |
|
26 |
--- |
27 |
policy/modules/contrib/dbus.te | 2 +- |
28 |
1 files changed, 1 insertions(+), 1 deletions(-) |
29 |
|
30 |
diff --git a/policy/modules/contrib/dbus.te b/policy/modules/contrib/dbus.te |
31 |
index 05f2b89..192037d 100644 |
32 |
--- a/policy/modules/contrib/dbus.te |
33 |
+++ b/policy/modules/contrib/dbus.te |
34 |
@@ -54,7 +54,7 @@ ifdef(`enable_mls',` |
35 |
# cjp: dac_override should probably go in a distro_debian |
36 |
allow system_dbusd_t self:capability { dac_override setgid setpcap setuid }; |
37 |
dontaudit system_dbusd_t self:capability sys_tty_config; |
38 |
-allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap }; |
39 |
+allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap setrlimit }; |
40 |
allow system_dbusd_t self:fifo_file rw_fifo_file_perms; |
41 |
allow system_dbusd_t self:dbus { send_msg acquire_svc }; |
42 |
allow system_dbusd_t self:unix_stream_socket { connectto create_stream_socket_perms connectto }; |