
From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/
Date: Mon, 27 Feb 2017 11:40:12
Message-Id: 1488191830.790a26f8e3601f0e6f0fc4e7a480ac7196b34567.perfinion@gentoo
1 commit: 790a26f8e3601f0e6f0fc4e7a480ac7196b34567
2 Author: cgzones <cgzones <AT> googlemail <DOT> com>
3 AuthorDate: Thu Jan 5 12:21:10 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Mon Feb 27 10:37:10 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=790a26f8
7
8 locallogin: adjustments
9
10 * do not grant permissions by negative matching
11 * separate dbus from consolekit block for systemd
12
13 policy/modules/system/locallogin.te | 8 ++++----
14 1 file changed, 4 insertions(+), 4 deletions(-)
15
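diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 174ba9f4..964239a4 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -33,8 +33,7 @@ role system_r types sulogin_t;
 #
 
 allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:process { setexec setrlimit setsched };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
 allow local_login_t self:sock_file read_sock_file_perms;
@@ -171,7 +170,9 @@ optional_policy(`
 optional_policy(`
 dbus_system_bus_client(local_login_t)
 
-consolekit_dbus_chat(local_login_t)
+optional_policy(`
+consolekit_dbus_chat(local_login_t)
+')
 ')
 
 optional_policy(`
@@ -211,7 +212,6 @@ optional_policy(`
 #
 
 allow sulogin_t self:capability dac_override;
-allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_fifo_file_perms;
 allow sulogin_t self:unix_dgram_socket create_socket_perms;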
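Review bot: The positive replacement in the first hunk, `allow local_login_t self:process { setexec setrlimit setsched };`, drops every process permission the removed `~{ ... }` rule used to grant implicitly (fork, signal, sigchld, getsched, setpgid, getcap, setcap and others), and nothing in the hunk re-grants them; the third hunk does the same for sulogin_t but adds no positive rule at all. Unless those permissions are granted by other rules or interfaces outside these hunks, the change will surface as new AVC denials during local login and sulogin rather than as a pure tightening, so it is worth confirming against an audit log with dontaudit rules disabled before merging. The `+` line also newly grants `setsched`, which the commit message does not mention; a message line such as `* explicitly grant setsched (previously implied by the negative match)` would record that intent. The removal of negative matching itself is the right direction, since a `~{ }` set silently acquires any permission later added to the process class.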