1 |
commit: 790a26f8e3601f0e6f0fc4e7a480ac7196b34567 |
2 |
Author: cgzones <cgzones <AT> googlemail <DOT> com> |
3 |
AuthorDate: Thu Jan 5 12:21:10 2017 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Mon Feb 27 10:37:10 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=790a26f8 |
7 |
|
8 |
locallogin: adjustments |
9 |
|
10 |
* do not grant permissions by negativ matching |
11 |
* separate dbus from consolekit block for systemd |
12 |
|
13 |
policy/modules/system/locallogin.te | 8 ++++---- |
14 |
1 file changed, 4 insertions(+), 4 deletions(-) |
15 |
|
16 |
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te |
17 |
index 174ba9f4..964239a4 100644 |
18 |
--- a/policy/modules/system/locallogin.te |
19 |
+++ b/policy/modules/system/locallogin.te |
20 |
@@ -33,8 +33,7 @@ role system_r types sulogin_t; |
21 |
# |
22 |
|
23 |
allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; |
24 |
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
25 |
-allow local_login_t self:process { setrlimit setexec }; |
26 |
+allow local_login_t self:process { setexec setrlimit setsched }; |
27 |
allow local_login_t self:fd use; |
28 |
allow local_login_t self:fifo_file rw_fifo_file_perms; |
29 |
allow local_login_t self:sock_file read_sock_file_perms; |
30 |
@@ -171,7 +170,9 @@ optional_policy(` |
31 |
optional_policy(` |
32 |
dbus_system_bus_client(local_login_t) |
33 |
|
34 |
- consolekit_dbus_chat(local_login_t) |
35 |
+ optional_policy(` |
36 |
+ consolekit_dbus_chat(local_login_t) |
37 |
+ ') |
38 |
') |
39 |
|
40 |
optional_policy(` |
41 |
@@ -211,7 +212,6 @@ optional_policy(` |
42 |
# |
43 |
|
44 |
allow sulogin_t self:capability dac_override; |
45 |
-allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; |
46 |
allow sulogin_t self:fd use; |
47 |
allow sulogin_t self:fifo_file rw_fifo_file_perms; |
48 |
allow sulogin_t self:unix_dgram_socket create_socket_perms; |