Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/, policy/modules/system/, policy/modules/kernel/
Date: Sun, 30 Apr 2017 09:41:00
Message-Id: 1493544711.418b4e8cafc67cf484c670c3267331fd365af0cb.perfinion@gentoo
1 commit: 418b4e8cafc67cf484c670c3267331fd365af0cb
2 Author: Jason Zaman <jason <AT> perfinion <DOT> com>
3 AuthorDate: Thu Mar 30 07:30:55 2017 +0000
4 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
5 CommitDate: Sun Apr 30 09:31:51 2017 +0000
6 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=418b4e8c
7
8 gssproxy: Allow others to stream connect
9
10 kernel AVC:
11 * Starting gssproxy ...
12 Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
13 * start-stop-daemon: failed to start `gssproxy'
14
15 type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
16
17 policy/modules/contrib/rpc.te | 3 +++
18 policy/modules/kernel/kernel.te | 4 ++++
19 policy/modules/system/userdomain.if | 4 ++++
20 3 files changed, 11 insertions(+)
21
22 diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
23 index 0b9a71fc..5dd5d781 100644
24 --- a/policy/modules/contrib/rpc.te
25 +++ b/policy/modules/contrib/rpc.te
26 @@ -339,6 +339,9 @@ optional_policy(`
27 ')
28
29 optional_policy(`
30 + gssproxy_stream_connect(gssd_t)
31 +')
32 +optional_policy(`
33 kerberos_manage_host_rcache(gssd_t)
34 kerberos_read_keytab(gssd_t)
35 kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
36
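Review bot: The interface gssproxy_stream_connect() is called here (and in the other two files) but its definition is not part of this diff; confirm it exists in the gssproxy module's .if file and that the rpc module still builds when gssproxy is absent, which is what the surrounding optional_policy(` ... ') wrapper is for. The commit message only quotes a denial for kernel_t, so it would help to state why gssd_t also needs to connect to the gssproxy socket rather than leaving the reader to infer it from the hunk.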
37 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
38 index 639b8454..f6b2a22b 100644
39 --- a/policy/modules/kernel/kernel.te
40 +++ b/policy/modules/kernel/kernel.te
41 @@ -416,6 +416,10 @@ optional_policy(`
42 rpc_tcp_rw_nfs_sockets(kernel_t)
43 rpc_udp_rw_nfs_sockets(kernel_t)
44
45 + optional_policy(`
46 + gssproxy_stream_connect(kernel_t)
47 + ')
48 +
49 tunable_policy(`nfs_export_all_ro',`
50 fs_getattr_noxattr_fs(kernel_t)
51 fs_list_noxattr_fs(kernel_t)
52
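Review bot: This is the hunk that addresses the quoted AVC (scontext=kernel_t, tclass=unix_stream_socket, connectto on /run/gssproxy.sock); the "Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)" line in the message is the user-visible result of that same denial, since writing that file makes the kernel connect to the gssproxy socket, and the connect runs in the kernel's context even though comm="gssproxy". Consider saying so in the commit message so nobody goes looking for a missing proc-file rule for gssproxy_t. Indentation of the added block matches the neighbouring rpc_* calls, which is fine.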
53 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
54 index dbfb33da..55512c04 100644
55 --- a/policy/modules/system/userdomain.if
56 +++ b/policy/modules/system/userdomain.if
57 @@ -726,6 +726,10 @@ template(`userdom_common_user_template',`
58 ')
59
60 optional_policy(`
61 + gssproxy_stream_connect($1_t)
62 + ')
63 +
64 + optional_policy(`
65 hwloc_exec_dhwd($1_t)
66 hwloc_read_runtime_files($1_t)
67 ')
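Review bot: This hunk widens the change beyond what the commit message justifies: the only denial quoted is for kernel_t, yet every domain built from userdom_common_user_template now gets gssproxy_stream_connect($1_t), i.e. all common user domains may connect to the gssproxy socket. Either add the corresponding user-domain AVC (or the reason user processes need it) to the commit message, or split this into its own commit so the kernel_t fix stays minimal and reviewable on its own.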