Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/, policy/modules/kernel/, policy/modules/system/
Date: Thu, 25 May 2017 17:08:56
Message-Id: 1495731839.de8ad58a6a9103f443b733400d2f7980944bfcd0.perfinion@gentoo
commit: de8ad58a6a9103f443b733400d2f7980944bfcd0
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 07:30:55 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de8ad58a

gssproxy: Allow others to stream connect

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0

policy/modules/contrib/rpc.te | 3 +++
policy/modules/kernel/kernel.te | 4 ++++
policy/modules/system/userdomain.if | 4 ++++
3 files changed, 11 insertions(+)

22 diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
23 index a8a83400..c7855fef 100644
24 --- a/policy/modules/contrib/rpc.te
25 +++ b/policy/modules/contrib/rpc.te
26 @@ -339,6 +339,9 @@ optional_policy(`
27 ')
28
29 optional_policy(`
30 + gssproxy_stream_connect(gssd_t)
31 +')
32 +optional_policy(`
33 kerberos_manage_host_rcache(gssd_t)
34 kerberos_read_keytab(gssd_t)
35 kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
36
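Review bot: the gssproxy_stream_connect(gssd_t) addition in this hunk is not backed by the commit message, which quotes a single denial and that one is for kernel_t (scontext=system_u:system_r:kernel_t:s0), not gssd_t; either add the rpc.gssd denial that motivated it to the message or split the rpc.te change into its own commit so the audit trail for each allow stays clear. Note also that gssproxy_stream_connect() is not defined anywhere in this diff, so the hunk relies on contrib/gssproxy.if already providing that interface on the branch; a call to an interface no .if file defines does not build, optional_policy or not, so confirm it is present before merging.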
37 diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
38 index 685f3d0f..5877621b 100644
39 --- a/policy/modules/kernel/kernel.te
40 +++ b/policy/modules/kernel/kernel.te
41 @@ -423,6 +423,10 @@ optional_policy(`
42 rpc_tcp_rw_nfs_sockets(kernel_t)
43 rpc_udp_rw_nfs_sockets(kernel_t)
44
45 + optional_policy(`
46 + gssproxy_stream_connect(kernel_t)
47 + ')
48 +
49 tunable_policy(`nfs_export_all_ro',`
50 fs_getattr_noxattr_fs(kernel_t)
51 fs_list_noxattr_fs(kernel_t)
52
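Review bot: the new optional_policy block is nested inside the existing rpc optional_policy (the rpc_tcp_rw_nfs_sockets(kernel_t) / rpc_udp_rw_nfs_sockets(kernel_t) context above it), so kernel_t only gains access to the gssproxy socket when the rpc module is loaded. That is consistent with the trigger quoted in the commit message (the failed write to /proc/net/rpc/use-gss-proxy, after which kernel_t is denied connectto on /run/gssproxy.sock), but the dependency is not obvious from the hunk alone; please state in the commit message that the rule is deliberately scoped to the rpc block rather than placed at kernel.te's top level. The fix itself is minimal for the denial shown, which is only { connectto } on unix_stream_socket.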
53 diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
54 index dbfb33da..55512c04 100644
55 --- a/policy/modules/system/userdomain.if
56 +++ b/policy/modules/system/userdomain.if
57 @@ -726,6 +726,10 @@ template(`userdom_common_user_template',`
58 ')
59
60 optional_policy(`
61 + gssproxy_stream_connect($1_t)
62 + ')
63 +
64 + optional_policy(`
65 hwloc_exec_dhwd($1_t)
66 hwloc_read_runtime_files($1_t)
67 ')
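Review bot: this hunk grants gssproxy_stream_connect($1_t) to every domain instantiated from userdom_common_user_template, and nothing in the commit message supports it: the only denial quoted is for kernel_t, and the subject line "Allow others to stream connect" does not say which user workloads need to reach the gssproxy socket. Letting all common user domains connect to a system daemon's socket widens what an unprivileged user can talk to, so either quote the AVC from a user domain that motivated it, or gate the call behind a tunable_policy boolean instead of granting it unconditionally in the template. Placement ahead of the hwloc_exec_dhwd($1_t) block keeps the alphabetical ordering, which is fine.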
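As an added illustration of what the quoted AVC asks for and what the interface call in this commit has to deliver (example code written for this page, not hardened-refpolicy's own tooling), the following Python script parses AVC denial records into the allow rules they imply, the way audit2allow does, and checks them against the rules a refpolicy stream_connect_pattern() call is assumed to grant. The first sample record is the one from the commit message; the second record, the gssproxy_var_run_t type name and the exact sock_file permission set are assumptions made for the example and are not taken from the commit.

```python
"""Derive the allow rules a set of SELinux AVC denials require and check
whether a candidate policy change (here, what gssproxy_stream_connect()
is assumed to expand to) actually covers them.

Added example for this commit page; it is not hardened-refpolicy code.
"""
import re
from collections import defaultdict

# Sample input. The first record is the AVC quoted in the commit message;
# the second is constructed for this example and uses an assumed socket
# file type name (gssproxy_var_run_t) that the commit does not mention.
SAMPLE_AVC = """\
type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(1490858215.578:386111): avc: denied { write } for pid=25447 comm="gssproxy" name="gssproxy.sock" dev="tmpfs" ino=4242 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:gssproxy_var_run_t:s0 tclass=sock_file permissive=0
"""

_AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx!r}")
    return parts[2]


def parse_avc(text):
    """Return one (source_type, target_type, tclass, perms) tuple per denial."""
    found = []
    for line in text.splitlines():
        m = _AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial record
        found.append((
            context_type(m.group("scon")),
            context_type(m.group("tcon")),
            m.group("tclass"),
            frozenset(m.group("perms").split()),
        ))
    return found


def required_rules(text):
    """Collapse denials into {(src, tgt, class): perms}, as audit2allow does."""
    need = defaultdict(set)
    for src, tgt, cls, perms in parse_avc(text):
        need[(src, tgt, cls)] |= perms
    return dict(need)


def format_rules(need):
    """Render the collapsed denials as raw policy allow statements."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};"
        for (src, tgt, cls), perms in sorted(need.items())
    ]


def stream_connect_pattern(client, sock_file_type, server):
    """Rules refpolicy's stream_connect_pattern() hands to a client domain.

    Assumption: gssproxy_stream_connect() wraps this pattern. The sock_file
    permission set below is what this example assumes write_sock_file_perms
    to be; check obj_perm_sets.spt in your tree. The dir search rule on the
    socket's directory is omitted because it is not relevant to the check.
    """
    return {
        (client, sock_file_type, "sock_file"): {"getattr", "write", "open", "append"},
        (client, server, "unix_stream_socket"): {"connectto"},
    }


def uncovered(granted, need):
    """Return the denials (and permissions) that `granted` does not satisfy."""
    missing = {}
    for key, perms in need.items():
        left = perms - granted.get(key, set())
        if left:
            missing[key] = left
    return missing


if __name__ == "__main__":
    need = required_rules(SAMPLE_AVC)
    print("\n".join(format_rules(need)))
    granted = stream_connect_pattern("kernel_t", "gssproxy_var_run_t", "gssproxy_t")
    print("uncovered after gssproxy_stream_connect(kernel_t):", uncovered(granted, need))
```

Run it against a real audit.log excerpt (replace SAMPLE_AVC) to see the minimal rules a denial set implies; if the real gssproxy_stream_connect() in your tree expands differently from the assumed pattern, adjust stream_connect_pattern() to match before trusting the coverage result.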