commit: de8ad58a6a9103f443b733400d2f7980944bfcd0 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
AuthorDate: Thu Mar 30 07:30:55 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Thu May 25 17:03:59 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de8ad58a |
|
gssproxy: Allow others to stream connect |
|
kernel AVC: |
* Starting gssproxy ... |
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied) |
* start-stop-daemon: failed to start `gssproxy' |
|
type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0 |
|
policy/modules/contrib/rpc.te | 3 +++ |
policy/modules/kernel/kernel.te | 4 ++++ |
policy/modules/system/userdomain.if | 4 ++++ |
3 files changed, 11 insertions(+) |
|
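diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index a8a83400..c7855fef 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -339,6 +339,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+ gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
 kerberos_manage_host_rcache(gssd_t)
 kerberos_read_keytab(gssd_t)
 kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")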
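Review bot: The new `gssproxy_stream_connect(gssd_t)` block has no supporting denial in the commit message — the only AVC quoted is for kernel_t, so the gssd_t rule (and likewise the `$1_t` rule in userdomain.if) reads as added by analogy rather than from an observed denial, and the description should say which. Closing the existing optional_policy block and opening a separate one for gssproxy is the right shape, because each interface is only available when its own module is built, so one block must not depend on both. The `')` on the first context line closes a block that begins before the hunk.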
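diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 685f3d0f..5877621b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
 rpc_tcp_rw_nfs_sockets(kernel_t)
 rpc_udp_rw_nfs_sockets(kernel_t)
 
+ optional_policy(`
+ gssproxy_stream_connect(kernel_t)
+ ')
+
 tunable_policy(`nfs_export_all_ro',`
 fs_getattr_noxattr_fs(kernel_t)
 fs_list_noxattr_fs(kernel_t)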
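Review bot: A one-line comment on the new block would tie it to the failure quoted in the description: as far as I understand the use-gss-proxy mechanism, writing to `/proc/net/rpc/use-gss-proxy` is what makes the kernel open its connection to `/run/gssproxy.sock`, so the EACCES on that write and the `connectto` denial for kernel_t are one event rather than two, and `# kernel connects to the gssproxy socket when use-gss-proxy is written` would stop the next reader from hunting for a missing proc-file rule. Nesting the call inside the rpc optional_policy block means it is only compiled in when the rpc module is present, which fits the use case — worth stating that this is intended. The enclosing optional_policy block begins before the hunk.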
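diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index dbfb33da..55512c04 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -726,6 +726,10 @@ template(`userdom_common_user_template',`
 ')
 
 optional_policy(`
+ gssproxy_stream_connect($1_t)
+ ')
+
+ optional_policy(`
 hwloc_exec_dhwd($1_t)
 hwloc_read_runtime_files($1_t)
 ')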
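Review bot: Placing `gssproxy_stream_connect($1_t)` in userdom_common_user_template gives every user domain derived from the template connect access to the gssproxy socket, which is much broader than the single kernel_t case the commit describes. If the intent is to serve user processes whose GSSAPI calls are handled through gssproxy, the template is the right location, but it would be safer as an opt-in — wrapping the call in a tunable_policy boolean, as the file already does elsewhere for conditional access — so hosts that only use gssproxy for the kernel do not expose the daemon's socket to all logged-in users by default. The template body begins before the hunk.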