commit: d48b64e4e796e7cfc218228e0bd94dcae87c862c
Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au>
AuthorDate: Fri Jun 13 09:50:43 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Jul 15 07:52:23 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d48b64e4
This patch removed the sysadmin capability from cups. This is the one change
needed to dramatically reduce the potential damage from a compromise of cupsd.
If we do need that capability then we should have a boolean for the cases where
it's needed.
Signed-off-by: Russell Coker <russell <AT> coker.com.au>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/services/cups.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/cups.te b/policy/modules/services/cups.te
index 92efa1898..2edccc75c 100644
--- a/policy/modules/services/cups.te
+++ b/policy/modules/services/cups.te
@@ -95,7 +95,7 @@ ifdef(`enable_mls',`
# Cups local policy
#
-allow cupsd_t self:capability { chown dac_override dac_read_search fowner
fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource
sys_tty_config };
+allow cupsd_t self:capability { chown dac_override dac_read_search fowner
fsetid ipc_lock kill setgid setuid sys_rawio sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { net_admin sys_tty_config };
allow cupsd_t self:capability2 { block_suspend wake_alarm };
allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
