commit: 05a1bdce8efe1b2c689f55e1f3018ff7df6de43d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05a1bdce
rpc: introduce allow_gssd_write_tmp boolean
gssd needs to be able to write the user's Kerberos tickets into the
credential (ticket) cache, which is stored in /tmp (e.g. /tmp/krb5cc_<uid>)
type=AVC msg=audit(1427206305.314:9914): avc: granted { read write
open } for pid=22562 comm="rpc.gssd" path="/tmp/krb5cc_1000"
dev="tmpfs" ino=327516 scontext=system_u:system_r:gssd_t
tcontext=staff_u:object_r:user_tmp_t tclass=file
policy/modules/contrib/rpc.te | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index d48a946..66f77ab 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
## <desc>
## <p>
+## Determine whether gssd can write
+## generic user temporary content.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_write_tmp, false)
+
+## <desc>
+## <p>
## Determine whether nfs can modify
## public files used for public file
## transfer services. Directories/Files must
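Review bot: The new `<desc>` at lines 24-25 says gssd can "write" user temporary content, but the tunable_policy block this boolean guards grants read and write (`userdom_rw_user_tmp_files`) plus directory listing, so the description understates what the boolean enables. It should also make clear that "generic user temporary content" means every user_tmp_t file, not only the Kerberos credential cache mentioned in the commit message, since that is what an administrator weighs before turning it on. Suggested wording: `## Determine whether gssd can read and write generic user temporary content (all user_tmp_t files, e.g. the Kerberos credential cache /tmp/krb5cc_<uid>).` The surrounding nfs description at lines 32-34 continues outside this hunk.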
@@ -313,6 +321,11 @@ tunable_policy(`allow_gssd_read_tmp',`
userdom_read_user_tmp_symlinks(gssd_t)
')
+tunable_policy(`allow_gssd_write_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_rw_user_tmp_files(gssd_t)
+')
+
optional_policy(`
automount_signal(gssd_t)
')
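Review bot: The new tunable_policy block (lines 38-41) grants gssd_t read/write on every user_tmp_t file, which is far broader than the single /tmp/krb5cc_<uid> cache in the AVC the commit cites; with the boolean enabled, a compromised rpc.gssd, a system domain, can read or modify any user's temporary files, including other users' credential caches. Because the boolean defaults to false (line 28) this is acceptable as an opt-in, but a least-privilege alternative would be to label the credential cache with a dedicated type through a file context for /tmp/krb5cc.* and grant gssd_t access to that type only; whether refpolicy already defines such a type is not visible from this hunk and would need checking. Note also that `userdom_rw_user_tmp_files` covers only reading and writing an existing file, which is all the cited AVC shows; if gssd must also create /tmp/krb5cc_<uid>, this block will still leave `create`/`add_name` denials. A one-line comment above the block, `# broad: rw on all user_tmp_t, not just krb5cc_*; keep off unless gssd must update user ccaches`, would record the trade-off for the next maintainer.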