commit: 790a26f8e3601f0e6f0fc4e7a480ac7196b34567
Author: cgzones <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Jan 5 12:21:10 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 27 10:37:10 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=790a26f8
locallogin: adjustments
* do not grant permissions by negativ matching
* separate dbus from consolekit block for systemd
policy/modules/system/locallogin.te | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/system/locallogin.te
b/policy/modules/system/locallogin.te
index 174ba9f4..964239a4 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -33,8 +33,7 @@ role system_r types sulogin_t;
#
allow local_login_t self:capability { chown dac_override fowner fsetid kill
setgid setuid sys_nice sys_resource sys_tty_config };
-allow local_login_t self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execmem execstack execheap };
-allow local_login_t self:process { setrlimit setexec };
+allow local_login_t self:process { setexec setrlimit setsched };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
@@ -171,7 +170,9 @@ optional_policy(`
optional_policy(`
dbus_system_bus_client(local_login_t)
- consolekit_dbus_chat(local_login_t)
+ optional_policy(`
+ consolekit_dbus_chat(local_login_t)
+ ')
')
optional_policy(`
@@ -211,7 +212,6 @@ optional_policy(`
#
allow sulogin_t self:capability dac_override;
-allow sulogin_t self:process ~{ ptrace setcurrent setexec setfscreate
setrlimit execmem execstack execheap };
allow sulogin_t self:fd use;
allow sulogin_t self:fifo_file rw_fifo_file_perms;
allow sulogin_t self:unix_dgram_socket create_socket_perms;
