commit:     70ca70457e34ca1d4a14d57bf953ef63eef324d2
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Nov  2 17:30:47 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov  5 06:38:35 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=70ca7045

gssproxy: Allow others to stream connect

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  
pid=25447 comm="gssproxy" path="/run/gssproxy.sock" 
scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 
tclass=unix_stream_socket permissive=0

 policy/modules/kernel/kernel.te     | 4 ++++
 policy/modules/roles/sysadm.te      | 4 ++++
 policy/modules/system/userdomain.if | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5d8404de..432fa86e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
        rpc_tcp_rw_nfs_sockets(kernel_t)
        rpc_udp_rw_nfs_sockets(kernel_t)
 
+       optional_policy(`
+               gssproxy_stream_connect(kernel_t)
+       ')
+
        tunable_policy(`nfs_export_all_ro',`
                fs_getattr_noxattr_fs(kernel_t)
                fs_list_noxattr_fs(kernel_t)
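Review bot: The new `gssproxy_stream_connect(kernel_t)` is nested inside an outer optional_policy block that opens before this hunk (the @@ context shows it, and the neighbouring rpc_*_nfs_sockets calls suggest it is the rpc block), so the connect permission only takes effect when that outer module is also loaded. That is presumably intended, since the kernel's use-gss-proxy upcall is part of the sunrpc path, but a later reader can easily mistake the nesting for a misplaced block and hoist it. A one-line why-comment above the inner block would pin the intent: `# sunrpc use-gss-proxy connects from kernel_t to /run/gssproxy.sock`. The enclosing optional_policy block starts outside the hunk.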

diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 47179088..407ca87f 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -455,6 +455,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+       gssproxy_admin(sysadm_t)
+')
+
+optional_policy(`
        hadoop_role(sysadm_r, sysadm_t)
 ')
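Review bot: `gssproxy_admin(sysadm_t)` grants sysadm_t the whole gssproxy admin interface, which is far broader than the single kernel_t connectto denial quoted in the commit message and is not covered by the title "Allow others to stream connect". The commit description should say that sysadm is being given management of the gssproxy daemon as well, so the extra privilege is not mistaken for part of the denial fix. It is also worth checking gssproxy.if for the interface's arity, since several *_admin calls in this file pass a role as a second argument (e.g. `hadoop_role(sysadm_r, sysadm_t)` directly below); if gssproxy_admin expects one, this call would need `gssproxy_admin(sysadm_t, sysadm_r)`.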
 

diff --git a/policy/modules/system/userdomain.if 
b/policy/modules/system/userdomain.if
index 178b5fb7..2f7afd72 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -686,6 +686,10 @@ template(`userdom_common_user_template',`
        ')
 
        optional_policy(`
+               gssproxy_stream_connect($1_t)
+       ')
+
+       optional_policy(`
                hwloc_exec_dhwd($1_t)
                hwloc_read_runtime_files($1_t)
        ')
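Review bot: `gssproxy_stream_connect($1_t)` inside userdom_common_user_template gives every user domain built from this template connect access to the gssproxy socket, yet the commit message only documents a kernel_t denial, so the justification for unprivileged users is missing. Presumably this is for the gssproxy GSSAPI interposer, where ordinary client processes talk to the daemon over the socket; if so, a comment on the new block would record that: `# gssproxy mechglue interposer: user GSSAPI clients connect to the daemon socket`. If it is only needed for specific clients, a narrower grant in their domains would be preferable to the common template. userdom_common_user_template starts before this hunk.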
