commit: 22d7dd88e5e3463edc65c36b2262ab9a22746fd2
Author: Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Fri Jul 3 02:32:41 2020 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Wed Nov 2 14:07:22 2022 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=22d7dd88
radius: fixes for freeradius
* Add dac_read_search capability to radiusd_t
* Add getcap to radiusd_t process
Fixes:
avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=capability permissive=1
avc: denied { getcap } for pid=473 comm="radiusd"
scontext=system_u:system_r:radiusd_t
tcontext=system_u:system_r:radiusd_t tclass=process permissive=1
Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/services/radius.te | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/radius.te
b/policy/modules/services/radius.te
index e5d37e722..8ac766c39 100644
--- a/policy/modules/services/radius.te
+++ b/policy/modules/services/radius.te
@@ -32,9 +32,9 @@ files_type(radiusd_var_lib_t)
# Local policy
#
-allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid
sys_resource sys_tty_config };
+allow radiusd_t self:capability { chown dac_override dac_read_search fsetid
kill setgid setuid sys_resource sys_tty_config };
dontaudit radiusd_t self:capability sys_tty_config;
-allow radiusd_t self:process { getsched setrlimit setsched sigkill signal };
+allow radiusd_t self:process { getcap getsched setrlimit setsched sigkill
signal };
allow radiusd_t self:fifo_file rw_fifo_file_perms;
allow radiusd_t self:unix_stream_socket { accept listen };
allow radiusd_t self:tcp_socket { accept listen };
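Review bot: The `dac_read_search` added on the `+allow radiusd_t self:capability` line is granted on the strength of an AVC captured with `permissive=1`, and both denials in the message are silent about which file or directory radiusd was actually trying to reach, so it is not shown here that the access fails in enforcing mode. In the kernel's DAC check, read/search access tries `CAP_DAC_READ_SEARCH` before falling back to `CAP_DAC_OVERRIDE`, and `dac_override` is already in this rule; if that path applies, the denial is audit noise rather than a functional failure, and `dontaudit radiusd_t self:capability dac_read_search;` would quiet it without widening the domain. If the access is genuinely needed, a one-line comment above the rule naming the file radiusd reads (e.g. `# dac_read_search: radiusd reads <path> owned by another uid`) would let the next maintainer re-check whether a labelled file rule is the tighter fix. The `getcap` addition on `self:process` only lets the daemon read its own capability set and looks fine.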