From: "Sven Vermeulen"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen"
Message-ID: <1408267948.8bb8af09473326d9b48783118f3f0694ef6b0ed0.swift@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/userdomain.if
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: swift
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: 8bb8af09473326d9b48783118f3f0694ef6b0ed0
X-VCS-Branch: master
Date: Sun, 17 Aug 2014 09:42:14 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 658d467e-dfde-49e9-88eb-31fb0f211d2a
X-Archives-Hash: 3a487baf1990c9fd91a05c36e7f27872

commit:     8bb8af09473326d9b48783118f3f0694ef6b0ed0
Author:     Sven Vermeulen siphos be>
AuthorDate: Sun Aug 17 09:32:28 2014 +0000
Commit:     Sven Vermeulen gentoo org>
CommitDate: Sun Aug 17 09:32:28 2014 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=8bb8af09

Add block_suspend to admin users

Administrative user domains often perform system tasks in their user domain (for instance sysadm_t). These tasks should be able to run-to-complete and should not be interrupted by suspend operations that might be scheduled.

Tasks that use the epoll() system might use the EPOLLWAKEUP flag to prevent suspends while epoll events are ready. This only works if CAP_BLOCK_SUSPEND is active (otherwise EPOLLWAKEUP is ignored).

---
 policy/modules/system/userdomain.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index f299e2e..5b26aef 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1243,6 +1243,8 @@ template(`userdom_admin_user_template',` ') ifdef(`distro_gentoo',` + # Grant block_suspend capability2 to administrators, this annoys the heck out of me + allow $1_t self:capability2 { block_suspend }; # Moved out of files_relabel_non_auth_files as it cannot be used in tunable_policy otherwise seutil_relabelto_bin_policy($1_t) ')
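Review bot: the added comment ("# Grant block_suspend capability2 to administrators, this annoys the heck out of me") records a personal gripe rather than the reason the rule exists; replace it with the rationale from the commit message (EPOLLWAKEUP is silently ignored unless the caller holds CAP_BLOCK_SUSPEND), so that readers of userdomain.if know why every admin domain built from userdom_admin_user_template holds a capability that lets a process keep the whole system from suspending. Since the rule is unconditional inside the distro_gentoo block, consider gating it with a tunable_policy so sites that do not want sysadm_t sessions able to veto suspend can turn it off, and since only one permission is listed the braces can go: `allow $1_t self:capability2 block_suspend;`.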
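The commit message describes the kernel behaviour the policy change is for: an epoll registration with EPOLLWAKEUP only holds off suspend while the caller has CAP_BLOCK_SUSPEND in its effective set. The following C program is an added example, not code from the commit or from refpolicy; it assumes Linux (/proc/self/status and the CapEff mask) and that CAP_BLOCK_SUSPEND is capability bit 36, and it shows how a task can check whether its EPOLLWAKEUP request will actually take effect or be silently dropped.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/epoll.h>
#include <sys/timerfd.h>

#ifndef CAP_BLOCK_SUSPEND
#define CAP_BLOCK_SUSPEND 36      /* assumed bit index of CAP_BLOCK_SUSPEND */
#endif
#ifndef EPOLLWAKEUP
#define EPOLLWAKEUP (1u << 29)    /* older headers lack the flag */
#endif

/* Parse a CapEff hex mask (as printed in /proc/self/status) and report
 * whether CAP_BLOCK_SUSPEND is present in the effective set. */
int capeff_has_block_suspend(const char *hexmask) {
    uint64_t mask = strtoull(hexmask, NULL, 16);   /* skips leading blanks */
    return (int)((mask >> CAP_BLOCK_SUSPEND) & 1u);
}

/* Read the calling process's own CapEff line; -1 if /proc is unavailable. */
int self_has_block_suspend(void) {
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256]; int result = -1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) { result = capeff_has_block_suspend(line + 7); break; }
    }
    fclose(f);
    return result;
}

/* Register fd with EPOLLWAKEUP. epoll_ctl() succeeds either way; the kernel
 * only honours the wakeup source if the caller holds CAP_BLOCK_SUSPEND. */
int register_wakeup(int epfd, int fd) {
    struct epoll_event ev = { .events = EPOLLIN | EPOLLWAKEUP, .data.fd = fd };
    return epoll_ctl(epfd, EPOLL_CTL_ADD, fd, &ev);
}

int main(void) {
    int cap = self_has_block_suspend();
    int epfd = epoll_create1(EPOLL_CLOEXEC);
    int tfd = timerfd_create(CLOCK_MONOTONIC, TFD_CLOEXEC);   /* constructed sample fd */
    if (epfd < 0 || tfd < 0 || register_wakeup(epfd, tfd) < 0) { perror("setup"); return 1; }
    printf("EPOLLWAKEUP registered; CAP_BLOCK_SUSPEND %s, so the flag %s\n",
           cap == 1 ? "held" : "not held", cap == 1 ? "takes effect" : "is ignored");
    close(tfd); close(epfd);
    return 0;
}
```

Run it once as an unprivileged user and once from a domain that has the new capability2 rule to see the difference in the reported state.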