* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/, policy/modules/kernel/, policy/modules/contrib/
@ 2017-03-30 17:09 Jason Zaman
From: Jason Zaman @ 2017-03-30 17:09 UTC
To: gentoo-commits
commit: afdf0aec496a794732bd8e6d84f6fbb2adab985e
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 07:30:55 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Mar 30 16:50:40 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=afdf0aec
gssproxy: Allow others to stream connect
kernel AVC:
* Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
* start-stop-daemon: failed to start `gssproxy'
type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
policy/modules/contrib/rpc.te | 3 +++
policy/modules/kernel/kernel.te | 4 ++++
policy/modules/system/userdomain.if | 4 ++++
3 files changed, 11 insertions(+)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 0b9a71fc..5dd5d781 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -339,6 +339,9 @@ optional_policy(`
')
optional_policy(`
+ gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
kerberos_manage_host_rcache(gssd_t)
kerberos_read_keytab(gssd_t)
kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
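Review bot: The gssd_t addition in this hunk is not covered by the commit message, which only quotes the kernel_t denial; a short note in the message that rpc.gssd also has to reach the gssproxy socket (or the corresponding AVC) would make the change self-documenting. Placement is fine: the new block keeps the optional_policy blocks in alphabetical order (gssproxy before kerberos) and stays a separate block, so a missing gssproxy module does not take the kerberos rules with it.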
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 034d6a0b..0f82fda9 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -416,6 +416,10 @@ optional_policy(`
rpc_tcp_rw_nfs_sockets(kernel_t)
rpc_udp_rw_nfs_sockets(kernel_t)
+ optional_policy(`
+ gssproxy_stream_connect(kernel_t)
+ ')
+
tunable_policy(`nfs_export_all_ro',`
fs_getattr_noxattr_fs(kernel_t)
fs_list_noxattr_fs(kernel_t)
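Review bot: This is the hunk that actually resolves the quoted AVC (connectto on /run/gssproxy.sock from kernel_t to gssproxy_t, triggered by the write to /proc/net/rpc/use-gss-proxy). Nesting the new optional_policy inside the existing rpc block in kernel.te means the permission is only granted when the rpc module is loaded, which matches the use case (the kernel only talks to gssproxy for RPC/NFS GSS handling); worth a one-line comment above the block saying so, since a reader seeing an unrelated gssproxy interface inside the rpc block may otherwise move it out.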
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 50100dd1..915e363e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -700,6 +700,10 @@ template(`userdom_common_user_template',`
')
optional_policy(`
+ gssproxy_stream_connect($1_t)
+ ')
+
+ optional_policy(`
hwloc_exec_dhwd($1_t)
hwloc_read_runtime_files($1_t)
')
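Review bot: The userdomain.if hunk grants gssproxy_stream_connect to every domain built from userdom_common_user_template, but nothing in the commit message motivates a change to user domains (the only denial shown is for kernel_t). Either record the rationale in the message (which user-side program needs to reach the gssproxy socket) or consider gating this behind a tunable, as the template otherwise extends the attack surface of the gssproxy socket to all common user domains unconditionally. Splitting the existing hwloc block to insert a separate optional_policy is the right shape, as in the rpc.te hunk.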