public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/, policy/modules/kernel/, policy/modules/system/
@ 2017-05-25 17:08 Jason Zaman
From: Jason Zaman @ 2017-05-25 17:08 UTC
  To: gentoo-commits

commit:     de8ad58a6a9103f443b733400d2f7980944bfcd0
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 07:30:55 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu May 25 17:03:59 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=de8ad58a

gssproxy: Allow others to stream connect

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0

 policy/modules/contrib/rpc.te       | 3 +++
 policy/modules/kernel/kernel.te     | 4 ++++
 policy/modules/system/userdomain.if | 4 ++++
 3 files changed, 11 insertions(+)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index a8a83400..c7855fef 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -339,6 +339,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
 	kerberos_manage_host_rcache(gssd_t)
 	kerberos_read_keytab(gssd_t)
 	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
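
Review bot: the gssproxy_stream_connect(gssd_t) added here is not backed by the quoted denial, which has scontext=system_u:system_r:kernel_t:s0 and says nothing about gssd_t; either state in the commit message why rpc.gssd also needs to reach /run/gssproxy.sock or hold this hunk until a gssd_t AVC is observed. Giving the call its own optional_policy block instead of folding it into the kerberos block below is correct, since the gssproxy and kerberos modules can be loaded independently.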

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 685f3d0f..5877621b 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
 	rpc_tcp_rw_nfs_sockets(kernel_t)
 	rpc_udp_rw_nfs_sockets(kernel_t)
 
+	optional_policy(`
+		gssproxy_stream_connect(kernel_t)
+	')
+
 	tunable_policy(`nfs_export_all_ro',`
 		fs_getattr_noxattr_fs(kernel_t)
 		fs_list_noxattr_fs(kernel_t)
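
Review bot: this is the hunk the quoted AVC actually justifies: the write to /proc/net/rpc/use-gss-proxy makes the kernel's sunrpc code connect to /run/gssproxy.sock on the caller's behalf, which is why the denial shows comm="gssproxy" but scontext kernel_t and tclass=unix_stream_socket with { connectto }, exactly what gssproxy_stream_connect(kernel_t) grants. Nesting the new optional_policy inside the existing rpc block is the right placement, as the upcall only exists when the rpc module is present; the commit message should say that this hunk fixes the denial and the other two are added alongside it, since it currently carries three hunks for one AVC.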

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index dbfb33da..55512c04 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -726,6 +726,10 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		gssproxy_stream_connect($1_t)
+	')
+
+	optional_policy(`
 		hwloc_exec_dhwd($1_t)
 		hwloc_read_runtime_files($1_t)
 	')
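
Review bot: gssproxy_stream_connect($1_t) inside userdom_common_user_template grants every common user domain connectto on the gssproxy socket, and nothing in the commit message (which quotes only a kernel_t denial) explains why; add the rationale or a denial from a user domain, and consider whether a grant this broad belongs behind a tunable rather than unconditionally in the shared template. Splitting it out into its own optional_policy instead of the hwloc block is right, since hwloc and gssproxy are unrelated modules.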

* [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/, policy/modules/kernel/, policy/modules/system/
@ 2017-09-10 14:03 Jason Zaman
From: Jason Zaman @ 2017-09-10 14:03 UTC
  To: gentoo-commits

commit:     61a9be757ac82bad3c2c01f4395a7720b317e008
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Thu Mar 30 07:30:55 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:53:30 2017 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=61a9be75

gssproxy: Allow others to stream connect

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0

 policy/modules/contrib/rpc.te       | 3 +++
 policy/modules/kernel/kernel.te     | 4 ++++
 policy/modules/system/userdomain.if | 4 ++++
 3 files changed, 11 insertions(+)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 970e5b31..b46d865f 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -339,6 +339,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gssproxy_stream_connect(gssd_t)
+')
+optional_policy(`
 	kerberos_manage_host_rcache(gssd_t)
 	kerberos_read_keytab(gssd_t)
 	kerberos_tmp_filetrans_host_rcache(gssd_t, file, "nfs_0")
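
Review bot: this hunk is the same as the rpc.te hunk of commit de8ad58a earlier in this thread (only the index line differs), and the kernel.te and userdomain.if hunks below likewise match that commit apart from the index lines and the userdomain.if hunk offset, so the review comments given there apply unchanged; the rebase did not revise the commit message, which still justifies only the kernel_t change and gives no rationale for gssd_t or $1_t.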

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 5d8404de..432fa86e 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
 	rpc_tcp_rw_nfs_sockets(kernel_t)
 	rpc_udp_rw_nfs_sockets(kernel_t)
 
+	optional_policy(`
+		gssproxy_stream_connect(kernel_t)
+	')
+
 	tunable_policy(`nfs_export_all_ro',`
 		fs_getattr_noxattr_fs(kernel_t)
 		fs_list_noxattr_fs(kernel_t)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 88fdb823..f93f946c 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -686,6 +686,10 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		gssproxy_stream_connect($1_t)
+	')
+
+	optional_policy(`
 		hwloc_exec_dhwd($1_t)
 		hwloc_read_runtime_files($1_t)
 	')
