From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 14E8B1396D9 for ; Tue, 31 Oct 2017 05:40:21 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 75723E0EBE; Tue, 31 Oct 2017 05:40:19 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 4738EE0EBE for ; Tue, 31 Oct 2017 05:40:17 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id C35A0341708 for ; Tue, 31 Oct 2017 05:40:15 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 3535D9AD for ; Tue, 31 Oct 2017 05:40:14 +0000 (UTC) From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1509426922.52e9add16fe67920ed2456ca26f555f63f4e16e8.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/mon.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 52e9add16fe67920ed2456ca26f555f63f4e16e8 X-VCS-Branch: master Date: Tue, 31 Oct 2017 05:40:14 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: fd22df78-fb48-457c-90a0-47e7cc598aed X-Archives-Hash: 46f08e6551671f10f6315833091cdcde commit: 52e9add16fe67920ed2456ca26f555f63f4e16e8 Author: Russell Coker coker com au> AuthorDate: Tue Oct 31 01:36:16 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Tue Oct 31 05:15:22 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52e9add1 refpolicy and certs The following patch allows mon_t to set limits for it's children and removes cert_t labelling from CA public keys (that aren't secret) so that processes which only need to verify keys (EG https clients) don't need cert_t access. policy/modules/contrib/mon.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te index ab03877b..b00c0762 100644 --- a/policy/modules/contrib/mon.te +++ b/policy/modules/contrib/mon.te @@ -45,6 +45,8 @@ files_tmp_file(mon_tmp_t) allow mon_t self:fifo_file rw_fifo_file_perms; allow mon_t self:tcp_socket create_stream_socket_perms; +# for mailxmpp.alert to set ulimit +allow mon_t self:process setrlimit; domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)