From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1667398042.22d7dd88e5e3463edc65c36b2262ab9a22746fd2.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/radius.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 22d7dd88e5e3463edc65c36b2262ab9a22746fd2
X-VCS-Branch: master
Date: Wed, 2 Nov 2022 14:42:52 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 79679f8a-a4b7-47e8-99ac-aa92cbbd2eba
X-Archives-Hash: 35fc0f4a4b323bb95f84eb7cc4bc4a4f

commit:     22d7dd88e5e3463edc65c36b2262ab9a22746fd2
Author:     Yi Zhao windriver com>
AuthorDate: Fri Jul  3 02:32:41 2020 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Wed Nov  2 14:07:22 2022 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=22d7dd88

radius: fixes for freeradius

* Add dac_read_search capability to radiusd_t
* Add getcap to radiusd_t process

Fixes:
avc: denied { dac_read_search } for pid=473 comm="radiusd" capability=2 scontext=system_u:system_r:radiusd_t tcontext=system_u:system_r:radiusd_t tclass=capability permissive=1
avc: denied { getcap } for pid=473 comm="radiusd" scontext=system_u:system_r:radiusd_t tcontext=system_u:system_r:radiusd_t tclass=process permissive=1

Signed-off-by: Yi Zhao windriver.com>
Signed-off-by: Kenton Groombridge gentoo.org>

 policy/modules/services/radius.te | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/radius.te b/policy/modules/services/radius.te index e5d37e722..8ac766c39 100644 --- a/policy/modules/services/radius.te +++ b/policy/modules/services/radius.te @@ -32,9 +32,9 @@ files_type(radiusd_var_lib_t) # Local policy # -allow radiusd_t self:capability { chown dac_override fsetid kill setgid setuid sys_resource sys_tty_config }; +allow radiusd_t self:capability { chown dac_override dac_read_search fsetid kill setgid setuid sys_resource sys_tty_config }; dontaudit radiusd_t self:capability sys_tty_config; -allow radiusd_t self:process { getsched setrlimit setsched sigkill signal }; +allow radiusd_t self:process { getcap getsched setrlimit setsched sigkill signal }; allow radiusd_t self:fifo_file rw_fifo_file_perms; allow radiusd_t self:unix_stream_socket { accept listen }; allow radiusd_t self:tcp_socket { accept listen };
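Review bot: the first changed line grants dac_read_search to a domain that already holds dac_override on the same line, so this adds no privilege (dac_read_search only bypasses read and search DAC checks, a strict subset of what dac_override already bypasses); the denial shows up because for directory read/search the kernel tries CAP_DAC_READ_SEARCH before falling back to CAP_DAC_OVERRIDE, and the first miss is what gets audited. Worth stating that in the commit message so the next reader does not take the AVC as evidence of a new access need. On the same hunk, the unchanged context line `dontaudit radiusd_t self:capability sys_tty_config;` is redundant with the allow directly above it, which already lists sys_tty_config both before and after this change; consider dropping the dontaudit in a follow-up. The getcap addition to self:process is fine: it only lets radiusd read its own capability set, and the permission list stays in alphabetical order.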