Allow abrt_dump_oops_t to drop capabilities. bz(1391040)
parent
2bb5c83b3d
commit
4011be7374
@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
|
||||
+')
|
||||
+
|
||||
diff --git a/abrt.te b/abrt.te
|
||||
index eb50f07..a308065 100644
|
||||
index eb50f07..3a70d84 100644
|
||||
--- a/abrt.te
|
||||
+++ b/abrt.te
|
||||
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
|
||||
@ -1071,7 +1071,7 @@ index eb50f07..a308065 100644
|
||||
-allow abrt_dump_oops_t self:capability dac_override;
|
||||
+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid };
|
||||
+allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace };
|
||||
+allow abrt_dump_oops_t self:process setfscreate;
|
||||
+allow abrt_dump_oops_t self:process {setfscreate setcap};
|
||||
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
|
||||
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
|
||||
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
|
||||
@ -39922,14 +39922,14 @@ index ca020fa..d546e07 100644
|
||||
+ kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t)
|
||||
+')
|
||||
diff --git a/isns.te b/isns.te
|
||||
index bc11034..20a7f39 100644
|
||||
index bc11034..3cda6e9 100644
|
||||
--- a/isns.te
|
||||
+++ b/isns.te
|
||||
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
|
||||
allow isnsd_t self:capability kill;
|
||||
allow isnsd_t self:process signal;
|
||||
allow isnsd_t self:fifo_file rw_fifo_file_perms;
|
||||
+allow isnsd_t self:tcp_socket { listen };
|
||||
+allow isnsd_t self:tcp_socket { listen accept };
|
||||
allow isnsd_t self:udp_socket { accept listen };
|
||||
allow isnsd_t self:unix_stream_socket { accept listen };
|
||||
|
||||
|
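Review bot: The new `allow abrt_dump_oops_t self:process {setfscreate setcap};` rule in the abrt.te hunk grants `setcap` with no comment saying why, and its braces lack the inner spaces used by the neighbouring `{ kill sys_ptrace }` rules. I would write it as `allow abrt_dump_oops_t self:process { setfscreate setcap };` preceded by a comment such as `# setcap: needed to drop capabilities via capset(), bz(1391040)`. The `self:capability` rule above it still allows the full set (`dac_override`, `setuid`, `setgid`, `sys_ptrace`, `net_admin`, ...), so the policy does not itself become narrower once the process drops capabilities; if only a subset is kept at runtime, that list looks like a candidate for trimming in a follow-up. The isns.te hunk also adds `accept` to `isnsd_t self:tcp_socket`, which the commit title does not mention; it would be easier to audit as its own commit, written `{ accept listen }` to match the udp_socket and unix_stream_socket rules below it.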