rpms/selinux-policy
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Allow abrt_dump_oops_t to drop capabilities. bz(1391040)

Browse Source
This commit is contained in:
Lukas Vrabec 2016-11-04 12:22:28 +01:00
parent 2bb5c83b3d
commit 4011be7374
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
policy-rawhide-contrib.patch
View File

@ -589,7 +589,7 @@ index 058d908..ee0c559 100644
+') +')
+ +
diff --git a/abrt.te b/abrt.te diff --git a/abrt.te b/abrt.te
index eb50f07..a308065 100644 index eb50f07..3a70d84 100644
--- a/abrt.te --- a/abrt.te
+++ b/abrt.te +++ b/abrt.te
@@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1) @@ -6,11 +6,10 @@ policy_module(abrt, 1.4.1)
@ -1071,7 +1071,7 @@ index eb50f07..a308065 100644
-allow abrt_dump_oops_t self:capability dac_override; -allow abrt_dump_oops_t self:capability dac_override;
+allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid }; +allow abrt_dump_oops_t self:capability { kill net_admin sys_ptrace ipc_lock fowner chown fsetid dac_override setuid setgid };
+allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace }; +allow abrt_dump_oops_t self:cap_userns { kill sys_ptrace };
+allow abrt_dump_oops_t self:process setfscreate; +allow abrt_dump_oops_t self:process {setfscreate setcap};
allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms; allow abrt_dump_oops_t self:fifo_file rw_fifo_file_perms;
-allow abrt_dump_oops_t self:unix_stream_socket { accept listen }; -allow abrt_dump_oops_t self:unix_stream_socket { accept listen };
+allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms; +allow abrt_dump_oops_t self:unix_stream_socket create_stream_socket_perms;
@ -39922,14 +39922,14 @@ index ca020fa..d546e07 100644
+ kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t) + kdump_rw_inherited_kdumpctl_tmp_pipes(iscsid_t)
+') +')
diff --git a/isns.te b/isns.te diff --git a/isns.te b/isns.te
index bc11034..20a7f39 100644 index bc11034..3cda6e9 100644
--- a/isns.te --- a/isns.te
+++ b/isns.te +++ b/isns.te
@@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t) @@ -26,6 +26,7 @@ files_pid_file(isnsd_var_run_t)
allow isnsd_t self:capability kill; allow isnsd_t self:capability kill;
allow isnsd_t self:process signal; allow isnsd_t self:process signal;
allow isnsd_t self:fifo_file rw_fifo_file_perms; allow isnsd_t self:fifo_file rw_fifo_file_perms;
+allow isnsd_t self:tcp_socket { listen }; +allow isnsd_t self:tcp_socket { listen accept };
allow isnsd_t self:udp_socket { accept listen }; allow isnsd_t self:udp_socket { accept listen };
allow isnsd_t self:unix_stream_socket { accept listen }; allow isnsd_t self:unix_stream_socket { accept listen };