author | Jason Zaman <jason@perfinion.com> | 2015-03-25 10:24:43 +0800 |
committer | Jason Zaman <jason@perfinion.com> | 2015-03-25 23:52:05 +0800 |
commit | 05a1bdce8efe1b2c689f55e1f3018ff7df6de43d (patch) | |
tree | fd8fc517e5aa21bc65ac3f2067af222f0b615120 | |
parent | git: make inetd interface optional (diff) | |
rpc: introduce allow_gssd_write_tmp boolean
gssd needs to be able to write the user's Kerberos token
into the ticket cache, which is stored in /tmp
type=AVC msg=audit(1427206305.314:9914): avc: granted { read write
open } for pid=22562 comm="rpc.gssd" path="/tmp/krb5cc_1000"
dev="tmpfs" ino=327516 scontext=system_u:system_r:gssd_t
tcontext=staff_u:object_r:user_tmp_t tclass=file
-rw-r--r-- | policy/modules/contrib/rpc.te | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index d48a94670..66f77abb9 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
 
 ## <desc>
 ## <p>
+## Determine whether gssd can write
+## generic user temporary content.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_write_tmp, false)
+
+## <desc>
+## <p>
 ## Determine whether nfs can modify
 ## public files used for public file
 ## transfer services. Directories/Files must
@@ -313,6 +321,11 @@ tunable_policy(`allow_gssd_read_tmp',`
 userdom_read_user_tmp_symlinks(gssd_t)
 ')
 
+tunable_policy(`allow_gssd_write_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_rw_user_tmp_files(gssd_t)
+')
+
 optional_policy(`
 automount_signal(gssd_t)
 ') |
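Review bot: The `userdom_rw_user_tmp_files(gssd_t)` call in the second hunk grants read/write on every user_tmp_t file, not just the krb5cc_* ticket caches the commit message motivates it with, so the boolean is noticeably broader than the AVC it answers. The `<desc>` added in the first hunk should state that scope so an administrator enabling it understands what is opened up, e.g. `## Determine whether gssd can read and write` / `## all generic user temporary content, such as` / `## Kerberos ticket caches stored in /tmp.`. It also appears that only read/write/open-style access is granted and not create (inferred from the interface name and the AVC, which lists only read, write and open), so a ticket cache that does not yet exist would still be denied; if that is intended, a one-line comment above the tunable_policy block saying so would save the next reader a trip through the audit log.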