authorJason Zaman <jason@perfinion.com>2015-03-25 10:24:44 +0800
committerJason Zaman <jason@perfinion.com>2015-03-25 23:52:05 +0800
commitdf65cfff17b72258446578aafe99edac7ea237bd (patch)
tree95658f49786d4d8c25eda74f327eb4330857e80b
parentrpc: introduce allow_gssd_write_tmp boolean (diff)
rpc: allow setgid capability
rpc.gssd needs to be able to setgid; otherwise mounting a kerberized NFS share fails with "permission denied".

errors:
rpc.gssd[22887]: WARNING: unable to drop supplimentary groups!
rpc.gssd[22887]: WARNING: failed to change identity: Operation not permitted

denials:
type=AVC msg=audit(1427206637.030:9956): avc: denied { setgid } for pid=22887 comm="rpc.gssd" capability=6 scontext=system_u:system_r:gssd_t tcontext=system_u:system_r:gssd_t tclass=capability permissive=0
type=SYSCALL msg=audit(1427206637.030:9956): arch=c000003e syscall=116 success=no exit=-1 a0=0 a1=0 a2=5111a30e20 a3=31fc5672090 items=0 ppid=22763 pid=22887 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=2 comm="rpc.gssd" exe="/usr/sbin/rpc.gssd" subj=system_u:system_r:gssd_t key=(null)
-rw-r--r--policy/modules/contrib/rpc.te2
1 files changed, 1 insertions, 1 deletions
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 66f77abb9..cf4d1fc21 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -282,7 +282,7 @@ optional_policy(`
# GSSD local policy
#
-allow gssd_t self:capability { dac_override dac_read_search setuid sys_nice };
+allow gssd_t self:capability { dac_override dac_read_search setuid setgid sys_nice };
allow gssd_t self:process { getsched setsched };
allow gssd_t self:fifo_file rw_fifo_file_perms;