From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-786097-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
by finch.gentoo.org (Postfix) with ESMTP id 544D3138CCB
for <garchives@archives.gentoo.org>; Wed, 25 Mar 2015 16:01:26 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
by pigeon.gentoo.org (Postfix) with SMTP id 5839AE07F1;
Wed, 25 Mar 2015 16:01:25 +0000 (UTC)
Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by pigeon.gentoo.org (Postfix) with ESMTPS id A9634E07F1
for <gentoo-commits@lists.gentoo.org>; Wed, 25 Mar 2015 16:01:24 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by smtp.gentoo.org (Postfix) with ESMTPS id 0EF5B340960
for <gentoo-commits@lists.gentoo.org>; Wed, 25 Mar 2015 16:01:22 +0000 (UTC)
Received: from localhost.localdomain (localhost [127.0.0.1])
by oystercatcher.gentoo.org (Postfix) with ESMTP id 79D7D1483D
for <gentoo-commits@lists.gentoo.org>; Wed, 25 Mar 2015 16:01:18 +0000 (UTC)
From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" <perfinion@gentoo.org>
Message-ID: <1427298725.05a1bdce8efe1b2c689f55e1f3018ff7df6de43d.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/rpc.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 05a1bdce8efe1b2c689f55e1f3018ff7df6de43d
X-VCS-Branch: next
Date: Wed, 25 Mar 2015 16:01:18 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 6630039a-d271-4ede-a9b1-8e27d28688ec
X-Archives-Hash: 6f278efdb46496e788569e2defda3c08
Message-ID: <20150325160118.CYplJ7xU8J1TQpQ13ft-8Psiymku0tqilI-gG6bUe-0@z>
commit: 05a1bdce8efe1b2c689f55e1f3018ff7df6de43d
Author: Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Wed Mar 25 02:24:43 2015 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05a1bdce
rpc: introduce allow_gssd_write_tmp boolean
gssd needs to be able to write the user's kerberos token
into the ticket cache which is stored in /tmp
type=AVC msg=audit(1427206305.314:9914): avc: granted { read write
open } for pid=22562 comm="rpc.gssd" path="/tmp/krb5cc_1000"
dev="tmpfs" ino=327516 scontext=system_u:system_r:gssd_t
tcontext=staff_u:object_r:user_tmp_t tclass=file
policy/modules/contrib/rpc.te | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index d48a946..66f77ab 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false)
## <desc>
## <p>
+## Determine whether gssd can write
+## generic user temporary content.
+## </p>
+## </desc>
+gen_tunable(allow_gssd_write_tmp, false)
+
+## <desc>
+## <p>
## Determine whether nfs can modify
## public files used for public file
## transfer services. Directories/Files must
@@ -313,6 +321,11 @@ tunable_policy(`allow_gssd_read_tmp',`
userdom_read_user_tmp_symlinks(gssd_t)
')
+tunable_policy(`allow_gssd_write_tmp',`
+ userdom_list_user_tmp(gssd_t)
+ userdom_rw_user_tmp_files(gssd_t)
+')
+
optional_policy(`
automount_signal(gssd_t)
')