From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1427298725.05a1bdce8efe1b2c689f55e1f3018ff7df6de43d.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/contrib/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/contrib/rpc.te
X-VCS-Directories: policy/modules/contrib/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: 05a1bdce8efe1b2c689f55e1f3018ff7df6de43d
X-VCS-Branch: next
Date: Wed, 25 Mar 2015 16:01:18 +0000 (UTC)
Precedence: bulk
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Archives-Salt: 6630039a-d271-4ede-a9b1-8e27d28688ec
X-Archives-Hash: 6f278efdb46496e788569e2defda3c08
Message-ID: <20150325160118.CYplJ7xU8J1TQpQ13ft-8Psiymku0tqilI-gG6bUe-0@z>

commit:     05a1bdce8efe1b2c689f55e1f3018ff7df6de43d
Author:     Jason Zaman perfinion com>
AuthorDate: Wed Mar 25 02:24:43 2015 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Wed Mar 25 15:52:05 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=05a1bdce

rpc: introduce allow_gssd_write_tmp boolean

gssd needs to be able to write the user's Kerberos token into the ticket
cache which is stored in /tmp

type=AVC msg=audit(1427206305.314:9914): avc: granted { read write open } for pid=22562 comm="rpc.gssd" path="/tmp/krb5cc_1000" dev="tmpfs" ino=327516 scontext=system_u:system_r:gssd_t tcontext=staff_u:object_r:user_tmp_t tclass=file

 policy/modules/contrib/rpc.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te index d48a946..66f77ab 100644 --- a/policy/modules/contrib/rpc.te +++ b/policy/modules/contrib/rpc.te @@ -15,6 +15,14 @@ gen_tunable(allow_gssd_read_tmp, false) ## ##

+## Determine whether gssd can write +## generic user temporary content. +##

+##
+gen_tunable(allow_gssd_write_tmp, false) + +## +##

## Determine whether nfs can modify ## public files used for public file ## transfer services. Directories/Files must @@ -313,6 +321,11 @@ tunable_policy(`allow_gssd_read_tmp',` userdom_read_user_tmp_symlinks(gssd_t) ') +tunable_policy(`allow_gssd_write_tmp',` + userdom_list_user_tmp(gssd_t) + userdom_rw_user_tmp_files(gssd_t) +') + optional_policy(` automount_signal(gssd_t) ')
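Review bot: the description added for allow_gssd_write_tmp in the first hunk ("Determine whether gssd can write generic user temporary content") understates what the boolean actually grants: the matching tunable_policy block uses userdom_rw_user_tmp_files, which gives read as well as write on every user_tmp_t file, so enabling this boolean alone is at least as permissive as allow_gssd_read_tmp and is not limited to the /tmp/krb5cc_* credential cache that motivated the change. Suggest saying so in the description, e.g. "Determine whether gssd can read and write generic user temporary content, such as Kerberos credential caches in /tmp", so that an administrator does not treat write_tmp as the narrower of the two.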
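Review bot: the new allow_gssd_write_tmp block in the second hunk grants userdom_list_user_tmp and userdom_rw_user_tmp_files but not userdom_read_user_tmp_symlinks(gssd_t), which the allow_gssd_read_tmp block directly above it does grant, so a credential cache reached through a symlink in /tmp only works when both booleans are on; either add the symlink interface here or state in the description that this tunable is meant to be enabled together with allow_gssd_read_tmp. Also, userdom_rw_user_tmp_files covers the { read write open } in the quoted AVC but not create or unlink, so gssd can only update a cache file that already exists; if creating a fresh krb5cc_* file is deliberately out of scope, a sentence in the commit message saying so would save the next person from chasing that denial.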
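As an added example (not part of this commit or of refpolicy), the following Python classifier parses AVC records like the one quoted in the commit message and reports which of the two rpc tunables in this file would cover each record. The permission sets assigned to each tunable are assumptions inferred from the tunable names and the userdom_rw_user_tmp_files interface used in the patch; the sample records other than the quoted one are constructed. Verify the real sets against your built policy with sesearch, e.g. `sesearch -A -s gssd_t -t user_tmp_t -c file`.

```python
"""Map SELinux AVC records for rpc.gssd against the rpc tunables in rpc.te.

Added example, not code from the hardened-refpolicy commit.  The permission
sets attributed to each tunable below are ASSUMPTIONS drawn from the
interface names (a read-only userdom interface for allow_gssd_read_tmp,
userdom_rw_user_tmp_files for allow_gssd_write_tmp); check them with
sesearch on the policy you actually run.
"""
import re

# Constructed sample audit records.  The first is the record quoted in the
# commit message; the other three are made up to exercise the classifier.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1427206305.314:9914): avc: granted { read write open } '
    'for pid=22562 comm="rpc.gssd" path="/tmp/krb5cc_1000" dev="tmpfs" ino=327516 '
    'scontext=system_u:system_r:gssd_t tcontext=staff_u:object_r:user_tmp_t tclass=file',
    'type=AVC msg=audit(1427206400.001:9920): avc: denied { read open } '
    'for pid=22562 comm="rpc.gssd" path="/tmp/krb5cc_1001" dev="tmpfs" ino=327520 '
    'scontext=system_u:system_r:gssd_t tcontext=user_u:object_r:user_tmp_t tclass=file permissive=0',
    'type=AVC msg=audit(1427206401.002:9921): avc: denied { create } '
    'for pid=22562 comm="rpc.gssd" name="krb5cc_1002" '
    'scontext=system_u:system_r:gssd_t tcontext=system_u:object_r:user_tmp_t tclass=file permissive=0',
    'type=AVC msg=audit(1427206402.003:9922): avc: denied { write } '
    'for pid=4321 comm="sshd" path="/tmp/foo" '
    'scontext=system_u:system_r:sshd_t tcontext=user_u:object_r:user_tmp_t tclass=file permissive=0',
]

# Matches the fields we need from a kernel AVC record: result, permission
# set, source/target contexts and object class.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

# ASSUMPTION: file permissions each tunable's interface allows on user_tmp_t.
# Ordered from least to most privileged so the first match is the narrowest.
TUNABLES = {
    "allow_gssd_read_tmp":  {"getattr", "open", "read", "ioctl", "lock"},
    "allow_gssd_write_tmp": {"getattr", "open", "read", "write", "append", "ioctl", "lock"},
}


def parse_avc(line):
    """Return result, perms (set), source type, target type and tclass, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        # context is user:role:type[:level]; the type is the third field
        "stype": m.group("scontext").split(":")[2],
        "ttype": m.group("tcontext").split(":")[2],
        "tclass": m.group("tclass"),
    }


def matching_tunable(avc):
    """Name the narrowest tunable whose assumed permissions cover the record, else None."""
    if avc is None:
        return None
    if avc["stype"] != "gssd_t" or avc["ttype"] != "user_tmp_t" or avc["tclass"] != "file":
        return None
    for name, allowed in TUNABLES.items():
        if avc["perms"] <= allowed:
            return name
    return None  # e.g. create/unlink: neither tunable grants it


def classify(lines):
    """Map each audit line to the tunable that would cover it (None if none does)."""
    return [matching_tunable(parse_avc(line)) for line in lines]


if __name__ == "__main__":
    for line, tunable in zip(SAMPLE_AVCS, classify(SAMPLE_AVCS)):
        print(f"{tunable or 'no tunable covers this':<28} {line[:70]}...")
```

The third sample is the interesting one: a create denial on a new krb5cc_* file is not covered by either boolean, because the rw interface grants read/write on existing files only, so the script reports it as uncovered instead of suggesting a boolean that would not fix it.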