commit: 770ab52d286978f77fc9ebc650cbf0a8f04663ce Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> AuthorDate: Wed Jul 15 13:44:53 2015 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Wed Jul 15 13:44:53 2015 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=770ab52d
Fix avc_context_to_raw assertion in su domains (bug #554080) Although earlier investigations on the same matter [1] did not result in a good fix (it seemed that the permissions were needed for the wrong reasons, but would most likely require a fix in either the application that is SELinux-aware or in how the permissions are handled). It does not look like we will see a proper solution in the near future. [1] http://oss.tresys.com/pipermail/refpolicy/2014-April/007058.html So allow the permissions (without write / send/recv_msg) to allow su domains to go forward. X-Gentoo-Bug: 554080 X-Gentoo-Bug-URL: https://bugs.gentoo.org/show_bug.cgi?id=554080 policy/modules/admin/su.if | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if index aea8a4f..a069cb8 100644 --- a/policy/modules/admin/su.if +++ b/policy/modules/admin/su.if @@ -119,6 +119,8 @@ template(`su_restricted_domain_template', ` ') ifdef(`distro_gentoo',` + # Fix bug 554080 - Allow su to query SELinux subsystem (netlink_selinux_socket) + allow $1_su_t self:netlink_selinux_socket { create bind read }; selinux_get_fs_mount($1_su_t) ') ')
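Review bot: The inline comment on the added `allow $1_su_t self:netlink_selinux_socket { create bind read };` line should record that `write`, `sendmsg` and `recvmsg` are omitted on purpose, since the commit message states that restriction but the comment in the hunk only says "Allow su to query SELinux subsystem"; without that note, a later reader chasing the remaining AVC denials is likely to widen the permission set and undo the deliberate limit to the read-only subset. A second point: this is a raw `allow` placed directly in the admin module's `ifdef(`distro_gentoo',` block, whereas the neighbouring `selinux_get_fs_mount($1_su_t)` line follows the refpolicy convention of granting selinux-related access through an interface; if no existing interface covers `netlink_selinux_socket { create bind read }`, consider adding one so the Gentoo-specific rule stays in the same style and can be reused by other SELinux-aware domains that hit the same avc_context_to_raw assertion. Finally, the comment could carry the upstream thread reference from the commit message (the refpolicy 2014-April discussion) so the reason this is Gentoo-only rather than an upstream fix stays visible in the policy source.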
