commit:     814a47ac343732aacb70ae6440c3f5b4a4f479f6
Author:     Chris PeBenito <pebenito <AT> ieee <DOT> org>
AuthorDate: Sun Aug 14 18:51:42 2016 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Wed Aug 17 16:22:44 2016 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=814a47ac

Update the sysnetwork module to add some permissions needed by the dhcp client 
(another separate patch makes changes to the ifconfig part).

Create auxiliary interfaces in the ntp module.

The permission to execute restorecon/setfiles (required by the
dhclient-script script and granted in a previous version of this
patch) is not granted, as it does not break the script functioning.

Include revisions from Chris PeBenito.

Signed-off-by: Guido Trentalancia <guido <AT> trentalancia.net>

 policy/modules/system/sysnetwork.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te 
b/policy/modules/system/sysnetwork.te
index 287d2fd..c67494e 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -130,9 +130,11 @@ files_search_home(dhcpc_t)
 files_search_var_lib(dhcpc_t)
 files_dontaudit_search_locks(dhcpc_t)
 files_getattr_generic_locks(dhcpc_t)
+files_manage_var_files(dhcpc_t)
 
 fs_getattr_all_fs(dhcpc_t)
 fs_search_auto_mountpoints(dhcpc_t)
+fs_search_cgroup_dirs(dhcpc_t)
 
 term_dontaudit_use_all_ttys(dhcpc_t)
 term_dontaudit_use_all_ptys(dhcpc_t)
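Review bot: The added files_manage_var_files(dhcpc_t) line gives the DHCP client domain manage access to generic var files, which is broad, and the commit message only says "some permissions needed by the dhcp client" without naming the file or the denial that motivated it. Please state which path requires it and consider a dedicated type for that file rather than manage rights on the generic type. The same goes for fs_search_cgroup_dirs(dhcpc_t): a one-line comment on what in the client searches cgroup directories would help, along with whether a dontaudit rule would be enough.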
@@ -227,6 +229,7 @@ optional_policy(`
 optional_policy(`
        ntp_initrc_domtrans(dhcpc_t)
        ntp_read_drift_files(dhcpc_t)
+       ntp_read_conf_files(dhcpc_t)
 ')
 
 optional_policy(`
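Review bot: The new ntp_read_conf_files(dhcpc_t) call depends on an interface that this patch does not define: the message says "Create auxiliary interfaces in the ntp module", but the diffstat lists only policy/modules/system/sysnetwork.te with 3 insertions. Please confirm the ntp module change that adds ntp_read_conf_files is already in the tree or is applied before this one, and reference it in the commit message so the two are not separated when cherry-picking.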
