commit: c988737ef7f93819a734d799b1b36e4eb5e3f0ee
Author: Amadeusz Sławiński <amade <AT> asmblr <DOT> net>
AuthorDate: Tue Oct 17 21:25:45 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Oct 29 13:57:28 2017 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=c988737e
allow dac_read_search along with dac_override
newer kernels check for dac_read_search first and only then for the broader
permissions which are allowed by dac_override
Signed-off-by: Amadeusz Sławiński <amade <AT> asmblr.net>
policy/modules/contrib/portage.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/portage.if
b/policy/modules/contrib/portage.if
index 637b0d0d..a81a4d0d 100644
--- a/policy/modules/contrib/portage.if
+++ b/policy/modules/contrib/portage.if
@@ -72,7 +72,7 @@ interface(`portage_compile_domain',`
type portage_tmp_t, portage_tmpfs_t;
')
- allow $1 self:capability { chown dac_override fowner fsetid mknod
net_raw setgid setuid };
+ allow $1 self:capability { chown dac_override dac_read_search fowner
fsetid mknod net_raw setgid setuid };
dontaudit $1 self:capability sys_chroot;
allow $1 self:process { transition signal_perms getsched setsched
getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure
siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate
getrlimit };
allow $1 self:fd use;
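Review bot: The added allow line records nothing about why dac_read_search now sits next to dac_override, so a later least-privilege cleanup could drop it as redundant and reintroduce the denial on newer kernels; I would put above the rule `# newer kernels check dac_read_search before falling back to dac_override; both are needed to avoid AVC denials`. The grant itself does not materially widen the domain: the DAC checks dac_read_search bypasses (file read, directory search) are already bypassed by dac_override, the one capability-specific addition being open_by_handle_at(2). The kernel ordering the commit message describes applies to every domain that holds dac_override, so other interfaces in this policy that list dac_override without dac_read_search are presumably affected in the same way, though none are visible in this hunk. The portage_compile_domain interface body starts before the hunk and continues after it.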