commit: 52e9add16fe67920ed2456ca26f555f63f4e16e8 Author: Russell Coker <russell <AT> coker <DOT> com <DOT> au> AuthorDate: Tue Oct 31 01:36:16 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Tue Oct 31 05:15:22 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=52e9add1
refpolicy and certs The following patch allows mon_t to set limits for it's children and removes cert_t labelling from CA public keys (that aren't secret) so that processes which only need to verify keys (EG https clients) don't need cert_t access. policy/modules/contrib/mon.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/contrib/mon.te b/policy/modules/contrib/mon.te index ab03877b..b00c0762 100644 --- a/policy/modules/contrib/mon.te +++ b/policy/modules/contrib/mon.te @@ -45,6 +45,8 @@ files_tmp_file(mon_tmp_t) allow mon_t self:fifo_file rw_fifo_file_perms; allow mon_t self:tcp_socket create_stream_socket_perms; +# for mailxmpp.alert to set ulimit +allow mon_t self:process setrlimit; domtrans_pattern(mon_t, mon_local_test_exec_t, mon_local_test_t)
