commit: cd882d60b804d24d79c12313a4e6f67c92af0485
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Wed Dec 6 17:06:03 2017 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Dec 12 07:06:26 2017 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=cd882d60

Allow domains using sysnet_dns_name_resolve() interface to access NSS mymachines files

If the machine is using the mymachines NSS module, the domain doing DNS
resolution should be able to access files under /run/systemd/machines/.

policy/modules/system/sysnetwork.if | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/system/sysnetwork.if
b/policy/modules/system/sysnetwork.if
index a20a2d46..53c806a5 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -751,6 +751,11 @@ interface(`sysnet_dns_name_resolve',`
optional_policy(`
nscd_use($1)
')
+
+ # This seems needed when the mymachines NSS module is used
+ optional_policy(`
+ systemd_read_machines($1)
+ ')
')
########################################
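
Review bot: The comment on the new optional_policy block ("This seems needed when the mymachines NSS module is used") is tentative and does not say what is being accessed, while the commit message does: files under /run/systemd/machines/. Please move that reason into the comment, for example "the mymachines NSS module reads files under /run/systemd/machines/ during name resolution", so the rule is auditable from the .if file alone. Also note that because systemd_read_machines($1) sits inside sysnet_dns_name_resolve, every domain passed as $1 picks up this read access whenever the systemd policy module is present, not only on hosts that actually use the NSS module. Neither the comment nor the commit message cites the denial that motivated the change, so it would help to record it, or to state that granting this to all resolving domains is intended.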