commit: 74986b6148745779596c8604e6f6e489a2c89c13 Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be> AuthorDate: Sun Nov 23 12:46:08 2014 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Sun Nov 23 12:46:08 2014 +0000 URL: http://sources.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=74986b61
OpenRC cgroup helper requires dac_override privilege Managing and updating cgroups through the kernel-invoked openrc cgroup helper has the helper run under root privileges, but accessing files (reading mostly) that are owned by a different user.
---
 policy/modules/contrib/openrc.te | 1 +
 1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/openrc.te b/policy/modules/contrib/openrc.te
index bf5a336..91afb6e 100644
--- a/policy/modules/contrib/openrc.te
+++ b/policy/modules/contrib/openrc.te
@@ -13,6 +13,7 @@ role system_r types openrc_cgroup_release_t;
 # OpenRC cgroup release policy
 #
+allow openrc_cgroup_release_t self:capability dac_override;
 allow openrc_cgroup_release_t self:unix_stream_socket create_socket_perms;
 kernel_domtrans_to(openrc_cgroup_release_t, openrc_cgroup_release_exec_t)
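Review bot: The added `allow openrc_cgroup_release_t self:capability dac_override;` lets the helper bypass all DAC read, write and execute checks, while the commit message describes the need as mostly reading files owned by another user. If the AVC denials show that no write access is involved, `allow openrc_cgroup_release_t self:capability dac_read_search;` would be the narrower grant; if writes are really needed, keep dac_override but record which files they are. The rule also carries no comment in the policy, so a line such as `# Helper runs as root on cgroup files owned by other users` above it would keep the reason next to the grant. How far the capability reaches still depends on the file-type rules for this domain, which are outside the hunk.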
