From: Russell Coker <russell@coker.com.au>
To: Jason Zaman <jason@perfinion.com>
Cc: Chris PeBenito <pebenito@ieee.org>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm
Date: Fri, 04 Jan 2019 18:06:35 +1100 [thread overview]
Message-ID: <7161443.mtQlH2pOMG@liv> (raw)
In-Reply-To: <20190103051614.GB19860@baraddur.perfinion.com>
On Thursday, 3 January 2019 4:16:14 PM AEDT Jason Zaman wrote:
> > > -allow consolekit_t self:capability { chown dac_override fowner setgid
> > > setuid sys_admin sys_nice sys_ptrace sys_tty_config }; +allow
> > > consolekit_t self:capability { chown dac_override dac_read_search
> > > fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };>
> > Since you're getting the dac_read_search denial, the dac_override
> > probably isn't necessary anymore. Can you retest without it?
>
> No, consolekit definitely needs dac_override. It needs to be able to
> nuke /run/user/1000/*. it perhaps doesnt need to read only nuke but i'd
> say grant the perm instead of dontaudit makes things easier if doing
> semodule -DB.
Thanks for that comment.
As an aside we might consider a policy of having all capabilities documented
in future. For the existing policy it's going to be an unpleasant task to
comment things. But for greenfields stuff I think it makes sense to require
it.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
prev parent reply other threads:[~2019-01-04 7:06 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-02 8:45 [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm Russell Coker
2019-01-03 0:07 ` Chris PeBenito
2019-01-03 5:16 ` Jason Zaman
2019-01-04 7:06 ` Russell Coker [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7161443.mtQlH2pOMG@liv \
--to=russell@coker.com.au \
--cc=jason@perfinion.com \
--cc=pebenito@ieee.org \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).