Don't audit blocked /var/lib/sss access
This commit is contained in:
parent
091c817631
commit
db9c92603f
@ -1,17 +1,18 @@
diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
--- ./contrib/selinux/cjdns.te.selinux 2018-01-30 19:04:59.000000000 -0500
--- ./contrib/selinux/cjdns.te.selinux 2019-05-02 04:02:32.000000000 -0400
+++ ./contrib/selinux/cjdns.te 2018-03-05 01:15:40.302169785 -0500
+++ ./contrib/selinux/cjdns.te 2019-08-15 22:23:18.807845457 -0400
@@ -7,8 +7,8 @@ require {
@@ -7,8 +7,9 @@ require {
type port_t;
type port_t;
type unreserved_port_t;
type unreserved_port_t;
type tmp_t;
type tmp_t;
- type kernel_t;
- type kernel_t;
type passwd_file_t;
type passwd_file_t;
+ type net_conf_t;
+ type net_conf_t;
+ type sssd_var_lib_t;
}
}
type cjdns_t;
type cjdns_t;
@@ -17,24 +17,24 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
@@ -17,24 +18,26 @@ init_daemon_domain(cjdns_t,cjdns_exec_t)
#============= cjdns_t ==============
#============= cjdns_t ==============
# Let master process run further restricted subprocess
# Let master process run further restricted subprocess
@ -23,6 +24,8 @@ diff -up ./contrib/selinux/cjdns.te.selinux ./contrib/selinux/cjdns.te
-allow cjdns_t kernel_t:system module_request;
-allow cjdns_t kernel_t:system module_request;
# translate username to uid
# translate username to uid
allow cjdns_t passwd_file_t:file { read getattr open };
allow cjdns_t passwd_file_t:file { read getattr open };
+# should not need sssd to lookup uid for local uid
+dontaudit cjdns_t sssd_var_lib_t:dir search;
+# translate host names
+# translate host names
+allow cjdns_t net_conf_t:file { read getattr open };
+allow cjdns_t net_conf_t:file { read getattr open };
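Review bot: The rule added at `+dontaudit cjdns_t sssd_var_lib_t:dir search;` suppresses the denial without granting it, so if the cjdns uid is ever served only by sssd rather than the local passwd file (the `passwd_file_t` read allowed two lines above is what makes the local lookup work), the failed lookup would leave no AVC record to diagnose. I'd extend the new comment to record that trade-off, e.g. `# uid lookup is served from passwd_file_t; the sssd dir search is denied silently, so restore auditing if uid lookups start failing`. The `type sssd_var_lib_t;` added to the require block in the first hunk also makes this module depend on the sssd policy module being loaded; presumably that holds on the target distribution, but a comment would help anyone building the policy elsewhere. The enclosing .te file continues outside the hunk.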
@ -80,7 +80,7 @@
Name: cjdns
Name: cjdns
# major version is cjdns protocol version:
# major version is cjdns protocol version:
Version: 20.3
Version: 20.3
Release: 6%{?dist}
Release: 7%{?dist}
Summary: The privacy-friendly network without borders
Summary: The privacy-friendly network without borders
# cjdns is all GPLv3 except libuv which is MIT and BSD and ISC
# cjdns is all GPLv3 except libuv which is MIT and BSD and ISC
# cnacl is unused except when use_embedded is true
# cnacl is unused except when use_embedded is true
@ -635,6 +635,9 @@ fi
%{_bindir}/graphStats
%{_bindir}/graphStats
%changelog
%changelog
* Thu Aug 15 2019 Stuart Gathman <stuart@gathman.org> - 20.3-7
- Don't audit /var/lib/sss access
* Tue Aug 06 2019 Stuart Gathman <stuart@gathman.org> - 20.3-6
* Tue Aug 06 2019 Stuart Gathman <stuart@gathman.org> - 20.3-6
- Much simpler solution to removing sysctl calls :-)
- Much simpler solution to removing sysctl calls :-)