[selinux-policy: 2574/3172] Afs needs sys_admin, sends signals, and resolves hostnames from Dan Walsh
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:48:45 UTC 2010
commit 1d348bd253cac56a79a59639e54d401b4c99a0f6
Author: Jeremy Solt <jsolt at tresys.com>
Date: Mon Mar 22 13:25:07 2010 -0400
Afs needs sys_admin, sends signals, and resolves hostnames from Dan Walsh
policy/modules/services/afs.if | 2 +-
policy/modules/services/afs.te | 6 ++++--
2 files changed, 5 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/services/afs.if b/policy/modules/services/afs.if
index 6f926f7..28ad29c 100644
--- a/policy/modules/services/afs.if
+++ b/policy/modules/services/afs.if
@@ -94,7 +94,7 @@ interface(`afs_initrc_domtrans',`
#
interface(`afs_admin',`
gen_require(`
- type afs_t;
+ type afs_t, afs_initrc_exec_t;
')
allow $1 afs_t:process { ptrace signal_perms getattr };
diff --git a/policy/modules/services/afs.te b/policy/modules/services/afs.te
index 1bb54b6..60cc0d4 100644
--- a/policy/modules/services/afs.te
+++ b/policy/modules/services/afs.te
@@ -71,8 +71,8 @@ role system_r types afs_vlserver_t;
# afs client local policy
#
-allow afs_t self:capability { sys_nice sys_tty_config };
-allow afs_t self:process setsched;
+allow afs_t self:capability { sys_admin sys_nice sys_tty_config };
+allow afs_t self:process { setsched signal };
allow afs_t self:udp_socket create_socket_perms;
allow afs_t self:fifo_file rw_file_perms;
allow afs_t self:unix_stream_socket create_stream_socket_perms;
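Review bot: The `sys_admin` added on the new `allow afs_t self:capability { sys_admin sys_nice sys_tty_config };` line is granted with no record of which operation needs it. CAP_SYS_ADMIN is the broadest Linux capability (mount and many unrelated privileged operations), so a confined domain that holds it keeps much less containment if the daemon is compromised. I would put a comment above the rule, for example `# sys_admin: needed by the AFS client for <operation from the AVC denial>`, so a later audit can tell whether it is still required or whether a narrower rule would do. The added `signal` permission is limited to `self` and looks proportionate.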
@@ -105,6 +105,8 @@ logging_send_syslog_msg(afs_t)
miscfiles_read_localization(afs_t)
+sysnet_dns_name_resolve(afs_t)
+
########################################
#
# AFS bossserver local policy