From 9adc6c5ddbf41feca2502eef8973acef16865d2f Mon Sep 17 00:00:00 2001
From: Jason Zaman
Date: Fri, 3 Nov 2017 01:30:47 +0800
Subject: [PATCH] gssproxy: Allow others to stream connect

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'
type=AVC msg=audit(1490858215.578:386110): avc: denied { connectto } for pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
---
 policy/modules/kernel/kernel.te     | 4 ++++
 policy/modules/roles/sysadm.te      | 4 ++++
 policy/modules/system/userdomain.if | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 0fc746484..22d1ebaf5 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
 	rpc_tcp_rw_nfs_sockets(kernel_t)
 	rpc_udp_rw_nfs_sockets(kernel_t)
 
+	optional_policy(`
+		gssproxy_stream_connect(kernel_t)
+	')
+
 	tunable_policy(`nfs_export_all_ro',`
 		fs_getattr_noxattr_fs(kernel_t)
 		fs_list_noxattr_fs(kernel_t)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 93c9ee5f1..d25dd34bb 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -454,6 +454,10 @@ optional_policy(`
 	gpsd_admin(sysadm_t, sysadm_r)
 ')
 
+optional_policy(`
+	gssproxy_admin(sysadm_t)
+')
+
 optional_policy(`
 	hadoop_role(sysadm_r, sysadm_t)
 ')
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index efb31d0ae..49eff3a65 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -663,6 +663,10 @@ template(`userdom_common_user_template',`
 		dpkg_read_db($1_t)
 	')
 
+	optional_policy(`
+		gssproxy_stream_connect($1_t)
+	')
+
 	optional_policy(`
 		hwloc_exec_dhwd($1_t)
 		hwloc_read_runtime_files($1_t)
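Review bot: The commit message pairs the `connectto` AVC with gssproxy's `Failed to write to /proc/net/rpc/use-gss-proxy: 13` error, but the kernel.te hunk addresses only the socket connect; if that proc write is a separate denial against gssproxy_t rather than a consequence of the kernel failing to reach the socket, the patch leaves it unresolved and a second AVC should be captured before merging. The new `gssproxy_stream_connect(kernel_t)` block is nested inside the rpc `optional_policy` shown in the hunk header, so kernel_t only gains this access when the rpc module is loaded; that is reasonable but worth a one-line comment above the block, e.g. `# kernel connects to the gssproxy socket when use-gss-proxy is enabled`. The enclosing optional_policy block begins and ends outside the hunk.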
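Review bot: In the sysadm.te hunk `gssproxy_admin(sysadm_t)` is called with the domain only, whereas the neighbouring `gpsd_admin(sysadm_t, sysadm_r)` also passes the role so that the init-script domain transition can be granted to sysadm_r; if gssproxy_admin follows the same two-argument convention as the other `*_admin` interfaces in this file, the call should read `gssproxy_admin(sysadm_t, sysadm_r)`, otherwise it is fine as written. The commit message describes only the kernel_t denial and says nothing about giving sysadm administrative rights over gssproxy, so a sentence explaining this part of the change would help anyone auditing the policy history.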
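Review bot: Adding `gssproxy_stream_connect($1_t)` inside `userdom_common_user_template` grants every common user domain, including unprivileged ones, the ability to connect to the gssproxy socket, and nothing in the commit message, which cites only a kernel_t denial, justifies that widening. If the intent is that GSSAPI clients run by ordinary users go through the proxy, the message should say so, and it is worth considering whether this belongs behind a tunable or in the specific user templates that need it rather than in the common template. Because gssproxy performs GSSAPI operations on behalf of its clients, a broad grant of connect access is the kind of change that should carry an explicit rationale in the log. The template continues outside the hunk.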