locallogin: fine tune DAC override permissions
Improve the locallogin module by curbing the dac_override permissions in the sulogin domain (read/search permissions only). Thanks to Dominick Grift for suggesting this. Other modules are likely affected by the same issue. Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
parent
bb8f9f49c3
commit
f4706daf3b
|
@ -216,7 +216,8 @@ optional_policy(`
|
||||||
# Sulogin local policy
|
# Sulogin local policy
|
||||||
#
|
#
|
||||||
|
|
||||||
allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
|
dontaudit sulogin_t self:capability dac_override;
|
||||||
|
allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
|
||||||
allow sulogin_t self:process setexec;
|
allow sulogin_t self:process setexec;
|
||||||
allow sulogin_t self:fd use;
|
allow sulogin_t self:fd use;
|
||||||
allow sulogin_t self:fifo_file rw_fifo_file_perms;
|
allow sulogin_t self:fifo_file rw_fifo_file_perms;
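Review bot: The new `dontaudit sulogin_t self:capability dac_override;` rule carries no comment explaining why the denial is silenced, and a dontaudit rule also keeps any genuine attempt by sulogin to write past DAC checks out of the audit log. It is presumably there because kernels that test CAP_DAC_OVERRIDE before CAP_DAC_READ_SEARCH would otherwise log a denial on every read or search; if that is the reason, state it above the rule, e.g. `# dac_override is probed before dac_read_search on some kernels; only read/search is needed here`. If sulogin does need write override on some path, that failure will now be silent, so the change is worth exercising with dontaudit rules disabled (`semodule -DB`) before it is relied on. The commit message says other modules are likely affected by the same issue, and the same comment would be useful wherever this pattern is repeated.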
|
||||||
|
|