locallogin: fine tune DAC override permissions

Improve the locallogin module by curbing on dac_override permissions in the sulogin domain (read/search permissions only). Thanks to Dominick Grift for suggesting this. Other modules are likely affected by the same issue. Signed-off-by: Guido Trentalancia <guido@trentalancia.net>
2017-04-28 01:45:33 +02:00 · 2017-04-28 01:45:33 +02:00 · f4706daf3b
parent bb8f9f49c3
commit f4706daf3b
1 changed files with 2 additions and 1 deletions
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@ -216,7 +216,8 @@ optional_policy(`
 # Sulogin local policy
 #

-allow sulogin_t self:capability { dac_override sys_admin sys_tty_config };
+dontaudit sulogin_t self:capability dac_override;
+allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config };
 allow sulogin_t self:process setexec;
 allow sulogin_t self:fd use;
 allow sulogin_t self:fifo_file rw_fifo_file_perms;