sysnetwork: fix privilege separation functionality of dhcpcd
Fixes: dhcpcd[410]: ps_dropprivs: chroot: /var/lib/dhcpcd: Operation not permitted dhcpcd[410]: failed to drop privileges: Operation not permitted dhcpcd[264]: setrlimit RLIMIT_NOFILE: Permission denied dhcpcd[264]: setrlimit RLIMIT_NPROC: Permission denied avc: denied { sys_chroot } for pid=332 comm="dhcpcd" capability=18 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability permissive=0 avc: denied { setgid } for pid=332 comm="dhcpcd" capability=6 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability permissive=0 avc: denied { setuid } for pid=332 comm="dhcpcd" capability=7 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=capability permissive=0 avc: denied { setrlimit } for pid=332 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=process permissive=0 avc: denied { getattr } for pid=330 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket permissive=0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
This commit is contained in:
parent
b1f16bf755
commit
77fd73e6b8
@ -61,11 +61,11 @@ ifdef(`distro_debian',`
|
||||
#
|
||||
# DHCP client local policy
|
||||
#
|
||||
allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setpcap sys_nice sys_resource sys_tty_config };
|
||||
allow dhcpc_t self:capability { dac_override fsetid net_admin net_bind_service net_raw setgid setpcap setuid sys_chroot sys_nice sys_resource sys_tty_config };
|
||||
dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
|
||||
# for access("/etc/bashrc", X_OK) on Red Hat
|
||||
dontaudit dhcpc_t self:capability { dac_read_search sys_module };
|
||||
allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
|
||||
allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms setrlimit };
|
||||
allow dhcpc_t self:cap_userns { net_bind_service };
|
||||
|
||||
allow dhcpc_t self:fifo_file rw_fifo_file_perms;
|
||||
@ -149,6 +149,7 @@ files_getattr_generic_locks(dhcpc_t)
|
||||
files_manage_var_files(dhcpc_t)
|
||||
|
||||
fs_getattr_all_fs(dhcpc_t)
|
||||
fs_getattr_nsfs_files(dhcpc_t)
|
||||
fs_search_auto_mountpoints(dhcpc_t)
|
||||
fs_search_cgroup_dirs(dhcpc_t)
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user