Skip to content
This repository has been archived by the owner on Sep 18, 2019. It is now read-only.

Fix AVC dac_read_search with new kernel #6

Open
wants to merge 3 commits into
base: master
Choose a base branch
from
Open

Fix AVC dac_read_search with new kernel #6

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8eaa9bd
Remove capability DAC_OVERRIDE
Mar 17, 2018
7a5e719
Allow to read dogtag files
Mar 17, 2018
85b85cc
Suppress dac_override AVCs with old kernel
Mar 17, 2018
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions ipa_custodia.te
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,8 @@ files_tmp_file(ipa_custodia_tmp_t)
# ipa_custodia local policy
#

# DAC_OVERRIDE to read Dogtag's key material
allow ipa_custodia_t self:capability {net_admin dac_override};
allow ipa_custodia_t self:capability { net_admin dac_read_search };
dontaudit ipa_custodia_t self:capability dac_override;
allow ipa_custodia_t self:process execmem;
allow ipa_custodia_t self:fifo_file rw_fifo_file_perms;
allow ipa_custodia_t self:unix_stream_socket create_stream_socket_perms;
Expand Down