[389-devel] Please Review: Allow dirsrv_t to have fsetid capability

From 24e6ca2262e1fa9114fb80b5d2f32205379d3a97 Mon Sep 17 00:00:00 2001
From: Nathan Kinder <nkinder@xxxxxxxxxx>
Date: Fri, 11 Dec 2009 10:04:36 -0800
Subject: [PATCH] Allow dirsrv_t to have fsetid capability

I ran into an SELinux violation during some testing.  This patch
allows ns-slapd to have the fsetid capability on itself, which
eliminates the AVC.
---
 selinux/dirsrv.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te
index ef09fb2..1880e6f 100644
--- a/selinux/dirsrv.te
+++ b/selinux/dirsrv.te
@@ -86,7 +86,7 @@ allow dirsrv_t self:fifo_file { read write };
 
 # process stuff
 allow dirsrv_t self:process { getsched setsched setfscreate signal_perms};
-allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override fowner };
+allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner };
 
 # semaphores
 allow dirsrv_t self:sem all_sem_perms;
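Review bot: the commit message says only that an AVC was hit during testing; the added `fsetid` in the `allow dirsrv_t self:capability { ... }` line needs a stated justification, since CAP_FSETID lets a process keep setuid/setgid bits on files it modifies. Please include the raw AVC denial (the `comm=`, `path=` and the syscall) in the commit message so a reviewer can see which ns-slapd file operation requires it, and state whether the operation actually fails without the capability; if ns-slapd works correctly with the denial, a `dontaudit dirsrv_t self:capability fsetid;` rule silences the log noise without widening the policy.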
-- 
1.6.2.5

--
389-devel mailing list
389-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-directory-devel
