On Friday, 10 April 2020 6:10:57 PM AEST Dominick Grift wrote:
> > +allow memlockd_t self:unix_dgram_socket { create connect };
>
> the unix dgram socket creating is probably redundant and implied with
> logging_send_logs_msg() as journald uses dgram_sendto for logging?

You are correct, that is redundant. Chris, shall I submit the patch again or would it be easier to just delete that line when you merge?

> > +# cache /etc/shadow too
> > +auth_read_shadow(memlockd_t)
>
> Hmm since /etc/shadow is mode 000, how is memlock able to read this
> without cap_dac_read_search access. is that implied?

/etc/shadow is mode 640 on Debian. On other distributions the choice is either more permissions for memlockd or a configuration that doesn't cache /etc/shadow.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
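Review bot: before dropping `allow memlockd_t self:unix_dgram_socket { create connect };`, confirm that the socket operations memlockd actually performs are covered by the logging interface named in the reply; the reply cites `dgram_sendto` only, and a logger that connect()s its socket and then write()s to it, rather than calling sendto() on an unconnected socket, would still need `connect`. A run in permissive mode with a check of the audit log for `unix_dgram_socket` denials from memlockd_t settles this before the resubmitted patch removes the line.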
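Review bot: `auth_read_shadow(memlockd_t)` grants the file permissions on shadow_t, but the reply makes the read depend on /etc/shadow being mode 640 (Debian); on a distribution where it is mode 000, a uid 0 memlockd falls back to CAP_DAC_READ_SEARCH and the policy would also need `allow memlockd_t self:capability dac_read_search;`, otherwise the read fails with a capability AVC denial. Either document that assumption next to `# cache /etc/shadow too` or add the capability rule behind a tunable so non-Debian users are not left with a denial.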
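The 640-versus-000 question in the thread comes down to the order in which the kernel checks DAC bits and then capabilities, and to the fact that under SELinux a capability use is itself a permission the domain must be allowed. The model below is an added example, not code from the memlockd patch or from the SELinux reference policy: it reproduces the decision order of the kernel's generic_permission() (owner bits, else group bits, else other bits; then CAP_DAC_READ_SEARCH for read/search, then CAP_DAC_OVERRIDE) and reports which capability, and therefore which `self:capability` rule, a domain would consume. The domain name `memlockd_t` is from the patch; the shadow group id 42, the uids and the file modes are constructed sample values, and `proc.caps` stands for "capabilities the process holds and the policy allows it to use". It goes beyond the two cases in the thread by also covering directory search, write, and exec of a file with no exec bit.

```python
"""Model of Linux DAC checks plus the capability fallback, to show which
SELinux capability rule a domain needs to read a file it has no DAC
permission for. Added example; not the memlockd patch or refpolicy code.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Same numeric values the kernel uses for the permission mask.
MAY_READ, MAY_WRITE, MAY_EXEC = 4, 2, 1
S_IXUGO = 0o111           # any exec bit
S_IFDIR = 0o040000        # directory flag in st_mode


@dataclass
class Inode:
    mode: int             # permission bits, plus S_IFDIR for a directory
    uid: int              # owner
    gid: int              # group owner


@dataclass
class Process:
    uid: int
    groups: set[int]                          # egid + supplementary groups
    caps: set[str] = field(default_factory=set)  # caps held AND allowed by policy


def acl_permission_check(inode: Inode, proc: Process, mask: int) -> bool:
    """Plain DAC: owner bits if uid matches, else group bits, else other bits.
    Note the owner branch does not fall through to group/other bits."""
    mode = inode.mode
    if proc.uid == inode.uid:
        mode >>= 6
    elif inode.gid in proc.groups:
        mode >>= 3
    return (mask & ~mode & (MAY_READ | MAY_WRITE | MAY_EXEC)) == 0


def generic_permission(inode: Inode, proc: Process, mask: int) -> tuple[bool, str | None]:
    """Return (allowed, capability_used). capability_used is None when the
    DAC bits alone were sufficient (no self:capability rule is needed)."""
    if acl_permission_check(inode, proc, mask):
        return True, None

    if inode.mode & S_IFDIR:
        # Searching/reading a directory: DAC_READ_SEARCH first, then OVERRIDE.
        if not (mask & MAY_WRITE) and "dac_read_search" in proc.caps:
            return True, "dac_read_search"
        if "dac_override" in proc.caps:
            return True, "dac_override"
        return False, None

    mask &= MAY_READ | MAY_WRITE | MAY_EXEC
    # Pure read of a regular file is overridable with CAP_DAC_READ_SEARCH.
    if mask == MAY_READ and "dac_read_search" in proc.caps:
        return True, "dac_read_search"
    # Read/write DACs are always overridable with CAP_DAC_OVERRIDE; exec only
    # when at least one exec bit is set on the file.
    if (not (mask & MAY_EXEC) or (inode.mode & S_IXUGO)) and "dac_override" in proc.caps:
        return True, "dac_override"
    return False, None


def extra_rule_for_read(domain: str, inode: Inode, proc: Process) -> str | None:
    """Which self:capability rule (if any) `domain` needs, beyond the file
    permissions, for `proc` to read `inode`. Tries DAC alone, then the
    least-powerful capability that makes the read succeed."""
    if generic_permission(inode, proc, MAY_READ)[0]:
        return None
    for cap in ("dac_read_search", "dac_override"):
        trial = Process(proc.uid, proc.groups, proc.caps | {cap})
        if generic_permission(inode, trial, MAY_READ)[0]:
            return f"allow {domain} self:capability {cap};"
    return None


# Constructed sample inodes and processes (gid 42 stands in for "shadow").
SHADOW_DEBIAN = Inode(0o640, uid=0, gid=42)   # the reply's Debian layout
SHADOW_000 = Inode(0o000, uid=0, gid=0)       # the layout Dominick asked about
ROOT = Process(uid=0, groups={0})

if __name__ == "__main__":
    for name, inode in (("640 root:shadow", SHADOW_DEBIAN), ("000 root:root", SHADOW_000)):
        print(name, "->", extra_rule_for_read("memlockd_t", inode, ROOT))
```

The point the model makes concrete: with 640 root:shadow a uid 0 memlockd passes on the owner bits and `auth_read_shadow()` is all the policy needs, whereas with mode 000 the same process only succeeds if the domain is also allowed `dac_read_search` (or the broader `dac_override`), which is a separate AVC check from the file read itself.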