On 4/10/20 5:40 AM, Russell Coker wrote:
On Friday, 10 April 2020 6:10:57 PM AEST Dominick Grift wrote:
+allow memlockd_t self:unix_dgram_socket { create connect };
The unix dgram socket creation is probably redundant and implied with
logging_send_logs_msg(), as journald uses dgram_sendto for logging?
You are correct, that is redundant. Chris shall I submit the patch again or
would it be easier to just delete that line when you merge?
Please resubmit with below change too.
+# cache /etc/shadow too
+auth_read_shadow(memlockd_t)
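Review bot: auth_read_shadow(memlockd_t) grants only the file read permission on the shadow type; on a system where /etc/shadow is mode 000 the read additionally needs the dac_read_search capability, and nothing in this hunk provides it, so the comment "cache /etc/shadow too" only holds where the file is group-readable. Either add `allow memlockd_t self:capability dac_read_search;` inside an ifndef(`distro_debian') block next to this call, or note in the comment that caching /etc/shadow is only expected to work with the Debian file mode.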
Hmm, since /etc/shadow is mode 000, how is memlockd able to read this
without cap_dac_read_search access? Is that implied?
/etc/shadow is mode 640 on Debian.
On other distributions the choice is either more permissions for memlockd or a
configuration that doesn't cache /etc/shadow.
Seems that we need an ifndef(`distro_debian') block with dac_read_search.
--
Chris PeBenito