[refpolicy] [PATCH 3/5] gssproxy: Allow others to stream connect

Jason Zaman jason at perfinion.com
Tue Oct 31 05:37:05 UTC 2017


kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
---
 policy/modules/kernel/kernel.te     | 4 ++++
 policy/modules/system/userdomain.if | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 0fc74648..22d1ebaf 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
 	rpc_tcp_rw_nfs_sockets(kernel_t)
 	rpc_udp_rw_nfs_sockets(kernel_t)
 
+	optional_policy(`
+		gssproxy_stream_connect(kernel_t)
+	')
+
 	tunable_policy(`nfs_export_all_ro',`
 		fs_getattr_noxattr_fs(kernel_t)
 		fs_list_noxattr_fs(kernel_t)
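Review bot: The commit message shows two symptoms (the EACCES on the write to `/proc/net/rpc/use-gss-proxy` and the `connectto` AVC for kernel_t) but does not say how they relate, so a reader of kernel.te cannot tell why kernel_t needs a client socket to gssproxy. Presumably the write is what makes the kernel open the upcall connection to `/run/gssproxy.sock`, and the write only fails because that connect is denied — if so, one sentence stating that, plus a mention that the denial only occurs when the `use-gss-proxy` knob is enabled, would justify the new block. It would also help to note that the access is deliberately placed inside the existing rpc `optional_policy` block so it is only granted alongside the NFS/RPC permissions; the enclosing block continues outside the hunk.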
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 50035674..20b2391e 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -664,6 +664,10 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		gssproxy_stream_connect($1_t)
+	')
+
+	optional_policy(`
 		hwloc_exec_dhwd($1_t)
 		hwloc_read_runtime_files($1_t)
 	')
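Review bot: This hunk grants every domain built from `userdom_common_user_template` a stream connect to gssproxy's socket, but the commit message only cites the kernel_t denial, so the widening to all common user domains is unmotivated in the record. Unlike the kernel.te hunk it is not scoped to any RPC/NFS condition, and the template also covers unprivileged users, so the message should state which user-side access (I would guess GSSAPI use through gssproxy, but that is not shown here) produced a denial and whether every common user domain needs it rather than, say, only the login domains that handle credentials. If the access is intended for all of them, saying so in the description is enough; otherwise a narrower placement would be preferable. The enclosing template starts before the hunk.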
-- 
2.13.6


