From: sven.vermeulen@siphos.be (Sven Vermeulen) Date: Thu, 28 Jun 2012 21:17:22 +0200 Subject: [refpolicy] [PATCH v2 2/6] Allow init scripts to handle sysctls In-Reply-To: <1340911046-30441-1-git-send-email-sven.vermeulen@siphos.be> References: <1340911046-30441-1-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1340911046-30441-3-git-send-email-sven.vermeulen@siphos.be> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The init script(s) that set/reset the sysctls require the sys_admin capability (as you cannot change sysctls without it). Signed-off-by: Sven Vermeulen --- policy/modules/system/init.te | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index 9fdd704..7dfd9a9 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -222,7 +222,7 @@ optional_policy(` # allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched }; -allow initrc_t self:capability ~{ sys_admin sys_module }; +allow initrc_t self:capability ~{ sys_module }; dontaudit initrc_t self:capability sys_module; # sysctl is triggering this allow initrc_t self:passwd rootok; allow initrc_t self:key manage_key_perms; -- 1.7.3.4
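Review bot: dropping sys_admin from the excluded set in `allow initrc_t self:capability ~{ sys_module };` grants initrc_t CAP_SYS_ADMIN unconditionally, which is far wider than the sysctl case the commit message describes (mounting, privileged ioctls and many other operations sit behind that same capability), so the hunk should either scope the grant more narrowly or carry a comment stating why the whole initrc_t domain now needs it. The neighbouring `dontaudit initrc_t self:capability sys_module; # sysctl is triggering this` keeps a comment tying sysctl handling to sys_module, so it would help to record in the commit message the AVC denial that showed sys_admin (rather than only sys_module) is what the sysctl writes require, so later readers can verify the grant is still needed.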