From: dominick.grift@gmail.com (grift) Date: Tue, 01 Jan 2013 11:47:16 +0100 Subject: [refpolicy] [PATCH 06/12] Grant sys_admin capability to puppet In-Reply-To: <1356994351-29191-7-git-send-email-sven.vermeulen@siphos.be> References: <1356994351-29191-1-git-send-email-sven.vermeulen@siphos.be> <1356994351-29191-7-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1357037236.2088.15.camel@localhost> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote: > While gathering information, puppet invokes lspci, which requires the sys_admin > capability. > I gather that puppet loses functionality if this permission is dontaudited? sys_admin is a very broad capability This was merged, thanks > Signed-off-by: Sven Vermeulen > --- > puppet.te | 2 +- > 1 files changed, 1 insertions(+), 1 deletions(-) > > diff --git a/puppet.te b/puppet.te > index f3f1c1f..5a256e3 100644 > --- a/puppet.te > +++ b/puppet.te > @@ -58,7 +58,7 @@ files_tmp_file(puppetmaster_tmp_t) > # Local policy > # > > -allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_nice sys_tty_config }; > +allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config }; > allow puppet_t self:process { signal signull getsched setsched }; > allow puppet_t self:fifo_file rw_fifo_file_perms; > allow puppet_t self:netlink_route_socket nlmsg_write;
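Review bot: the only justification for adding sys_admin to the puppet_t capability line in the hunk is "puppet invokes lspci, which requires the sys_admin capability", which does not say what actually breaks when the capability is denied; since sys_admin is the broadest capability in the set (the reply above raises exactly this concern), the commit message should record the AVC denial that was observed and whether a `dontaudit puppet_t self:capability sys_admin;` line keeps puppet's fact gathering working, so that the allow rule is only merged if lspci genuinely loses output without it rather than merely logging a denial.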