From: guido@trentalancia.net (Guido Trentalancia) Date: Fri, 28 Apr 2017 01:45:33 +0200 Subject: [refpolicy] [PATCH] locallogin: fine tune DAC override permissions Message-ID: <1493336733.4422.1.camel@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Improve the locallogin module by curbing on dac_override permissions in the sulogin domain (read/search permissions only). Thanks to Dominick Grift for suggesting this. Other modules are likely affected by the same issue. Signed-off-by: Guido Trentalancia --- policy/modules/system/locallogin.te | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/policy/modules/system/locallogin.te 2017-04-26 17:47:14.080423048 +0200 +++ b/policy/modules/system/locallogin.te 2017-04-28 01:33:10.287540604 +0200 @@ -216,7 +216,8 @@ optional_policy(` # Sulogin local policy # -allow sulogin_t self:capability { dac_override sys_admin sys_tty_config }; +dontaudit sulogin_t self:capability dac_override; +allow sulogin_t self:capability { dac_read_search sys_admin sys_tty_config }; allow sulogin_t self:process setexec; allow sulogin_t self:fd use; allow sulogin_t self:fifo_file rw_fifo_file_perms;
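Review bot: the new `dontaudit sulogin_t self:capability dac_override;` line silences the denial rather than just dropping the permission, so if sulogin ever does need write-level DAC override (which `dac_read_search` does not cover) the failure will leave no audit record to diagnose from; the commit message should say why a dontaudit is wanted here (for example, to suppress noise if the kernel tests dac_override before dac_read_search on a read) or the dontaudit should be deferred until the read/search-only assumption has been confirmed by exercising sulogin with the denial still audited. Also, "Other modules are likely affected by the same issue" would be more useful in the message if it named the domains checked, since reviewers cannot otherwise tell whether this is the only locallogin change intended.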