37 lines
1.3 KiB
Diff
37 lines
1.3 KiB
Diff
From 62d5fd70550ba0f6564c5240c369c421b1415eb9 Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Pytela <zpytela@redhat.com>
|
|
Date: Thu, 3 Mar 2022 16:57:41 +0100
|
|
Subject: [PATCH] Allow rngd drop privileges via setuid/setgid/setcap
|
|
|
|
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/62d5fd70550ba0f6564c5240c369c421b1415eb9
|
|
Conflict: NA
|
|
|
|
The rngd service starts as root to be able to access some resources
|
|
like /dev/hwrng, then it drops capabilities and changes ruid/euid/suid
|
|
and rgid/egid/sgid.
|
|
|
|
Resolves: rhbz#2058914
|
|
Signed-off-by: lujie54 <lujie54@huawei.com>
|
|
---
|
|
policy/modules/contrib/rngd.te | 4 ++--
|
|
1 file changed, 2 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/policy/modules/contrib/rngd.te b/policy/modules/contrib/rngd.te
|
|
index 316d210..ca8c996 100644
|
|
--- a/policy/modules/contrib/rngd.te
|
|
+++ b/policy/modules/contrib/rngd.te
|
|
@@ -30,8 +30,8 @@ files_pid_file(rngd_var_run_t)
|
|
# Local policy
|
|
#
|
|
|
|
-allow rngd_t self:capability { ipc_lock sys_admin };
|
|
-allow rngd_t self:process { setsched signal };
|
|
+allow rngd_t self:capability { ipc_lock setgid setuid sys_admin };
|
|
+allow rngd_t self:process { setcap setsched signal };
|
|
allow rngd_t self:fifo_file rw_fifo_file_perms;
|
|
allow rngd_t self:netlink_kobject_uevent_socket create_socket_perms;
|
|
allow rngd_t self:unix_stream_socket { accept listen };
|
|
--
|
|
1.8.3.1
|
|
|