diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 446197e..5472419 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -1,5 +1,5 @@
-policy_module(usermanage,1.3.6)
+policy_module(usermanage,1.3.7)
 ########################################
 #
@@ -187,7 +187,7 @@ optional_policy(`
 # Groupadd local policy
 #
-allow groupadd_t self:capability { dac_override chown kill setuid sys_resource };
+allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write };
 dontaudit groupadd_t self:capability fsetid;
 allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
 allow groupadd_t self:process { setrlimit setfscreate };
@@ -450,7 +450,7 @@ optional_policy(`
 # Useradd local policy
 #
-allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource };
+allow useradd_t self:capability { dac_override chown kill fowner fsetid setuid sys_resource audit_write };
 allow useradd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
 allow useradd_t self:process setfscreate;
 allow useradd_t self:fd use;
diff --git a/policy/modules/services/dbus.if b/policy/modules/services/dbus.if
index dd77cfc..f134efa 100644
--- a/policy/modules/services/dbus.if
+++ b/policy/modules/services/dbus.if
@@ -69,6 +69,7 @@ template(`dbus_per_userdomain_template',`
 # Local policy
 #
+ allow $1_dbusd_t self:capability audit_write;
 allow $1_dbusd_t self:process { getattr sigkill signal };
 allow $1_dbusd_t self:file { getattr read write };
 allow $1_dbusd_t self:dbus { send_msg acquire_svc };
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 6fd0076..1be84ef 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
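Review bot: The `allow groupadd_t self:capability { ... audit_write };` line in the Groupadd local policy hunk of usermanage.te grants the capability, but no `netlink_audit_socket` rule for groupadd_t is visible, and without one the domain still cannot open the audit netlink socket that the capability is used on. The same applies to useradd_t in the next hunk, `$1_dbusd_t` in dbus.if, system_dbusd_t in dbus.te and nscd_t in nscd.te. If the rule is not already present outside these hunks, pair each capability with `allow groupadd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` (domain substituted), as the context line for semanage_t in selinuxutil.te does. Granting only nlmsg_relay keeps these domains limited to sending user-space audit records.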
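Review bot: The added `allow $1_dbusd_t self:capability audit_write;` in dbus.if sits inside dbus_per_userdomain_template, so every per-user dbusd domain gets the capability, and nothing in the hunk records why. A one-line comment above it would keep the reason with the rule, for example `# audit_write: dbusd reports its userspace AVC denials to the audit subsystem`, if that is the denial this was added for (presumed, not visible here). The same kind of comment would fit beside the existing dac_override comment above the system_dbusd_t rule in dbus.te. The template body starts and ends outside the hunk.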
@@ -1,5 +1,5 @@
-policy_module(dbus,1.2.6)
+policy_module(dbus,1.2.7)
 gen_require(`
 class dbus { send_msg acquire_svc };
@@ -30,7 +30,7 @@ files_pid_file(system_dbusd_var_run_t)
 # dac_override: /var/run/dbus is owned by messagebus on Debian
 # cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid audit_write };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr signal_perms setcap };
 allow system_dbusd_t self:fifo_file { read write };
diff --git a/policy/modules/services/nscd.te b/policy/modules/services/nscd.te
index 1b44ce8..94ab050 100644
--- a/policy/modules/services/nscd.te
+++ b/policy/modules/services/nscd.te
@@ -1,5 +1,5 @@
-policy_module(nscd,1.2.5)
+policy_module(nscd,1.2.6)
 gen_require(`
 class nscd all_nscd_perms;
@@ -28,7 +28,7 @@ logging_log_file(nscd_log_t)
 # Local policy
 #
-allow nscd_t self:capability { kill setgid setuid };
+allow nscd_t self:capability { kill setgid setuid audit_write };
 dontaudit nscd_t self:capability sys_tty_config;
 allow nscd_t self:process { getattr setsched signal_perms };
 allow nscd_t self:fifo_file { read write };
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index a6bdb4e..4df9bc8 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -29,6 +29,7 @@ template(`authlogin_common_auth_domain_template',`
 allow $1_chkpwd_t self:capability { audit_write audit_control setuid };
 allow $1_chkpwd_t self:process getattr;
+ allow $1_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 files_list_etc($1_chkpwd_t)
 allow $1_chkpwd_t shadow_t:file { getattr read };
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.te
index 209101a..7e6ca34 100644
--- a/policy/modules/system/authlogin.te
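Review bot: The new `allow $1_chkpwd_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` in authlogin_common_auth_domain_template covers what audit_write needs, but the capability line two lines above it also grants audit_control, and the socket rule has no nlmsg_write or nlmsg_readpriv that would let chkpwd use that capability over netlink. Unless chkpwd needs audit_control for something outside the netlink socket, narrowing that line to `allow $1_chkpwd_t self:capability { audit_write setuid };` would limit every per-user chkpwd domain to sending audit records. The template body continues outside the hunk, so confirm that no other rule there depends on audit_control before removing it.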
+++ b/policy/modules/system/authlogin.te
@@ -1,5 +1,5 @@
-policy_module(authlogin,1.3.7)
+policy_module(authlogin,1.3.8)
 ########################################
 #
diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index 05aea9f..aada013 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -1,5 +1,5 @@
-policy_module(selinuxutil,1.2.8)
+policy_module(selinuxutil,1.2.9)
 gen_require(`
 bool secure_mode;
@@ -534,7 +534,7 @@ ifdef(`targeted_policy',`',`
 # semodule local policy
 #
-allow semanage_t self:capability dac_override;
+allow semanage_t self:capability { dac_override audit_write };
 allow semanage_t self:unix_stream_socket create_stream_socket_perms;
 allow semanage_t self:unix_dgram_socket create_socket_perms;
 allow semanage_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };