diff options
| author |   Chris PeBenito <chpebeni@linux.microsoft.com> | 2024-02-29 09:53:18 -0500 |
|---|---|---|
| committer |   Kenton Groombridge <concord@gentoo.org> | 2024-05-14 13:40:53 -0400 |
| commit | 6e0b06bb71b83898e444d21a02153d51b8c64b8f (patch) | |
| tree | 5753ef1216d1b4509c317624ee376a3c01a1762d | |
| parent | docker: Fix dockerc typo in container_engine_executable_file (diff) | |
| download | hardened-refpolicy-6e0b06bb71b83898e444d21a02153d51b8c64b8f.tar.gz hardened-refpolicy-6e0b06bb71b83898e444d21a02153d51b8c64b8f.tar.bz2 hardened-refpolicy-6e0b06bb71b83898e444d21a02153d51b8c64b8f.zip | |
minissdpd: Revoke kernel module loading permissions.
This domain also calls kernel_request_load_module(), which should be
sufficent.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
| -rw-r--r-- | policy/modules/services/minissdpd.te | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/policy/modules/services/minissdpd.te b/policy/modules/services/minissdpd.te index cf8bd9d85..909d019b8 100644 --- a/policy/modules/services/minissdpd.te +++ b/policy/modules/services/minissdpd.te @@ -23,7 +23,7 @@ files_runtime_file(minissdpd_runtime_t) # Local policy # -allow minissdpd_t self:capability { net_admin sys_module }; +allow minissdpd_t self:capability net_admin; allow minissdpd_t self:netlink_route_socket r_netlink_socket_perms; allow minissdpd_t self:udp_socket create_socket_perms; allow minissdpd_t self:unix_dgram_socket create_socket_perms; @@ -33,7 +33,6 @@ allow minissdpd_t minissdpd_runtime_t:file manage_file_perms; allow minissdpd_t minissdpd_runtime_t:sock_file manage_sock_file_perms; files_runtime_filetrans(minissdpd_t, minissdpd_runtime_t, { file sock_file }) -kernel_load_module(minissdpd_t) kernel_read_network_state(minissdpd_t) kernel_request_load_module(minissdpd_t) |