commit: 9771f955615ba799aa321147a1730dda60e99a00 Author: Adam Tkac <adam.tkac <AT> gooddata <DOT> com> AuthorDate: Tue Jun 21 13:08:33 2016 +0000 Commit: Sven Vermeulen <swift <AT> gentoo <DOT> org> CommitDate: Sun Jul 3 11:32:26 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=9771f955
Grant certmonger "chown" capability After autorenewal of the certificate, "chown" capability is needed to change certificate user/group to daemon's user/group. policy/modules/contrib/certmonger.te | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/contrib/certmonger.te b/policy/modules/contrib/certmonger.te
index 7c3126e..034ffa3 100644
--- a/policy/modules/contrib/certmonger.te
+++ b/policy/modules/contrib/certmonger.te
@@ -23,7 +23,7 @@ files_pid_file(certmonger_var_run_t)
 # Local policy
 #

-allow certmonger_t self:capability { dac_override dac_read_search setgid setuid kill sys_nice };
+allow certmonger_t self:capability { chown dac_override dac_read_search setgid setuid kill sys_nice };
 dontaudit certmonger_t self:capability sys_tty_config;
 allow certmonger_t self:capability2 block_suspend;
 allow certmonger_t self:process { getsched setsched sigkill signal };
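Review bot: The `chown` added to the `self:capability` set has no comment in the policy, so the reason for it is recorded only in the commit message. A line above the rule such as `# chown: hand renewed certificates to the owning daemon's user/group` would keep the justification next to the permission. Because the same set already holds `dac_override` and `dac_read_search`, DAC checks do little to constrain this domain. Which files it can actually re-own is decided by the `setattr` permissions granted on file types elsewhere in the module, outside this hunk. Those grants are worth reviewing together with this change so that `chown` applies only to certificate and key files.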