| author | Nathan Kinder <nkinder@redhat.com> | 2009-12-11 10:04:36 -0800 |
|---|---|---|
| committer | Nathan Kinder <nkinder@redhat.com> | 2009-12-11 10:04:36 -0800 |
| commit | 24e6ca2262e1fa9114fb80b5d2f32205379d3a97 (patch) | |
| tree | 7d79613ea6ff9b9fc315a57c657546b4d53f1737 | |
| parent | 9f337eb80b6446c2f99eef600f55392dbf4970cb (diff) | |
Allow dirsrv_t to have fsetid capability
I ran into an SELinux violation during some testing. This patch
allows ns-slapd to have the fsetid capability on itself, which
eliminates the AVC.
| -rw-r--r-- | selinux/dirsrv.te | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/selinux/dirsrv.te b/selinux/dirsrv.te index ef09fb29..1880e6f8 100644 --- a/selinux/dirsrv.te +++ b/selinux/dirsrv.te @@ -86,7 +86,7 @@ allow dirsrv_t self:fifo_file { read write }; # process stuff allow dirsrv_t self:process { getsched setsched setfscreate signal_perms}; -allow dirsrv_t self:capability { sys_nice setuid setgid chown dac_override fowner }; +allow dirsrv_t self:capability { sys_nice setuid setgid fsetid chown dac_override fowner }; # semaphores allow dirsrv_t self:sem all_sem_perms; |
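Review bot: the `fsetid` added to the `allow dirsrv_t self:capability { ... }` rule is not explained anywhere. Neither the commit message nor the policy file says which ns-slapd operation raised the AVC, so a later reader cannot tell whether the capability is needed for correct operation or was only requested incidentally. fsetid lets a process keep set-user-ID and set-group-ID bits when it modifies a file, and set the set-group-ID bit on a file whose group it does not belong to. Together with the `chown`, `dac_override` and `fowner` already in this rule, that widens what the domain may do to file modes. Please quote the AVC denial in the commit message and add a one-line comment above the rule naming the operation that needs it. If the server behaves correctly when the request is denied, `dontaudit dirsrv_t self:capability fsetid;` would silence the AVC without granting the capability.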
