Bug 522244
| Summary: | Changes for lowering capabilities project | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Steve Grubb <sgrubb> | ||||
| Component: | ConsoleKit | Assignee: | jmccann | ||||
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | low | ||||||
| Version: | rawhide | CC: | cschalle, jmccann | ||||
| Target Milestone: | --- | ||||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | Doc Type: | Bug Fix | |||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2009-10-01 19:00:30 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Attachments: |
|
||||||
For this patch to work, you need to BuildRequires: libcap-ng-devel and autoreconfig also needs to be run since this changes configure.ac. Hi Steve, Thanks for the patch. I imagine this is something we'd want to apply upstream right? Would you mind filing a bug here: https://bugs.freedesktop.org/enter_bug.cgi?product=ConsoleKit Thanks. Turns out there is problem with this patch. ConsoleKit seems to need CAP_DAC_OVERRIDE in addition to what's already given. Seems to be related to /dev/tty, but not 100% sure. If ConsoleKit does need DAC_OVERRIDE, then there is no possibility of confining this app. ConsoleKit is not confinable in its current implementation. |
Created attachment 360340 [details] Patch to drop capabilities Description of problem: As part of the lowering capabilities project, we should drop all unnecessary capabilities in all daemons.