Bug 1480518 - Define nnp_nosuid_transition policy capability
Status: POST
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: selinux-policy
Version: 7.5
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assigned To: Lukas Vrabec
QA Contact: Milos Malik
Docs Contact:
Depends On:
Blocks: 1480519 1480521 1490330

Reported: 2017-08-11 05:57 EDT by Lukas Vrabec
Modified: 2017-09-11 12:10 EDT
CC: 6 users

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Clones: 1480519 1480521
Environment:
Last Closed:
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments: None
Description Lukas Vrabec 2017-08-11 05:57:25 EDT
Define the nnp_nosuid_transition policy capability used to enable SELinux domain transitions under NNP or nosuid if the nnp_transition permission or nosuid_transition permission is allowed between the old and new contexts. When this capability is not enabled, such transitions remain limited to bounded transitions as they were prior to the introduction of this capability.

This feature allows us to create SELinux security policy for systemd services with the systemd security feature called NoNewPrivileges.

Affected RHEL components: kernel, libsepol, selinux-policy
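The description above says what the capability changes: once it is enabled, a domain transition attempted under NoNewPrivileges or on a nosuid mount is no longer limited to a bounded transition but is allowed when the policy grants nnp_transition (or nosuid_transition) in the process2 class from the old domain to the new one; when the policy does not, the kernel logs an AVC denial on tclass=process2. The following shell script is an added example for this report, not code from the bug, the kernel or the selinux-policy project. It assumes the standard selinuxfs location for policy capability flags and the standard AVC record layout; the sample audit lines and the domain names httpd_t and helper_t in them are constructed for the demonstration. It checks whether the running policy has the capability enabled and turns process2 denials into the refpolicy allow rules a policy author would add.

```shell
#!/bin/sh
# Added example for bug 1480518 (not from the bug, the kernel or selinux-policy).
# Assumptions: selinuxfs is mounted at /sys/fs/selinux and AVC records use the
# usual "avc:  denied  { perms } for ... scontext=... tcontext=... tclass=..." layout.

# Flag file exposed by a kernel that knows the capability (assumed standard path;
# pass another file as $1 to test against saved data).
NNP_CAP_FILE="/sys/fs/selinux/policy_capabilities/nnp_nosuid_transition"

# nnp_cap_status [file]
#   exit 0: capability enabled; NNP/nosuid transitions are governed by
#           process2 { nnp_transition nosuid_transition } between old and new domain
#   exit 1: capability known but disabled; such transitions must stay bounded
#   exit 2: flag file absent; the kernel or the loaded policy predates the capability
nnp_cap_status() {
    f="${1:-$NNP_CAP_FILE}"
    [ -r "$f" ] || return 2
    [ "$(cat "$f")" = "1" ]
}

# process2_rules_from_avc < audit-lines
#   For every denial on class process2 read from stdin, print the refpolicy rule
#   that would permit it, deduplicated:
#       allow <old domain> <new domain>:process2 { <perms> };
#   The source type comes from scontext (the domain before exec, e.g. init_t for
#   a systemd service) and the target type from tcontext (the domain the exec
#   wants to enter). Denials on other classes are ignored.
process2_rules_from_avc() {
    grep 'tclass=process2' | grep ' denied ' |
    sed -n 's/.*denied *{ *\([a-z_][a-z_ ]*[a-z_]\) *}.*scontext=[^:]*:[^:]*:\([^: ]*\).*tcontext=[^:]*:[^:]*:\([^: ]*\).*/allow \2 \3:process2 { \1 };/p' |
    sort -u
}

# Constructed sample denials (not captured from a real system): a service that
# systemd started with NoNewPrivileges=yes, a setuid helper executed from a
# nosuid mount, and one unrelated file denial that must not produce a rule.
SAMPLE_AVC='type=AVC msg=audit(1502445432.101:220): avc:  denied  { nnp_transition } for  pid=1234 comm="(httpd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1502445432.101:221): avc:  denied  { nnp_transition } for  pid=1234 comm="(httpd)" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:httpd_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1502445440.500:230): avc:  denied  { nosuid_transition } for  pid=1300 comm="helper" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:helper_t:s0 tclass=process2 permissive=0
type=AVC msg=audit(1502445441.000:231): avc:  denied  { read } for  pid=1300 comm="helper" name="secret" scontext=system_u:system_r:helper_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0'

main() {
    # Report the state of the capability on this host.
    if nnp_cap_status; then
        echo "nnp_nosuid_transition: enabled"
    elif [ $? -eq 2 ]; then
        echo "nnp_nosuid_transition: not supported by this kernel/policy"
    else
        echo "nnp_nosuid_transition: disabled (transitions stay bounded)"
    fi
    # Show the rules the constructed denials call for.
    printf '%s\n' "$SAMPLE_AVC" | process2_rules_from_avc
}

main
```

On a host with the backported kernel and policy, `seinfo --polcap` (setools) lists the capability and `sesearch -A -s init_t -c process2` shows which service domains init_t may enter under NoNewPrivileges; a rule printed by the script only takes effect if the loaded policy also declares `policycap nnp_nosuid_transition;`, otherwise the old bounded-transition behaviour described in the report still applies.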
Comment 2 Lukas Vrabec 2017-08-11 06:00:01 EDT
The following commits need to be backported from Fedora Rawhide:
commit aba089a03c5bc225b4643142dbeca0fc4522c685
Author: Chris PeBenito <pebenito@ieee.org>
Date:   Sat Aug 5 12:22:05 2017 -0400

    init: Add NoNewPerms support for systemd.

commit ba9f3ac2bfe2e131a5bd7e8a75c0e70386cc5d43
Author: Chris PeBenito <pebenito@ieee.org>
Date:   Sat Aug 5 12:13:21 2017 -0400

    Add nnp_nosuid_transition policycap and related class/perm definitions.
