This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.

Commit b8e3364

yixiangzhike simo5
authored and committed Mar 6, 2025
Revert "Remove the NoNewPrivileges because it breaks the ability to open socket"
Selinux-policy has allowed init_t nnp domain transition to gssproxy_t in the commit 95d5f5e. Now it is ok to enable NoNewPrivileges for gssproxy.service.

Signed-off-by: yixiangzhike <yixiangzhike007@163.com>
1 parent 66e7c5c commit b8e3364


‎systemd/gssproxy.service.in

Lines changed: 1 addition & 4 deletions
@@ -54,10 +54,7 @@ PrivateMounts=yes
5454
SystemCallFilter=@system-service
5555
SystemCallErrorNumber=EPERM
5656
SystemCallArchitectures=native
57-
# NoNewPrivileges=yes
58-
# NoNewPrivileges: If it is true, it breaks the ability
59-
# to open a socket under /var/lib/gssproxy when selinux enabled.
60-
# So it is commented out here.
57+
NoNewPrivileges=yes
6158
CapabilityBoundingSet=CAP_DAC_OVERRIDE
6259
IPAddressDeny=any
6360
UMask=0177
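
Review bot: The added `NoNewPrivileges=yes` at line 57 replaces the comment that recorded why the setting had been disabled, and nothing in the unit now notes that it depends on the selinux-policy change cited in the commit message (95d5f5e, allowing the init_t nnp domain transition to gssproxy_t). On a host with SELinux enabled and a policy that predates that change, the failure described in the removed lines (opening a socket under /var/lib/gssproxy) would come back. Suggest keeping a one-line comment above the setting that names the policy requirement, and stating the minimum selinux-policy version in packaging or release notes so the two are updated together.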
