I'm using linux-3.15.10-hardened-r2 along with gradm-3.0-201407222118.
I don't know how long this new capability CAP_BLOCK_SUSPEND has been around in the kernel (I see it in linux-3.15.9-hardened), but somehow it hasn't been triggered until lately. Maybe it's the new systemd-216, I didn't see that for systemd-215 on a previous kernel with the capability already present. So systemd-216 asks for it but works without it. Dovecot also claims this capability for some reason I don't really understand, but it also works without it.
In the meantime gradm's last capability is still CAP_WAKE_ALARM. If I add the capability to the policy, gradm therefore complains about the unknown capability. Adding the new capability is trivial and solves the situation.
diff -urN gradm-orig/gradm_cap.c gradm-dw/gradm_cap.c
--- gradm-orig/gradm_cap.c 2014-07-17 02:22:13.000000000 +0200
+++ gradm-dw/gradm_cap.c 2014-08-29 15:03:01.872462751 +0200
@@ -57,6 +57,7 @@
{"CAP_MAC_ADMIN", 33},
{"CAP_SYSLOG", 34},
{"CAP_WAKE_ALARM", 35},
+ {"CAP_BLOCK_SUSPEND", 36},
{"CAP_ALL", ~0}
};
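Review bot: the value 36 on the added line must be exactly the number the kernel assigns to CAP_BLOCK_SUSPEND in its capability header, because gradm hands these numbers to the kernel and a wrong one would silently grant a different capability; the table is hand-maintained and nothing ties its last real entry to CAP_MAX in gradm_defs.h, so consider a compile-time check (for example a static assertion that the entry before the `{"CAP_ALL", ~0}` sentinel has value CAP_MAX) so the next capability cannot be added in one file without the other. The sentinel itself stays last, which this hunk preserves correctly.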
diff -urN gradm-orig/gradm_defs.h gradm-dw/gradm_defs.h
--- gradm-orig/gradm_defs.h 2014-07-17 02:22:13.000000000 +0200
+++ gradm-dw/gradm_defs.h 2014-08-29 15:03:31.760533829 +0200
@@ -40,8 +40,8 @@
#define PATH_MAX 4096
#define MAX_LINE_LEN 5000
-// CAP_WAKE_ALARM
-#define CAP_MAX 35
+// CAP_BLOCK_SUSPEND
+#define CAP_MAX 36
#define MAX_INCLUDE_DEPTH 20
#define MAX_NEST_DEPTH 8
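Review bot: raising CAP_MAX from 35 to 36 widens the range of capability numbers gradm accepts, and the only record of which kernel header that number tracks is the comment naming the highest capability; suggest recording the minimum kernel version the define corresponds to next to it (3.15 according to this post), and shipping this hunk and the gradm_cap.c table change as one commit, since a policy written for this CAP_MAX will be rejected by a gradm built with the old one, as the post itself notes.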
Unfortunately it also means that an updated policy cannot be loaded with a prior gradm after the upgrade...
Regards: Dw.