comments

2025-02-09 01:08:28 -05:00 · 2025-01-20 04:29:42 -05:00 · 2025-01-20 04:29:42 -05:00 · 1b4d1edfc3
commit 1b4d1edfc3
parent 51c7010e8f
5 changed files with 7 additions and 3 deletions
--- a/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_policykit.conf
@ -5,12 +5,10 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.

+## user-sysmaint-split hardens this further.
 /usr/bin/pkexec exactwhitelist
 /usr/bin/pkexec.security-misc-orig exactwhitelist

-## TODO: research
-## TODO: Should be handled in user-sysmaint-split?
-##
 ## Required for PolicyKit (Polkit) to function.
 ##
 ## https://polkit-devel.freedesktop.narkive.com/zXO4yEg7/documentation-on-polkit-agent-helper-1-and-suid#
@ -24,4 +22,6 @@
 ## matches both:
 ## - /usr/lib/policykit-1/polkit-agent-helper-1
 ## - /lib/policykit-1/polkit-agent-helper-1
+##
+## user-sysmaint-split hardens this further.
 polkit-agent-helper-1 matchwhitelist
--- a/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_postfix.conf
@ -5,5 +5,6 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.

+## TODO: research and document
 postqueue matchwhitelist
 postdrop matchwhitelist
--- a/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_selinux.conf
@ -5,4 +5,5 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.

+## TODO: research and document
 /utempter/utempter matchwhitelist
--- a/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_spice.conf
@ -5,4 +5,5 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.

+## TODO: research and document
 spice-client-glib-usb-acl-helper matchwhitelist
--- a/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf
+++ b/usr/lib/permission-hardener.d/25_default_whitelist_sudo.conf
@ -5,4 +5,5 @@
 ## "/usr/local/etc/permission-hardener.d/20_user.conf" for your custom
 ## configuration. When security-misc is updated, this file may be overwritten.

+## user-sysmaint-split hardens this further.
 /usr/bin/sudo exactwhitelist