From 93e95ff085a9877e5ab981db18b2ba37409b3cb2 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 24 Sep 2020 13:12:54 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/93e95ff085a9877e5ab981db18b2ba37409b3cb2
Conflict: NA
Subject: [PATCH] Allow domain write to an automount unnamed pipe

With the kernel commit 13c164b1a186 ("autofs: switch to kernel_write"),
an additional LSM permission check is done when a process tries to
access a directory on an autofs volume, which has not been mounted yet,
and it results in a write operation to the automount pipe.

This commit allows any domain write to the unnamed pipe kernel uses to
communicate with automount to service the directory access request and
should be considered a temporary workaround until a different
implementation in kernel is found.

Resolves: rhbz#1874338
---
policy/modules/kernel/domain.te | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index b883be0..c77a6fe 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -570,6 +570,12 @@ optional_policy(`
')
optional_policy(`
+ # A workaround to handle additional permissions check
+ # introduced as an involuntary result of a kernel change
+ automount_write_pipes(domain)
+')
+
+optional_policy(`
sosreport_append_tmp_files(domain)
')
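
Review bot: The comment above `automount_write_pipes(domain)` in the new `optional_policy` block describes the rule only as a workaround for "a kernel change"; it should name kernel commit 13c164b1a186 ("autofs: switch to kernel_write") and rhbz#1874338 from the commit message, and say that the rule is temporary, so that it can be located and removed once the kernel side is resolved. Because the argument is the `domain` attribute, the write permission is granted to every domain rather than only to the callers that trigger an automount, which is a wide grant to leave in the policy without a tracked removal condition. Wrapping the call in `optional_policy` is appropriate, since the interface is only available when the automount module is built.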
--
1.8.3.1