From ef438f32fe2160f119586cd7dc2438cf3fbca606 Mon Sep 17 00:00:00 2001 From: wxdl <490514142@qq.com> Date: Thu, 18 Aug 2022 11:42:50 +0800 Subject: [PATCH] Allow chage domtrans to sssd --- backport-Allow-chage-domtrans-to-sssd.patch | 33 +++++++++++++++++++++ selinux-policy.spec | 6 +++- 2 files changed, 38 insertions(+), 1 deletion(-) create mode 100644 backport-Allow-chage-domtrans-to-sssd.patch diff --git a/backport-Allow-chage-domtrans-to-sssd.patch b/backport-Allow-chage-domtrans-to-sssd.patch new file mode 100644 index 0000000..bf39510 --- /dev/null +++ b/backport-Allow-chage-domtrans-to-sssd.patch @@ -0,0 +1,33 @@ +From f540263f5ffcf315b970ca6428b2f04ff5c13f59 Mon Sep 17 00:00:00 2001 +From: Zdenek Pytela +Date: Wed, 16 Feb 2022 16:57:08 +0100 +Subject: [PATCH] Allow chage domtrans to sssd + +Addresses the following AVC denial: + +type=PROCTITLE msg=audit(02/15/2022 16:04:12.036:1591) : proctitle=chage -d 0 user +type=PATH msg=audit(02/15/2022 16:04:12.036:1591) : item=0 name=/usr/sbin/sss_cache inode=8920535 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 +type=CWD msg=audit(02/15/2022 16:04:12.036:1591) : cwd=/root +type=SYSCALL msg=audit(02/15/2022 16:04:12.036:1591) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55a73e1a7250 a1=0x7ffeecce2690 a2=0x7ffeecce2688 a3=0x7f125fce4840 items=1 ppid=104530 pid=104533 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=127 comm=chage exe=/usr/bin/chage subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null) +type=AVC msg=audit(02/15/2022 16:04:12.036:1591) : avc: denied { execute } for pid=104533 comm=chage name=sss_cache dev="vda2" ino=8920535 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0 + +Resolves: rhbz#2054718 +--- + policy/modules/admin/usermanage.te | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te +index 155fb68..6640310 100644 +--- a/policy/modules/admin/usermanage.te ++++ b/policy/modules/admin/usermanage.te +@@ -422,6 +422,7 @@ optional_policy(` + ') + + optional_policy(` ++ sssd_domtrans(passwd_t) + sssd_manage_lib_files(passwd_t) + sssd_manage_public_files(passwd_t) + sssd_read_pid_files(passwd_t) +-- +1.8.3.1 + diff --git a/selinux-policy.spec b/selinux-policy.spec index 091dbeb..5140517 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 35.5 -Release: 6 +Release: 7 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ @@ -65,6 +65,7 @@ Patch9: add-avc-for-systemd-journald.patch Patch10: add-avc-for-systemd.patch Patch6000: backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch +Patch6001: backport-Allow-chage-domtrans-to-sssd.patch Patch9000: add-qemu_exec_t-for-stratovirt.patch Patch9001: fix-context-of-usr-bin-rpmdb.patch @@ -735,6 +736,9 @@ exit 0 %endif %changelog +* Thu Aug 18 2022 xuwenlong - 35.5-7 +- Allow chage domtrans to sssd + * Mon Jun 27 2022 lujie - 35.5-6 - Allow domain transition to sssd_t and role access to sssd