!156 Allow domain transition to sssd_t and role access to sssd
From: @lujie42 Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001
commit
634a717a51
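--- /dev/null
+++ b/backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch
@@ -0,0 +1,172 @@
+From 6956435a4e3cc5a6f0d311f80b31abddd83d9ae5 Mon Sep 17 00:00:00 2001
+From: Patrik Koncity <pkoncity@redhat.com>
+Date: Mon, 27 Jun 2022 20:37:44 +0800
+Subject: [PATCH] Allow domain transition to sssd_t and role access to sssd
+
+When installing some rpm packages, new users or
+groups are added to the system using
+the groupadd and useradd tools. Then the sss_cache
+file with the bin_t label is run and on this file
+groupadd and useradd want to setgid and this
+trigger SELinux denials. Label the sss_cache binary
+as sssd_exec_t and enabling the transition from
+groupadd_t and useradd_t to sssd_t. Sssd policy
+allowed setgid on this binary.
+
+Reference:https://github.com/fedora-selinux/selinux-policy/commit/bcc321f1719d252b205edf89f82f578c1c309eb0
+Conflict: NA
+
+After previous fix in bugzilla arise a SELinux
+error with role. Processes running under
+unconfined_r do not have access to sssd_t.
+Allow domain transition from rpm_script_t to
+sssd_t and allow the rpm_script_roles in the
+sssd domain.
+
+Reference:https://github.com/fedora-selinux/selinux-policy/commit/25bdcfdf5821ddba2c47fc4306bc43debc4c0f75
+Conflict: NA
+
+Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690
+
+
+sssd_run_sssd interface allow execute sssd in the
+sssd domain, and allow the specified role
+the sssd domain.
+
+Reference:https://github.com/fedora-selinux/selinux-policy/commit/d7ef9cf83cb50b4349cb8277c2cd126c17dc629a
+Conflict: NA
+
+Signed-off-by: lujie54 <lujie54@huawei.com>
+---
+policy/modules/admin/usermanage.te | 18 ++++++++++--------
+policy/modules/contrib/rpm.te | 4 ++++
+policy/modules/contrib/sssd.fc | 1 +
+policy/modules/contrib/sssd.if | 27 +++++++++++++++++++++++++++
+policy/modules/contrib/sssd.te | 3 +++
+5 files changed, 45 insertions(+), 8 deletions(-)
+
+diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
+index 5a857e0..b945e3c 100644
+--- a/policy/modules/admin/usermanage.te
++++ b/policy/modules/admin/usermanage.te
+@@ -300,10 +300,11 @@ optional_policy(`
+')
+
+optional_policy(`
+- sssd_manage_lib_files(groupadd_t)
+- sssd_manage_public_files(groupadd_t)
+- sssd_read_pid_files(groupadd_t)
+- sssd_signal(groupadd_t)
++ sssd_domtrans(groupadd_t)
++ sssd_manage_lib_files(groupadd_t)
++ sssd_manage_public_files(groupadd_t)
++ sssd_read_pid_files(groupadd_t)
++ sssd_signal(groupadd_t)
+')
+
+optional_policy(`
+@@ -679,10 +680,11 @@ optional_policy(`
+')
+
+optional_policy(`
+- sssd_manage_lib_files(useradd_t)
+- sssd_manage_public_files(useradd_t)
+- sssd_read_pid_files(useradd_t)
+- sssd_signal(useradd_t)
++ sssd_domtrans(useradd_t)
++ sssd_manage_lib_files(useradd_t)
++ sssd_manage_public_files(useradd_t)
++ sssd_read_pid_files(useradd_t)
++ sssd_signal(useradd_t)
+')
+
+optional_policy(`
+diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
+index 9d2f4e6..3f6de12 100644
+--- a/policy/modules/contrib/rpm.te
++++ b/policy/modules/contrib/rpm.te
+@@ -481,6 +481,10 @@ optional_policy(`
+')
+
+optional_policy(`
++ sssd_run_sssd(rpm_script_t, rpm_script_roles)
++')
++
++optional_policy(`
+tzdata_domtrans(rpm_t)
+tzdata_run(rpm_script_t, rpm_script_roles)
+')
+diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc
+index 2655c75..f51950d 100644
+--- a/policy/modules/contrib/sssd.fc
++++ b/policy/modules/contrib/sssd.fc
+@@ -3,6 +3,7 @@
+/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
+
+/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
++/usr/sbin/sss_cache -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0)
+diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
+index e1ff0d7..6debe08 100644
+--- a/policy/modules/contrib/sssd.if
++++ b/policy/modules/contrib/sssd.if
+@@ -429,6 +429,33 @@ interface(`sssd_dontaudit_stream_connect',`
+
+########################################
+## <summary>
++## Execute sssd in the sssd domain, and
++## allow the specified role the sssd domain.
++## </summary>
++## <param name="domain">
++## <summary>
++## Domain allowed to transition.
++## </summary>
++## </param>
++## <param name="role">
++## <summary>
++## Role allowed access.
++## </summary>
++## </param>
++## <rolecap/>
++#
++interface(`sssd_run_sssd',`
++ gen_require(`
++ type sssd_t;
++ attribute_role sssd_roles;
++ ')
++
++ sssd_domtrans($1)
++ roleattribute $2 sssd_roles;
++')
++
++########################################
++## <summary>
+## Connect to sssd over a unix stream socket in /var/run.
+## </summary>
+## <param name="domain">
+diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
+index b510dca..f64472c 100644
+--- a/policy/modules/contrib/sssd.te
++++ b/policy/modules/contrib/sssd.te
+@@ -5,6 +5,8 @@ policy_module(sssd, 1.2.0)
+# Declarations
+#
+
++attribute_role sssd_roles;
++
+## <desc>
+## <p>
+## Allow sssd read, view, and write access to kernel keys with kernel_t type
+@@ -22,6 +24,7 @@ gen_tunable(sssd_connect_all_unreserved_ports, false)
+type sssd_t;
+type sssd_exec_t;
+init_daemon_domain(sssd_t, sssd_exec_t)
++role sssd_roles types sssd_t;
+
+type sssd_initrc_exec_t;
+init_script_file(sssd_initrc_exec_t)
+--
+1.8.3.1
+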
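Review bot: Labelling /usr/sbin/sss_cache as sssd_exec_t in the sssd.fc hunk means the sssd_domtrans() calls added in usermanage.te and rpm.te let groupadd_t, useradd_t and rpm_script_t execute any sssd_exec_t binary, including /usr/sbin/sssd itself, and enter the full sssd_t domain rather than only the cache-flush helper the description motivates. If only sss_cache needs to run from those domains, a dedicated exec type for it with its own transition would keep the reachable privilege narrower; at minimum the interface summary in the sssd.if hunk should state the breadth, e.g. `## Execute any sssd_exec_t binary (sssd, sss_cache) in the sssd domain, and`. The usermanage.te hunks add sssd_domtrans(groupadd_t) and sssd_domtrans(useradd_t) without adding their roles to sssd_roles, so the role denial this patch fixes for rpm_script_t via sssd_run_sssd presumably recurs when groupadd or useradd are invoked under a role outside rpm_script_roles; calling sssd_run_sssd with the role attribute usermanage.te declares for those domains, if one exists (not visible in this diff), would close that gap.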
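--- a/SPEC_PATH_NOT_SHOWN.spec
+++ b/SPEC_PATH_NOT_SHOWN.spec
@@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name: selinux-policy
 Version: 35.5
-Release: 5
+Release: 6
 License: GPLv2+
 URL: https://github.com/fedora-selinux/selinux-policy/
 
@@ -64,7 +64,7 @@ Patch8: allow-rpcbind-to-bind-all-port.patch
 Patch9: add-avc-for-systemd-journald.patch
 Patch10: add-avc-for-systemd.patch
 
-#Patch6000: backport-Allow-kdump_t-net_admin-capability.patch
+Patch6000: backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch
 
 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@@ -735,6 +735,9 @@ exit 0
 %endif
 
 %changelog
+* Mon Jun 27 2022 lujie <lujie54@huawei.com> - 35.5-6
+- Allow domain transition to sssd_t and role access to sssd
+
 * Sat Jun 25 2022 luhuaxin <luhuaxin1@huawei.com> - 35.5-5
 - allow httpd to create files in /etc/httpd
 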