packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

allow login_pgm setcap permission

Browse Source
This commit is contained in:
Huaxin Lu 2023-03-29 16:41:00 +08:00
parent 6dfc00001a
commit de38b55dfe
2 changed files with 47 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
Allow-login_pgm-setcap-permission.patch Normal file
View File

@ -0,0 +1,42 @@
From 704e79751a2219a7a1e647084be6dbf04e679bf6 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 3 Mar 2023 12:22:12 +0100
Subject: [PATCH] Allow login_pgm setcap permission
There is a pam_cap module as a part of the libcap package. When a
capability is added to the login process using pam_cap, the setcap
permission is required.
Example setup:
echo "cap_dac_read_search exampleuser" > /etc/security/capability.conf
echo "auth required pam_cap.so" >> /etc/pam.d/postlogin
Addresses the following AVC denial:
type=PROCTITLE msg=audit(03/03/2023 06:30:19.302:505) : proctitle=sshd: exampleuser [priv]
type=SYSCALL msg=audit(03/03/2023 06:30:19.302:505) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x55b8338dc6f4 a1=0x55b8338dc6fc a2=0x55b8338dc6fc a3=0x55b83388d010 items=0 ppid=1350 pid=1357 auid=exampleuser uid=root gid=exampleuser euid=root suid=root fsuid=root egid=exampleuser sgid=exampleuser fsgid=exampleuser tty=(none) ses=7 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(03/03/2023 06:30:19.302:505) : avc: denied { setcap } for pid=1357 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
Resolves: rhbz#2172541
Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
---
policy/modules/system/authlogin.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index feabf67ab..2c3628a31 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -593,7 +593,7 @@ allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
allow login_pgm self:netlink_selinux_socket create_socket_perms;
allow login_pgm self:capability ipc_lock;
dontaudit login_pgm self:capability net_admin;
-allow login_pgm self:process setkeycreate;
+allow login_pgm self:process { setcap setkeycreate };
allow login_pgm self:key manage_key_perms;
userdom_manage_all_users_keys(login_pgm)
allow login_pgm nsswitch_domain:key manage_key_perms;
--
2.33.0

6
selinux-policy.spec
View File

@ -12,7 +12,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 38.6
Release: 3
Release: 4
License: GPLv2+
URL: https://github.com/fedora-selinux/selinux-policy/
@ -63,6 +63,7 @@ Patch7: add-avc-for-os-1.patch
Patch8: allow-rpcbind-to-bind-all-port.patch
Patch9: add-avc-for-systemd-journald.patch
Patch10: add-avc-for-systemd.patch
Patch11: Allow-login_pgm-setcap-permission.patch
Patch9000: add-qemu_exec_t-for-stratovirt.patch
Patch9001: fix-context-of-usr-bin-rpmdb.patch
@ -742,6 +743,9 @@ exit 0
%endif
%changelog
* Wed Mar 29 2023 luhuaxin<luhuaxin1@huawei.com> - 38.6-4
- allow login_pgm setcap permission
* Mon Mar 20 2023 jinlun<jinlun@huawei.com> - 38.6-3
- Don't allow kernel_t to execute bin_t/usr_t binaries without a transition