!216 allow login_pgm setcap permission

From: @HuaxinLuGitee Reviewed-by: @zhujianwei001 Signed-off-by: @zhujianwei001
2023-03-30 01:20:47 +00:00 · 2023-03-30 01:20:47 +00:00 · de81d60d92
commit de81d60d92
parent 6dfc00001a de38b55dfe
2 changed files with 47 additions and 1 deletions
--- a/Allow-login_pgm-setcap-permission.patch
+++ b/Allow-login_pgm-setcap-permission.patch
@ -0,0 +1,42 @@
+From 704e79751a2219a7a1e647084be6dbf04e679bf6 Mon Sep 17 00:00:00 2001
+From: Zdenek Pytela <zpytela@redhat.com>
+Date: Fri, 3 Mar 2023 12:22:12 +0100
+Subject: [PATCH] Allow login_pgm setcap permission
+
+There is a pam_cap module as a part of the libcap package. When a
+capability is added to the login process using pam_cap, the setcap
+permission is required.
+
+Example setup:
+
+ echo "cap_dac_read_search exampleuser" > /etc/security/capability.conf
+ echo "auth required pam_cap.so" >> /etc/pam.d/postlogin
+
+Addresses the following AVC denial:
+
+type=PROCTITLE msg=audit(03/03/2023 06:30:19.302:505) : proctitle=sshd: exampleuser [priv]
+type=SYSCALL msg=audit(03/03/2023 06:30:19.302:505) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x55b8338dc6f4 a1=0x55b8338dc6fc a2=0x55b8338dc6fc a3=0x55b83388d010 items=0 ppid=1350 pid=1357 auid=exampleuser uid=root gid=exampleuser euid=root suid=root fsuid=root egid=exampleuser sgid=exampleuser fsgid=exampleuser tty=(none) ses=7 comm=sshd exe=/usr/sbin/sshd subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
+type=AVC msg=audit(03/03/2023 06:30:19.302:505) : avc:  denied  { setcap } for  pid=1357 comm=sshd scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=process permissive=0
+
+Resolves: rhbz#2172541
+Signed-off-by: Huaxin Lu <luhuaxin1@huawei.com>
+---
+ policy/modules/system/authlogin.te | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index feabf67ab..2c3628a31 100644
+--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
+@@ -593,7 +593,7 @@ allow login_pgm self:netlink_kobject_uevent_socket create_socket_perms;
+ allow login_pgm self:netlink_selinux_socket create_socket_perms; 
+ allow login_pgm self:capability ipc_lock;
+ dontaudit login_pgm self:capability net_admin;
+-allow login_pgm self:process setkeycreate;
+allow login_pgm self:process { setcap setkeycreate };
+ allow login_pgm self:key manage_key_perms;
+ userdom_manage_all_users_keys(login_pgm)
+ allow login_pgm nsswitch_domain:key manage_key_perms;
+-- 
+2.33.0
+
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@ -12,7 +12,7 @@
 Summary: SELinux policy configuration
 Name:    selinux-policy
 Version: 38.6
-Release: 3
+Release: 4
 License: GPLv2+
 URL:     https://github.com/fedora-selinux/selinux-policy/

@ -63,6 +63,7 @@ Patch7:  add-avc-for-os-1.patch
 Patch8:  allow-rpcbind-to-bind-all-port.patch
 Patch9:  add-avc-for-systemd-journald.patch
 Patch10: add-avc-for-systemd.patch
+Patch11: Allow-login_pgm-setcap-permission.patch

 Patch9000: add-qemu_exec_t-for-stratovirt.patch
 Patch9001: fix-context-of-usr-bin-rpmdb.patch
@ -742,6 +743,9 @@ exit 0
 %endif

 %changelog
+* Wed Mar 29 2023 luhuaxin<luhuaxin1@huawei.com> - 38.6-4
+- allow login_pgm setcap permission
+
 * Mon Mar 20 2023 jinlun<jinlun@huawei.com> - 38.6-3
 - Don't allow kernel_t to execute bin_t/usr_t binaries without a transition