packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Allow chage domtrans to sssd

Browse Source
This commit is contained in:
wxdl 2022-08-18 11:42:50 +08:00
parent 634a717a51
commit ef438f32fe
2 changed files with 38 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

33
backport-Allow-chage-domtrans-to-sssd.patch Normal file
View File

@ -0,0 +1,33 @@
From f540263f5ffcf315b970ca6428b2f04ff5c13f59 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 16 Feb 2022 16:57:08 +0100
Subject: [PATCH] Allow chage domtrans to sssd
Addresses the following AVC denial:
type=PROCTITLE msg=audit(02/15/2022 16:04:12.036:1591) : proctitle=chage -d 0 user
type=PATH msg=audit(02/15/2022 16:04:12.036:1591) : item=0 name=/usr/sbin/sss_cache inode=8920535 dev=fd:02 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sssd_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/15/2022 16:04:12.036:1591) : cwd=/root
type=SYSCALL msg=audit(02/15/2022 16:04:12.036:1591) : arch=x86_64 syscall=execve success=no exit=EACCES(Permission denied) a0=0x55a73e1a7250 a1=0x7ffeecce2690 a2=0x7ffeecce2688 a3=0x7f125fce4840 items=1 ppid=104530 pid=104533 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=127 comm=chage exe=/usr/bin/chage subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/15/2022 16:04:12.036:1591) : avc: denied { execute } for pid=104533 comm=chage name=sss_cache dev="vda2" ino=8920535 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sssd_exec_t:s0 tclass=file permissive=0
Resolves: rhbz#2054718
---
policy/modules/admin/usermanage.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 155fb68..6640310 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -422,6 +422,7 @@ optional_policy(`
')
optional_policy(`
+ sssd_domtrans(passwd_t)
sssd_manage_lib_files(passwd_t)
sssd_manage_public_files(passwd_t)
sssd_read_pid_files(passwd_t)
--
1.8.3.1

6
selinux-policy.spec
View File

@ -12,7 +12,7 @@
Summary: SELinux policy configuration
Name: selinux-policy
Version: 35.5
Release: 6
Release: 7
License: GPLv2+
URL: https://github.com/fedora-selinux/selinux-policy/
@ -65,6 +65,7 @@ Patch9: add-avc-for-systemd-journald.patch
Patch10: add-avc-for-systemd.patch
Patch6000: backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch
Patch6001: backport-Allow-chage-domtrans-to-sssd.patch
Patch9000: add-qemu_exec_t-for-stratovirt.patch
Patch9001: fix-context-of-usr-bin-rpmdb.patch
@ -735,6 +736,9 @@ exit 0
%endif
%changelog
* Thu Aug 18 2022 xuwenlong <xuwenlong16@huawei.com> - 35.5-7
- Allow chage domtrans to sssd
* Mon Jun 27 2022 lujie <lujie54@huawei.com> - 35.5-6
- Allow domain transition to sssd_t and role access to sssd