From 6956435a4e3cc5a6f0d311f80b31abddd83d9ae5 Mon Sep 17 00:00:00 2001
From: Patrik Koncity
Date: Mon, 27 Jun 2022 20:37:44 +0800
Subject: [PATCH] Allow domain transition to sssd_t and role access to sssd

When installing some rpm packages, new users or groups are added to the system using the groupadd and useradd tools. Then the sss_cache file with the bin_t label is run and on this file groupadd and useradd want to setgid and this trigger SELinux denials. Label the sss_cache binary as sssd_exec_t and enabling the transition from groupadd_t and useradd_t to sssd_t. Sssd policy allowed setgid on this binary.
Reference:https://github.com/fedora-selinux/selinux-policy/commit/bcc321f1719d252b205edf89f82f578c1c309eb0
Conflict: NA

After previous fix in bugzilla arise a SELinux error with role. Processes running under unconfined_r do not have access to sssd_t. Allow domain transition from rpm_script_t to sssd_t and allow the rpm_script_roles in the sssd domain.
Reference:https://github.com/fedora-selinux/selinux-policy/commit/25bdcfdf5821ddba2c47fc4306bc43debc4c0f75
Conflict: NA
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690

sssd_run_sssd interface allow execute sssd in the sssd domain, and allow the specified role the sssd domain.
Reference:https://github.com/fedora-selinux/selinux-policy/commit/d7ef9cf83cb50b4349cb8277c2cd126c17dc629a
Conflict: NA

Signed-off-by: lujie54
---
 policy/modules/admin/usermanage.te | 18 ++++++++++--------
 policy/modules/contrib/rpm.te | 4 ++++
 policy/modules/contrib/sssd.fc | 1 +
 policy/modules/contrib/sssd.if | 27 +++++++++++++++++++++++++++
 policy/modules/contrib/sssd.te | 3 +++
 5 files changed, 45 insertions(+), 8 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 5a857e0..b945e3c 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -300,10 +300,11 @@ optional_policy(`
 ')
 
 optional_policy(`
- sssd_manage_lib_files(groupadd_t)
- sssd_manage_public_files(groupadd_t)
- sssd_read_pid_files(groupadd_t)
- sssd_signal(groupadd_t)
+ sssd_domtrans(groupadd_t)
+ sssd_manage_lib_files(groupadd_t)
+ sssd_manage_public_files(groupadd_t)
+ sssd_read_pid_files(groupadd_t)
+ sssd_signal(groupadd_t)
 ')
 
 optional_policy(`
@@ -679,10 +680,11 @@ optional_policy(`
 ')
 
 optional_policy(`
- sssd_manage_lib_files(useradd_t)
- sssd_manage_public_files(useradd_t)
- sssd_read_pid_files(useradd_t)
- sssd_signal(useradd_t)
+ sssd_domtrans(useradd_t)
+ sssd_manage_lib_files(useradd_t)
+ sssd_manage_public_files(useradd_t)
+ sssd_read_pid_files(useradd_t)
+ sssd_signal(useradd_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 9d2f4e6..3f6de12 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -481,6 +481,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ sssd_run_sssd(rpm_script_t, rpm_script_roles)
+')
+
+optional_policy(`
  tzdata_domtrans(rpm_t)
  tzdata_run(rpm_script_t, rpm_script_roles)
 ')
diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc
index 2655c75..f51950d 100644
--- a/policy/modules/contrib/sssd.fc
+++ b/policy/modules/contrib/sssd.fc
@@ -3,6 +3,7 @@
 /etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
 
 /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/sbin/sss_cache -- gen_context(system_u:object_r:sssd_exec_t,s0)
 /usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0)
 /usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0)
 /usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0)
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index e1ff0d7..6debe08 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
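Review bot: The new `sssd_domtrans(groupadd_t)` at the top of the groupadd_t block makes groupadd_t transition into sssd_t for every binary labelled sssd_exec_t, yet the only role granted the sssd domain in this patch is rpm_script_roles (rpm.te hunk); groupadd_t and useradd_t are presumably also reached from interactive admin roles through the usermanage run interfaces (outside this view), and such a caller would hit the same role denial the commit message describes for unconfined_r. If that path is meant to work, the role grant needs to follow those callers as well, and the same applies to the useradd_t hunk at -679. A why-comment on the added line would save the next reader a trip to the bug tracker: `# groupadd executes sss_cache, which is labelled sssd_exec_t (rhbz#2022690)`.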
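Review bot: `sssd_run_sssd(rpm_script_t, rpm_script_roles)` allows every rpm scriptlet, not only the useradd/groupadd case given in the commit message, to execute any sssd_exec_t binary in the sssd_t daemon domain; with sss_cache sharing sssd_exec_t with the daemon (sssd.fc hunk) there is no narrower type this block could target, so the reason should be recorded next to it rather than only in the commit: `# scriptlets run useradd/groupadd, which execute sss_cache (sssd_exec_t); rhbz#2022690`. The block is placed alphabetically before the tzdata one, which matches the surrounding style.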
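Review bot: Labelling `/usr/sbin/sss_cache` as sssd_exec_t gives the cache tool the same entrypoint type as the daemon, so every caller of sssd_domtrans (groupadd_t and useradd_t in this patch, rpm_script_t via sssd_run_sssd) lands in the full sssd_t domain when it only needs to invalidate the cache; a dedicated exec type with its own smaller domain would keep that privilege separate, if the project is willing to carry an extra type. Independently of that, an already installed binary keeps bin_t until it is relabelled, so the package that ships this context must run restorecon on the path (or a full relabel) before the transition takes effect; that deployment step is not mentioned anywhere in the patch.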
@@ -429,6 +429,33 @@ interface(`sssd_dontaudit_stream_connect',`
 
 ########################################
 ##
+## Execute sssd in the sssd domain, and
+## allow the specified role the sssd domain.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+##
+##
+## Role allowed access.
+##
+##
+##
+#
+interface(`sssd_run_sssd',`
+ gen_require(`
+ type sssd_t;
+ attribute_role sssd_roles;
+ ')
+
+ sssd_domtrans($1)
+ roleattribute $2 sssd_roles;
+')
+
+########################################
+##
 ## Connect to sssd over a unix stream socket in /var/run.
 ##
 ##
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index b510dca..f64472c 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -5,6 +5,8 @@ policy_module(sssd, 1.2.0)
 # Declarations
 #
 
+attribute_role sssd_roles;
+
 ##
 ##
 ## Allow sssd read, view, and write access to kernel keys with kernel_t type
@@ -22,6 +24,7 @@ gen_tunable(sssd_connect_all_unreserved_ports, false)
 type sssd_t;
 type sssd_exec_t;
 init_daemon_domain(sssd_t, sssd_exec_t)
+role sssd_roles types sssd_t;
 
 type sssd_initrc_exec_t;
 init_script_file(sssd_initrc_exec_t)
-- 
1.8.3.1
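Review bot: The summary of the new `sssd_run_sssd` interface says it executes sssd, but with the sssd.fc change in this same patch the transition equally fires for sss_cache, which is what the rpm.te caller is actually after; the doc line should say so, e.g. `## Execute sssd (or sss_cache, which shares sssd_exec_t) in the sssd domain, and`. The `type sssd_t;` entry in gen_require is not referenced by the interface body itself — the body only calls sssd_domtrans and touches sssd_roles — so it can presumably be dropped unless sssd_domtrans (outside this view) does not require it on its own. The XML markup of the doc block is stripped in this rendering, so the param names could not be checked here.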