From 3478cb66bc08866173e82fa070c160c0c03513bd Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Fri, 30 Sep 2022 16:08:55 +0200
Subject: [PATCH] Allow sss daemons read/write unnamed pipes of cloud-init

The cloudform_rw_pipes() interface was added.

Addresses the following AVC denials:
[ 10.779755] fedora audit[812]: AVC avc: denied { read } for pid=812 comm="sss_cache" path="pipe:[18908]" dev="pipefs" ino=18908 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0
[ 10.779916] fedora audit[812]: AVC avc: denied { write } for pid=812 comm="sss_cache" path="pipe:[18909]" dev="pipefs" ino=18909 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:system_r:cloud_init_t:s0 tclass=fifo_file permissive=0

Resolves: rhbz#2073265

Signed-off-by: lujie42
---
 policy/modules/contrib/cloudform.if | 18 ++++++++++++++++++
 policy/modules/contrib/sssd.te | 4 ++++
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/contrib/cloudform.if b/policy/modules/contrib/cloudform.if
index 55fe0d668..4a17c4872 100644
--- a/policy/modules/contrib/cloudform.if
+++ b/policy/modules/contrib/cloudform.if
@@ -41,6 +41,24 @@ interface(`cloudform_init_domtrans',`
 domtrans_pattern($1, cloud_init_exec_t, cloud_init_t)
 ')
 
+########################################
+##
+## Read and write unnamed cloud-init pipes.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`cloudform_rw_pipes',`
+ gen_require(`
+ type cloud_init_t;
+ ')
+
+ allow $1 cloud_init_t:fifo_file rw_fifo_file_perms;
+')
+
 ######################################
 ##
 ## Execute mongod in the caller domain.
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index f5c7d980d..90d04fd91 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
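Review bot: The `allow $1 cloud_init_t:fifo_file rw_fifo_file_perms;` line in the new `cloudform_rw_pipes` interface grants `open` as well, while the two denials the commit cites are `read` and `write` on unnamed pipes (`dev="pipefs"`, `path="pipe:[...]"`) that sss_cache can only have inherited as file descriptors, since an unnamed pipe has no path to open. Refpolicy's narrower set for that case is `rw_inherited_fifo_file_perms` (same as `rw_fifo_file_perms` without `open`), and interfaces granting it are conventionally named `*_rw_inherited_pipes`, so `allow $1 cloud_init_t:fifo_file rw_inherited_fifo_file_perms;` with the interface renamed `cloudform_rw_inherited_pipes` would match both the evidence and the naming convention; the caller added in the sssd.te hunk would follow the rename. If this tree's perm-set definitions do not carry `rw_inherited_fifo_file_perms`, the current set is a reasonable fallback, but the summary should then read `## Read and write inherited unnamed cloud-init pipes.` so the reviewer of the next rule knows no path-based open is intended. Either way a one-line comment above the `allow` pointing at the bug id in the description (`# sss_cache run by cloud-init inherits its stdio pipes`) would record why an sssd-to-cloud-init rule exists at all.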
@@ -185,6 +185,10 @@ optional_policy(`
 bind_read_cache(sssd_t)
 ')
 
+optional_policy(`
+ cloudform_rw_pipes(sssd_t)
+')
+
 optional_policy(`
 dbus_system_bus_client(sssd_t)
 dbus_connect_system_bus(sssd_t)
-- 
2.27.0