From 1c0959233b2d061dffb8e6d34b4f49d664d68af9 Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Fri, 9 Sep 2022 17:38:35 +0200 Subject: [PATCH] Allow utempter append to login_userdomain stream Addresses the following AVC denial: type=PROCTITLE msg=audit(23.8.2022 11:20:02.949:5147) : proctitle=/usr/libexec/utempter/utempter add :0 type=PATH msg=audit(23.8.2022 11:20:02.949:5147) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=33828998 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=PATH msg=audit(23.8.2022 11:20:02.949:5147) : item=0 name=/usr/libexec/utempter/utempter inode=35940312 dev=fd:00 mode=file,sgid,711 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:utempter_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=EXECVE msg=audit(23.8.2022 11:20:02.949:5147) : argc=3 a0=/usr/libexec/utempter/utempter a1=add a2=:0 type=SYSCALL msg=audit(23.8.2022 11:20:02.949:5147) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x559ff13c4220 a1=0x559ff13c5170 a2=0x7ffc47314488 a3=0x8 items=2 ppid=544463 pid=544464 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=utmp sgid=utmp fsgid=utmp tty=pts17 ses=3 comm=utempter exe=/usr/libexec/utempter/utempter subj=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(23.8.2022 11:20:02.949:5147) : avc: denied { append } for pid=544464 comm=utempter path=socket:[935095] dev="sockfs" ino=935095 scontext=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1 Signed-off-by: lujie42 --- policy/modules/system/authlogin.te | 1 + policy/modules/system/userdomain.if | 18 ++++++++++++++++++ 2 files changed, 19 insertions(+) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 1885fa699..feabf67ab 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -423,6 +423,7 @@ domain_use_interactive_fds(utempter_t) logging_search_logs(utempter_t) +userdom_append_stream_userdomain(utempter_t) userdom_use_inherited_user_terminals(utempter_t) # Allow utemper to write to /tmp/.xses-* userdom_write_user_tmp_files(utempter_t) diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index e14a3c58f..43192ae29 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -6637,6 +6637,24 @@ interface(`userdom_login_userdomain',` typeattribute $1 login_userdomain; ') +######################################## +## +## Append to login_userdomain stream. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_append_stream_userdomain',` + gen_require(` + attribute login_userdomain; + ') + + allow $1 login_userdomain:unix_stream_socket { getattr append }; +') + ######################################## ## ## Do not audit attempts to check the -- 2.27.0