packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch

173 lines
5.2 KiB
Diff
Raw Blame History

From 6956435a4e3cc5a6f0d311f80b31abddd83d9ae5 Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Mon, 27 Jun 2022 20:37:44 +0800
Subject: [PATCH] Allow domain transition to sssd_t and role access to sssd
When installing some rpm packages, new users or
groups are added to the system using
the groupadd and useradd tools. Then the sss_cache
file with the bin_t label is run and on this file
groupadd and useradd want to setgid and this
trigger SELinux denials. Label the sss_cache binary
as sssd_exec_t and enabling the transition from
groupadd_t and useradd_t to sssd_t. Sssd policy
allowed setgid on this binary.
Reference:https://github.com/fedora-selinux/selinux-policy/commit/bcc321f1719d252b205edf89f82f578c1c309eb0
Conflict: NA
After previous fix in bugzilla arise a SELinux
error with role. Processes running under
unconfined_r do not have access to sssd_t.
Allow domain transition from rpm_script_t to
sssd_t and allow the rpm_script_roles in the
sssd domain.
Reference:https://github.com/fedora-selinux/selinux-policy/commit/25bdcfdf5821ddba2c47fc4306bc43debc4c0f75
Conflict: NA
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690
sssd_run_sssd interface allow execute sssd in the
sssd domain, and allow the specified role
the sssd domain.
Reference:https://github.com/fedora-selinux/selinux-policy/commit/d7ef9cf83cb50b4349cb8277c2cd126c17dc629a
Conflict: NA
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/admin/usermanage.te | 18 ++++++++++--------
policy/modules/contrib/rpm.te | 4 ++++
policy/modules/contrib/sssd.fc | 1 +
policy/modules/contrib/sssd.if | 27 +++++++++++++++++++++++++++
policy/modules/contrib/sssd.te | 3 +++
5 files changed, 45 insertions(+), 8 deletions(-)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 5a857e0..b945e3c 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -300,10 +300,11 @@ optional_policy(`
')
optional_policy(`
- sssd_manage_lib_files(groupadd_t)
- sssd_manage_public_files(groupadd_t)
- sssd_read_pid_files(groupadd_t)
- sssd_signal(groupadd_t)
+ sssd_domtrans(groupadd_t)
+ sssd_manage_lib_files(groupadd_t)
+ sssd_manage_public_files(groupadd_t)
+ sssd_read_pid_files(groupadd_t)
+ sssd_signal(groupadd_t)
')
optional_policy(`
@@ -679,10 +680,11 @@ optional_policy(`
')
optional_policy(`
- sssd_manage_lib_files(useradd_t)
- sssd_manage_public_files(useradd_t)
- sssd_read_pid_files(useradd_t)
- sssd_signal(useradd_t)
+ sssd_domtrans(useradd_t)
+ sssd_manage_lib_files(useradd_t)
+ sssd_manage_public_files(useradd_t)
+ sssd_read_pid_files(useradd_t)
+ sssd_signal(useradd_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te
index 9d2f4e6..3f6de12 100644
--- a/policy/modules/contrib/rpm.te
+++ b/policy/modules/contrib/rpm.te
@@ -481,6 +481,10 @@ optional_policy(`
')
optional_policy(`
+ sssd_run_sssd(rpm_script_t, rpm_script_roles)
+')
+
+optional_policy(`
tzdata_domtrans(rpm_t)
tzdata_run(rpm_script_t, rpm_script_roles)
')
diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc
index 2655c75..f51950d 100644
--- a/policy/modules/contrib/sssd.fc
+++ b/policy/modules/contrib/sssd.fc
@@ -3,6 +3,7 @@
/etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0)
/usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0)
+/usr/sbin/sss_cache -- gen_context(system_u:object_r:sssd_exec_t,s0)
/usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0)
/usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0)
/usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0)
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
index e1ff0d7..6debe08 100644
--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -429,6 +429,33 @@ interface(`sssd_dontaudit_stream_connect',`
########################################
## <summary>
+## Execute sssd in the sssd domain, and
+## allow the specified role the sssd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`sssd_run_sssd',`
+ gen_require(`
+ type sssd_t;
+ attribute_role sssd_roles;
+ ')
+
+ sssd_domtrans($1)
+ roleattribute $2 sssd_roles;
+')
+
+########################################
+## <summary>
## Connect to sssd over a unix stream socket in /var/run.
## </summary>
## <param name="domain">
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index b510dca..f64472c 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -5,6 +5,8 @@ policy_module(sssd, 1.2.0)
# Declarations
#
+attribute_role sssd_roles;
+
## <desc>
## <p>
## Allow sssd read, view, and write access to kernel keys with kernel_t type
@@ -22,6 +24,7 @@ gen_tunable(sssd_connect_all_unreserved_ports, false)
type sssd_t;
type sssd_exec_t;
init_daemon_domain(sssd_t, sssd_exec_t)
+role sssd_roles types sssd_t;
type sssd_initrc_exec_t;
init_script_file(sssd_initrc_exec_t)
--
1.8.3.1
Reference in New Issue View Git Blame Copy Permalink