36 lines
1.0 KiB
Diff
36 lines
1.0 KiB
Diff
From 3b826a9f34d86388fde3a07a9dcfeccdc762bafe Mon Sep 17 00:00:00 2001
|
|
From: Zdenek Pytela <zpytela@redhat.com>
|
|
Date: Mon, 20 Dec 2021 11:47:29 +0100
|
|
Subject: [PATCH] Allow sudodomains execute passwd in the passwd domain
|
|
|
|
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/3b826a9f34d86388fde3a07a9dcfeccdc762bafe
|
|
Conflict: NA
|
|
|
|
When an unprivileged user in the sysadm_r role executes passwd
|
|
through sudo, it transitions into sysadm_sudo_t domain by default.
|
|
With this commit, the process transitions back to sysadm_t.
|
|
|
|
Resolves: rhbz#1943572
|
|
Signed-off-by: lujie54 <lujie54@huawei.com>
|
|
---
|
|
policy/modules/admin/sudo.if | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
|
|
index e79eef7..356b150 100644
|
|
--- a/policy/modules/admin/sudo.if
|
|
+++ b/policy/modules/admin/sudo.if
|
|
@@ -98,6 +98,9 @@ template(`sudo_role_template',`
|
|
kerberos_read_config($1_sudo_t)
|
|
')
|
|
|
|
+ optional_policy(`
|
|
+ usermanage_domtrans_passwd($1_sudo_t)
|
|
+ ')
|
|
')
|
|
|
|
########################################
|
|
--
|
|
1.8.3.1
|
|
|