From 369f900039cff9443e86fdf7254ba8b11dc6adb5 Mon Sep 17 00:00:00 2001
|
|
From: Patrik Koncity <pkoncity@redhat.com>
|
|
Date: Thu, 10 Feb 2022 11:46:13 +0100
|
|
Subject: [PATCH] Allow sysadm_passwd_t to relabel passwd and group files
|
|
|
|
Reference: https://github.com/fedora-selinux/selinux-policy/commit/369f900039cff9443e86fdf7254ba8b11dc6adb5
|
|
Conflict: NA
|
|
|
|
Vigr mechanism of editing group and passwd
|
|
files work on principle of recreating the current
|
|
file with new changes. Due to this mechanism is
|
|
need to again relabel file with selinux label.
|
|
Creating interface allowing relabel to the passwd_file_t
|
|
type. Allow relabeling for sysadm_passwd_t domain.
|
|
Allow dac_override permission for sysadm_passwd_t type.
|
|
|
|
Signed-off-by: lujie54 <lujie54@huawei.com>
|
|
---
|
|
policy/modules/admin/usermanage.te | 3 ++-
|
|
policy/modules/system/authlogin.if | 20 ++++++++++++++++++++
|
|
2 files changed, 22 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
|
index 8fdbfbc..155fb68 100644
|
|
--- a/policy/modules/admin/usermanage.te
|
|
+++ b/policy/modules/admin/usermanage.te
|
|
@@ -433,7 +433,7 @@ optional_policy(`
|
|
# Password admin local policy
|
|
#
|
|
|
|
-allow sysadm_passwd_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource };
|
|
+allow sysadm_passwd_t self:capability { chown dac_override dac_read_search fsetid setuid setgid sys_resource };
|
|
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
|
|
allow sysadm_passwd_t self:process { setrlimit setfscreate };
|
|
allow sysadm_passwd_t self:fd use;
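Review bot: The added `dac_override` in the capability set is the broadest DAC bypass SELinux can grant, and neither the rule nor the commit message says which access fails without it. `dac_read_search` was already present and covers reading and directory traversal, so `dac_override` is only needed for a write (or other non-read access) to a file whose DAC bits deny it even to root — presumably the mode-0000 shadow-type files vigr rewrites, but that is not visible in this hunk and should be confirmed against the actual AVC denial. Record the trigger next to the rule so the capability can be revisited rather than accumulating silently, e.g. `# dac_override: vigr/vipw rewrite shadow files that DAC denies even to uid 0 (confirm against the denial)`. The sysadm_passwd_t policy section this line belongs to continues past the end of the hunk.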
|
|
@@ -478,6 +478,7 @@ term_getattr_all_ptys(sysadm_passwd_t)
|
|
auth_manage_passwd(sysadm_passwd_t)
|
|
auth_manage_shadow(sysadm_passwd_t)
|
|
auth_relabel_shadow(sysadm_passwd_t)
|
|
+auth_relabelto_passwd_files(sysadm_passwd_t)
|
|
auth_etc_filetrans_shadow(sysadm_passwd_t)
|
|
auth_use_nsswitch(sysadm_passwd_t)
|
|
|
|
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
|
|
index ad55205..b5b3702 100644
|
|
--- a/policy/modules/system/authlogin.if
|
|
+++ b/policy/modules/system/authlogin.if
|
|
@@ -851,6 +851,26 @@ interface(`auth_relabel_shadow',`
|
|
|
|
#######################################
|
|
## <summary>
|
|
+## Relabel to the
|
|
+## password file type.
|
|
+## </summary>
|
|
+## <param name="domain">
|
|
+## <summary>
|
|
+## Domain allowed access.
|
|
+## </summary>
|
|
+## </param>
|
|
+#
|
|
+interface(`auth_relabelto_passwd_files',`
|
|
+ gen_require(`
|
|
+ type passwd_file_t;
|
|
+ ')
|
|
+
|
|
+ files_search_etc($1)
|
|
+ allow $1 passwd_file_t:file relabelto;
|
|
+')
|
|
+
|
|
+#######################################
|
|
+## <summary>
|
|
## Append to the login failure log.
|
|
## </summary>
|
|
## <param name="domain">
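Review bot: The summary of the new `auth_relabelto_passwd_files` interface does not tell a policy author what it deliberately leaves out, which matters for an interface that is named in the plural but grants a single permission on a single object class. The rule grants `relabelto` on `passwd_file_t:file` only — no `relabelfrom`, no `dir` or `lnk_file` class — so a caller still needs `relabelfrom` on the file's current type, and that asymmetry is the least-privilege property worth stating. Suggested summary text: `Relabel regular files to the password file type (passwd_file_t). Grants relabelto only; the caller must separately hold relabelfrom on the file's current type. Intended for tools that recreate /etc/passwd or /etc/group (vipw/vigr).` It may also help to note in the interface comment that this is intentionally narrower than auth_relabel_shadow, whose body is outside this hunk.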
|
|
--
|
|
1.8.3.1
|
|
|