From e4184b665f1ca1f86fb7554095a73a71ad4a46ef Mon Sep 17 00:00:00 2001
From: guoxiaoqi <guoxiaoqi2@huawei.com>
Date: Tue, 25 Feb 2020 18:30:13 +0800
Subject: [PATCH] add allow to be access to sssd dir and file
Signed-off-by: guoxiaoqi <guoxiaoqi2@huawei.com>
---
policy/modules/admin/usermanage.te | 8 +++++
policy/modules/contrib/sssd.if | 72 ++++++++++++++++++++++++++++++++++++++
2 files changed, 80 insertions(+)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
|
|
index 43fed66..c8580a7 100644
|
|
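--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -663,3 +663,11 @@ optional_policy(`
 optional_policy(`
 stapserver_manage_lib(useradd_t)
 ')
+# avc for openEuler
+#sssd_var_lib_dir(groupadd_t)
+optional_policy(`
+ sssd_var_lib_map_file(groupadd_t)
+ sssd_var_lib_write_file(groupadd_t)
+ sssd_var_lib_map_file(useradd_t)
+ sssd_var_lib_write_file(useradd_t)
+')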
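Review bot: The only rationale given for the new `optional_policy` block is `# avc for openEuler`, yet it lets both `useradd_t` and `groupadd_t` write to and map any file labelled `sssd_var_lib_t`, which presumably covers SSSD's state under its lib directory rather than a single cache file. State the denial being fixed in the comment, for example `# useradd/groupadd are denied write/map on sssd_var_lib_t files when <operation>; see <AVC record or issue id>`, so a reviewer can judge whether a narrower grant would do. The commented-out `#sssd_var_lib_dir(groupadd_t)` should be removed, or enabled with a stated reason, rather than left as dead policy. `write` is granted without `open`, so the rule seems to rely on an inherited descriptor or on an open permission granted elsewhere, which is worth confirming.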
diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if
|
|
index 50eee3f..1b61ccd 100644
|
|
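--- a/policy/modules/contrib/sssd.if
+++ b/policy/modules/contrib/sssd.if
@@ -576,3 +576,75 @@ interface(`sssd_admin',`
 allow $1 sssd_unit_file_t:service all_service_perms;
 
 ')
+
+########################################
+## <summary>
+## Allow to be access to sssd lib dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`sssd_var_lib_dir',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:dir { add_name write };
+')
+
+########################################
+## <summary>
+## Allow to map sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`sssd_var_lib_map_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file map;
+')
+
+########################################
+## <summary>
+## Allow to write sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`sssd_var_lib_write_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file write;
+')
+
+########################################
+## <summary>
+## Allow to create sssd lib files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to allow.
+## </summary>
+## </param>
+#
+interface(`sssd_var_lib_create_file',`
+gen_require(`
+type sssd_var_lib_t;
+')
+
+allow $1 sssd_var_lib_t:file create;
+')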
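Review bot: `sssd_var_lib_dir` and `sssd_var_lib_create_file` have no caller in this patch, since the only use of `sssd_var_lib_dir` in usermanage.te is commented out. They therefore add a directory `{ add_name write }` grant and a file `create` grant that nothing needs yet, and are better left out until a recorded denial requires them. The summaries should state the permission granted: `Allow to be access to sssd lib dir.` would read better as `Add entries to sssd lib directories.` The new names put the verb last (`sssd_var_lib_write_file`), unlike the verb-first `sssd_admin` and `stapserver_manage_lib` visible in this patch, so a name such as `sssd_write_lib_files` would match the surrounding convention.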
--
1.8.3.1