File _service:tar_scm_kernel_repo:backport-Allow-sysadm_passwd_t-to-relabel-passwd-and-group-fi.patch of Package selinux-policy
From 369f900039cff9443e86fdf7254ba8b11dc6adb5 Mon Sep 17 00:00:00 2001 From: Patrik Koncity <pkoncity@redhat.com> Date: Thu, 10 Feb 2022 11:46:13 +0100 Subject: [PATCH] Allow sysadm_passwd_t to relabel passwd and group files Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/369f900039cff9443e86fdf7254ba8b11dc6adb5 Conflict: NA Vigr mechanism of editing group and passwd files work on principle of recreating the current file with new changes. Due to this mechanism is need to again relabel file with selinux label. Creating interface allowing relabel to the passwd_file_t type. Allow relabeling for sysadm_passwd_t domain. Allow dac_override permission for sysadm_passwd_t type. Signed-off-by: lujie54 <lujie54@huawei.com> --- policy/modules/admin/usermanage.te | 3 ++- policy/modules/system/authlogin.if | 20 ++++++++++++++++++++ 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te index 8fdbfbc..155fb68 100644 --- a/policy/modules/admin/usermanage.te +++ b/policy/modules/admin/usermanage.te @@ -433,7 +433,7 @@ optional_policy(` # Password admin local policy # -allow sysadm_passwd_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource }; +allow sysadm_passwd_t self:capability { chown dac_override dac_read_search fsetid setuid setgid sys_resource }; allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; allow sysadm_passwd_t self:process { setrlimit setfscreate }; allow sysadm_passwd_t self:fd use; @@ -478,6 +478,7 @@ term_getattr_all_ptys(sysadm_passwd_t) auth_manage_passwd(sysadm_passwd_t) auth_manage_shadow(sysadm_passwd_t) auth_relabel_shadow(sysadm_passwd_t) +auth_relabelto_passwd_files(sysadm_passwd_t) auth_etc_filetrans_shadow(sysadm_passwd_t) auth_use_nsswitch(sysadm_passwd_t) diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if index ad55205..b5b3702 100644 
--- a/policy/modules/system/authlogin.if +++ b/policy/modules/system/authlogin.if @@ -851,6 +851,26 @@ interface(`auth_relabel_shadow',` ####################################### ## <summary> +## Relabel to the +## password file type. +## </summary> +## <param name="domain"> +## <summary> +## Domain allowed access. +## </summary> +## </param> +# +interface(`auth_relabelto_passwd_files',` + gen_require(` + type passwd_file_t; + ') + + files_search_etc($1) + allow $1 passwd_file_t:file relabelto; +') + +####################################### +## <summary> ## Append to the login failure log. ## </summary> ## <param name="domain"> -- 1.8.3.1
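Review bot: In the first usermanage.te hunk (@@ -433), dac_override is added to the sysadm_passwd_t capability set without a stated reason. The commit message motivates the relabel permission with the vigr recreate-the-file behaviour, but only lists dac_override as a change. dac_override lets the domain bypass discretionary read, write and execute permission checks on files, which is considerably broader than the dac_read_search already in the set. Please add the AVC denial that required it and name the file whose ownership or mode triggers it, or drop the capability if correcting that file's DAC permissions removes the need.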
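Review bot: In the second usermanage.te hunk (@@ -478), auth_relabelto_passwd_files(sysadm_passwd_t) grants only the target half of a relabel. SELinux also checks relabelfrom on the type the recreated file carries before the relabel, and nothing in the visible lines grants that to sysadm_passwd_t. Please confirm it is covered elsewhere in the policy and say so in the commit message. An alternative worth considering is a file type transition, in the style that the auth_etc_filetrans_shadow(sysadm_passwd_t) call in the context lines suggests for shadow, so that the recreated file receives passwd_file_t at creation and no relabel permission is needed.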
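Review bot: In the authlogin.if hunk, the summary for auth_relabelto_passwd_files reads "Relabel to the password file type", which does not tell a caller that the interface grants relabelto only (no relabelfrom) and only for the file class on passwd_file_t. The commit message speaks of both passwd and group files, while the summary mentions only the password file, so it is unclear from the documentation that one type is meant to cover both. Suggest wording along the lines of "Allow the specified domain to relabel regular files to passwd_file_t (relabelto only)" and noting in the summary which files carry that type.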