Project: openEuler:22.03:LTS:LoongArch
File _service:tar_scm_kernel_repo:backport-Allow-systemd-coredump-userns-capabilities-and-root-.patch of Package selinux-policy
From 4ed22744f5a99c1f2b997b915b340de7abe8d15d Mon Sep 17 00:00:00 2001 From: Zdenek Pytela <zpytela@redhat.com> Date: Thu, 13 Jan 2022 21:08:14 +0100 Subject: [PATCH] Allow systemd-coredump userns capabilities and root mounton Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/4ed22744f5a99c1f2b997b915b340de7abe8d15d Conflict: NA systemd-coredump forks a child process to perform core file analysis (comm=(sd-parse-elf)), and before doing the actual analysis, it sets up a sandbox using mount and user namespaces. Refer to https://github.com/systemd/systemd/commit/61aea456c1 for the systemd upstream change. Resolves: rhbz#2031356 Signed-off-by: lujie54 <lujie54@huawei.com> --- policy/modules/system/systemd.te | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 5a78a8c..ea2b27e 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -1040,7 +1040,7 @@ systemd_read_efivarfs(systemd_sysctl_t) # setgid setuid - to set own credentials to match the dumped process credentials # setpcap - to drop capabilities allow systemd_coredump_t self:capability { dac_read_search net_admin setgid setpcap setuid sys_ptrace }; -allow systemd_coredump_t self:cap_userns sys_ptrace; +allow systemd_coredump_t self:cap_userns { dac_read_search dac_override sys_admin sys_ptrace }; # To set its capability set allow systemd_coredump_t self:process setcap; @@ -1067,6 +1067,8 @@ domain_read_all_domains_state(systemd_coredump_t) files_read_non_security_files(systemd_coredump_t) files_map_non_security_files(systemd_coredump_t) +files_mounton_rootfs(systemd_coredump_t) + fs_getattr_nsfs_files(systemd_coredump_t) optional_policy(` -- 1.8.3.1
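Review bot: the widened self:cap_userns set { dac_read_search dac_override sys_admin sys_ptrace } carries no per-capability rationale, while the self:capability line directly above it documents each capability ("# setgid setuid - to set own credentials to match the dumped process credentials", "# setpcap - to drop capabilities"); add the same kind of comment for the new entries, e.g. "# sys_admin - to mount the sandbox inside the child's mount namespace". sys_admin and dac_override are the broad ones: sys_admin inside the user namespace is what permits the mount() calls, and dac_override extends DAC bypass to writes, beyond the read-only dac_read_search that self:capability already grants. Before merging, confirm each of the four against the AVC denials behind rhbz#2031356 so the set is no wider than the (sd-parse-elf) sandbox actually needs.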
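Review bot: files_mounton_rootfs(systemd_coredump_t) is granted to the whole systemd_coredump_t domain, although the commit message says only the forked (sd-parse-elf) child sets up the mount namespace; because the policy has no separate domain for that child, add a one-line comment above the call stating that the mounton-on-rootfs permission exists for the child's mount-namespace sandbox and that the mount is confined to that namespace, in the same style as the "# setgid setuid - ..." comments earlier in the file, so a later reader does not keep or extend it for core-file writing.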