packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-systemd-userdbd-the-sys_resource-capability.patch
qsw33 703c655d68 merge patch
2023-08-24 11:33:18 +08:00

59 lines
3.6 KiB
Diff
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

From a266ee5b8b29d8f64a51cc408d558ae92c5e86ee Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 4 Jan 2023 14:16:56 +0100
Subject: [PATCH] Allow systemd-userdbd the sys_resource capability
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This permission is required for the process be able to set its
arg start and end address, refer to prctl(2):
PR_SET_MM (since Linux 3.3)
Modify certain kernel memory map descriptor fields of the calling
process. Usually these fields are set by the kernel and dynamic loader
(see ld.so(8) for more information) and a regular application should not
use this feature. However, there are cases, such as self-modifying pro
grams, where a program might find it useful to change its own memory
map.
The calling process must have the CAP_SYS_RESOURCE capability. The
value in arg2 is one of the options below, while arg3 provides a new
value for the option. The arg4 and arg5 arguments must be zero if un
used.
PR_SET_MM_ARG_START
Set the address above which the program command line is placed.
PR_SET_MM_ARG_END
Set the address below which the program command line is placed.
Addresses the following AVC denials:
type=PROCTITLE msg=audit(01/04/2023 06:21:21.285:112) : proctitle=(sd-worker)
type=SYSCALL msg=audit(01/04/2023 06:21:21.285:112) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x8 a2=0x7fa791901000 a3=0x0 items=0 ppid=1367 pid=1384 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=(sd-worker) exe=/usr/lib/systemd/systemd-userdbd subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
type=AVC msg=audit(01/04/2023 06:21:21.285:112) : avc: denied { sys_resource } for pid=1384 comm=(sd-worker) capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1
type=PROCTITLE msg=audit(01/04/2023 06:21:23.761:156) : proctitle=systemd-userwork: processing...
type=SYSCALL msg=audit(01/04/2023 06:21:23.761:156) : arch=x86_64 syscall=prctl success=yes exit=0 a0=PR_SET_MM a1=0x9 a2=0x7fcc48186020 a3=0x0 items=0 ppid=1367 pid=1385 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-userwor exe=/usr/lib/systemd/systemd-userwork subj=system_u:system_r:systemd_userdbd_t:s0 key=(null)
type=AVC msg=audit(01/04/2023 06:21:23.761:156) : avc: denied { sys_resource } for pid=1385 comm=systemd-userwor capability=sys_resource scontext=system_u:system_r:systemd_userdbd_t:s0 tcontext=system_u:system_r:systemd_userdbd_t:s0 tclass=capability permissive=1
Resolves: rhbz#2166509
---
policy/modules/system/systemd.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 10b1b2d9b2..7c625074c4 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -1461,7 +1461,7 @@ optional_policy(`
#
# systemd_userdbd local policy
#
-allow systemd_userdbd_t self:capability dac_read_search;
+allow systemd_userdbd_t self:capability { dac_read_search sys_resource };
manage_dirs_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
manage_files_pattern(systemd_userdbd_t, systemd_userdbd_runtime_t, systemd_userdbd_runtime_t)
Reference in New Issue View Git Blame Copy Permalink