selinux-policy/backport-Allow-rpcd_lsad-setcap-and-use-generic-ptys.patch
2023-08-24 11:33:18 +08:00


From e1fe6ba8a75ff66e506e7d80b4d8ccb8f899ec39 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Wed, 24 May 2023 16:39:11 +0200
Subject: [PATCH] Allow rpcd_lsad setcap and use generic ptys
Allow /usr/libexec/samba/rpcd_lsad running in the winbind_rpcd_t domain
the setcap permission to use capset(2) and use generic ptys when a request
to change a password is made. Note winbind_rpcd_t is not in the daemon
attribute, which is subject to the daemons_use_tty boolean.
The commit addresses the following AVC denials:
type=PROCTITLE msg=audit(05/23/2023 15:45:49.588:911) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=0 --debuglevel=0
type=PATH msg=audit(05/23/2023 15:45:49.588:911) : item=0 name=/dev/pts/2 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(05/23/2023 15:45:49.588:911) : arch=x86_64 syscall=stat success=no exit=EACCES(Permission denied) a0=0x7ffce321e8c0 a1=0x7ffce321e830 a2=0x7ffce321e830 a3=0x0 items=1 ppid=129672 pid=129682 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(05/23/2023 15:45:49.588:911) : avc: denied { search } for pid=129682 comm=rpcd_lsad name=/ dev="devpts" ino=1 scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:object_r:devpts_t:s0 tclass=dir permissive=0
type=PROCTITLE msg=audit(05/24/2023 03:08:08.440:1130) : proctitle=/usr/libexec/samba/rpcd_lsad --configfile=/etc/samba/smb.conf --worker-group=2 --worker-index=0 --debuglevel=0
type=SYSCALL msg=audit(05/24/2023 03:08:08.440:1130) : arch=x86_64 syscall=capset success=no exit=EACCES(Permission denied) a0=0x561752d238b4 a1=0x561752d238bc a2=0x561752d238bc a3=0x7ffd6edcd904 items=0 ppid=164904 pid=164906 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpcd_lsad exe=/usr/libexec/samba/rpcd_lsad subj=system_u:system_r:winbind_rpcd_t:s0 key=(null)
type=AVC msg=audit(05/24/2023 03:08:08.440:1130) : avc: denied { setcap } for pid=164906 comm=rpcd_lsad scontext=system_u:system_r:winbind_rpcd_t:s0 tcontext=system_u:system_r:winbind_rpcd_t:s0 tclass=process permissive=0
Resolves: rhbz#2107106
---
policy/modules/contrib/samba.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/contrib/samba.te b/policy/modules/contrib/samba.te
index 9847d3da29..1a90ca864f 100644
--- a/policy/modules/contrib/samba.te
+++ b/policy/modules/contrib/samba.te
@@ -1173,6 +1173,7 @@ optional_policy(`
allow winbind_rpcd_t self:capability { setgid setuid };
allow winbind_rpcd_t self:key { read write };
allow winbind_rpcd_t self:netlink_route_socket create_netlink_socket_perms;
+allow winbind_rpcd_t self:process setcap;
allow winbind_rpcd_t self:unix_dgram_socket { create_socket_perms sendto };
allow winbind_rpcd_t self:unix_stream_socket connectto;
allow winbind_rpcd_t self:udp_socket create_socket_perms;
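Review bot: The added `allow winbind_rpcd_t self:process setcap;` carries no comment giving its reason, and as a domain-wide rule it covers anything else that runs in winbind_rpcd_t, while the AVC records name only rpcd_lsad. A comment above the rule, for example `# rpcd_lsad calls capset(2) while handling a password change request (rhbz#2107106)`, would let a later policy audit judge whether the grant is still needed. The capabilities the domain can actually exercise stay limited by its `self:capability` rules, one of which (`{ setgid setuid }`) is visible in the context lines. Any others lie outside this hunk, so the effective set should be checked there.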
@@ -1268,6 +1269,10 @@ optional_policy(`
systemd_userdbd_stream_connect(winbind_rpcd_t)
')
+optional_policy(`
+ term_use_generic_ptys(winbind_rpcd_t)
+')
+
optional_policy(`
unconfined_dgram_send(winbind_rpcd_t)
')
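Review bot: `term_use_generic_ptys(winbind_rpcd_t)` appears to grant more than the quoted denial demonstrates: the logged AVC is only `search` on the `devpts_t` directory during a `stat` of /dev/pts/2, whereas this interface, going by its name and usual definition, allows read/write use of generic pty devices. It is worth confirming from a permissive-mode audit log that rpcd_lsad really reads or writes the pty. If it only stats the path, a narrower grant such as `term_search_ptys(winbind_rpcd_t)`, possibly with `term_getattr_generic_ptys(winbind_rpcd_t)`, would keep this root-running domain away from other sessions' terminals. The `optional_policy` wrapper also looks unnecessary if the terminal module is part of the base policy, since the neighbouring blocks seem to wrap interfaces of optional modules. Either way, a one-line comment referencing rhbz#2107106 would document why a non-daemon-attribute domain needs tty access.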