rpms / ipa

Clone
Source Code
GIT

Blame SOURCES/0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch

c4 c5 c5-plus c6 c6-plus c7 c7-alt c7-beta c8-beta-stream-DL1 c8-beta-stream-client c8-stream-DL1 c8-stream-client c8s-stream-DL1 c8s-stream-client c9 c9-beta
  1.   1289447aeff89b346721fcfa3c2b311ff624c847
  2.   SOURCES
  3.   0005-selinux-don-t-audit-rules-deny-fetching-trust-topology_rhbz#1845596.patch
Blob History Raw
2ff659 
From 42dd1628a1211363c860917e474ecc5b9c1fdb84 Mon Sep 17 00:00:00 2001
2ff659 
From: Alexander Bokovoy <abokovoy@redhat.com>
2ff659 
Date: Thu, 2 Jul 2020 15:50:00 +0300
2ff659 
Subject: [PATCH] selinux: allow oddjobd to set up ipa_helper_t context for
2ff659 
 execution
2ff659
2ff659 
On Fedora 32+ and RHEL 8.3.0+ execution of ipa_helper_t context requires
2ff659 
SELinux policy permission to use 'noatsecure'. This comes most likely
2ff659 
from execve() setup by glibc.
2ff659
2ff659 
Add SELinux interface ipa_helper_noatsecure() that can be called by
2ff659 
oddjob's SELinux policy definition.
2ff659
2ff659 
In addition, if ipa_helper_t runs ipa-getkeytab, libkrb5 will attempt to
2ff659 
access SELinux configuration and produce AVC for that. Allow reading
2ff659 
general userspace SELinux configuration.
2ff659
2ff659 
Fixes: https://pagure.io/freeipa/issue/8395
2ff659 
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2ff659 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2ff659 
---
2ff659 
 selinux/ipa.if | 18 ++++++++++++++++++
2ff659 
 selinux/ipa.te |  1 +
2ff659 
 2 files changed, 19 insertions(+)
2ff659
2ff659 
diff --git a/selinux/ipa.if b/selinux/ipa.if
2ff659 
index ea971b8fa..783db8b78 100644
2ff659 
--- a/selinux/ipa.if
2ff659 
+++ b/selinux/ipa.if
2ff659 
@@ -419,3 +419,21 @@ ifndef(`dirsrv_systemctl',`
2ff659 
         ps_process_pattern($1, dirsrv_t)
2ff659 
     ')
2ff659 
 ')
2ff659 
+
2ff659 
+
2ff659 
+########################################
2ff659 
+## <summary>
2ff659 
+##	Allow ipa_helper noatsecure
2ff659 
+## </summary>
2ff659 
+## <param name="domain">
2ff659 
+##	<summary>
2ff659 
+##	Domain allowed access.
2ff659 
+##	</summary>
2ff659 
+## </param>
2ff659 
+#
2ff659 
+interface(`ipa_helper_noatsecure',`
2ff659 
+    gen_require(`
2ff659 
+	type ipa_helper_t;
2ff659 
+    ')
2ff659 
+    allow $1 ipa_helper_t:process { noatsecure };
2ff659 
+')
2ff659 
diff --git a/selinux/ipa.te b/selinux/ipa.te
2ff659 
index 587e5e585..383979094 100644
2ff659 
--- a/selinux/ipa.te
2ff659 
+++ b/selinux/ipa.te
2ff659 
@@ -115,6 +115,7 @@ optional_policy(`
2ff659
2ff659
2ff659 
 allow ipa_helper_t self:capability { net_admin dac_read_search dac_override chown };
2ff659 
+seutil_read_config(ipa_helper_t);
2ff659
2ff659 
 #kernel bug
2ff659 
 dontaudit ipa_helper_t self:capability2  block_suspend;
2ff659 
--
2ff659 
2.26.2
2ff659
2ff659 
From 0d70addbbf2a99e7398a518bc98d5fe109469bb5 Mon Sep 17 00:00:00 2001
2ff659 
From: Alexander Bokovoy <abokovoy@redhat.com>
2ff659 
Date: Fri, 3 Jul 2020 17:20:49 +0300
2ff659 
Subject: [PATCH] selinux: support running ipa-custodia with PrivateTmp=yes
2ff659
2ff659 
Related: https://pagure.io/freeipa/issue/8395
2ff659 
Signed-off-by: Alexander Bokovoy <abokovoy@redhat.com>
2ff659 
Reviewed-By: Christian Heimes <cheimes@redhat.com>
2ff659 
---
2ff659 
 selinux/ipa.te | 4 ++++
2ff659 
 1 file changed, 4 insertions(+)
2ff659
2ff659 
diff --git a/selinux/ipa.te b/selinux/ipa.te
2ff659 
index 383979094..a3381217a 100644
2ff659 
--- a/selinux/ipa.te
2ff659 
+++ b/selinux/ipa.te
2ff659 
@@ -390,3 +390,7 @@ optional_policy(`
2ff659 
 	sssd_search_lib(ipa_custodia_t)
2ff659 
 	sssd_stream_connect(ipa_custodia_t)
2ff659 
 ')
2ff659 
+
2ff659 
+optional_policy(`
2ff659 
+       systemd_private_tmp(ipa_custodia_tmp_t)
2ff659 
+')
2ff659 
--
2ff659 
2.26.2
2ff659

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation