Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch | 71 |
1 files changed, 0 insertions, 71 deletions
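--- a/recipes-security/refpolicy/refpolicy/0037-policy-modules-admin-usermanage-allow-useradd-to-rel.patch
+++ /dev/null
@@ -1,71 +0,0 @@
-From 07866ad826b299194c1bfd7978e5077dde72a68e Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Mon, 11 Oct 2021 10:10:10 +0800
-Subject: [PATCH] policy/modules/admin/usermanage: allow useradd to relabel
-user home files
-
-Fixes:
-avc: denied { relabelfrom } for pid=491 comm="useradd" name=".bashrc"
-dev="vda" ino=12641 scontext=root:sysadm_r:useradd_t
-tcontext=user_u:object_r:user_home_t tclass=file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/admin/usermanage.te | 2 ++
-policy/modules/system/userdomain.if | 18 ++++++++++++++++++
-2 files changed, 20 insertions(+)
-
-diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
-index 98646b4b4..50c479498 100644
---- a/policy/modules/admin/usermanage.te
-+++ b/policy/modules/admin/usermanage.te
-@@ -496,6 +496,7 @@ files_read_etc_runtime_files(useradd_t)
-
-fs_search_auto_mountpoints(useradd_t)
-fs_getattr_xattr_fs(useradd_t)
-+fs_search_tmpfs(useradd_t)
-
-mls_file_upgrade(useradd_t)
-
-@@ -541,6 +542,7 @@ userdom_home_filetrans_user_home_dir(useradd_t)
-userdom_manage_user_home_content_dirs(useradd_t)
-userdom_manage_user_home_content_files(useradd_t)
-userdom_user_home_dir_filetrans_user_home_content(useradd_t, notdevfile_class_set)
-+userdom_relabel_user_home_content_files(useradd_t)
-
-optional_policy(`
-mta_manage_spool(useradd_t)
-diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
-index 22b3c1bf7..ec625170d 100644
---- a/policy/modules/system/userdomain.if
-+++ b/policy/modules/system/userdomain.if
-@@ -2362,6 +2362,24 @@ interface(`userdom_dontaudit_relabel_user_home_content_files',`
-dontaudit $1 user_home_t:file relabel_file_perms;
-')
-
-+########################################
-+## <summary>
-+## Relabel user home files.
-+## </summary>
-+## <param name="domain">
-+## <summary>
-+## Domain allowed access.
-+## </summary>
-+## </param>
-+#
-+interface(`userdom_relabel_user_home_content_files',`
-+ gen_require(`
-+ type user_home_t;
-+ ')
-+
-+ allow $1 user_home_t:file relabel_file_perms;
-+')
-+
-########################################
-## <summary>
-## Read user home subdirectory symbolic links.
---
-2.17.1
-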