Add missing policies under different admin roles #854

Open
wants to merge 4 commits into
base: main
2 changes: 1 addition & 1 deletion policy/modules/admin/usermanage.te
Expand Up @@ -303,7 +303,7 @@ optional_policy(`
# Passwd local policy
#

allow passwd_t self:capability { chown dac_override fsetid setgid setuid sys_nice sys_resource };
allow passwd_t self:capability { chown dac_override dac_read_search fsetid setgid setuid sys_nice sys_resource };
dontaudit passwd_t self:capability sys_tty_config;
allow passwd_t self:process { dyntransition getattr getcap getpgid getrlimit getsched getsession noatsecure rlimitinh setcap setfscreate setkeycreate setpgid setrlimit setsched setsockcreate share siginh signal_perms transition };
allow passwd_t self:fd use;
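Review bot: The new `dac_read_search` on the passwd_t capability line grants no access that the existing `dac_override` did not already allow, so the rule needs a comment explaining why it is there; otherwise a later cleanup will drop it as redundant and the original denial comes back. As far as I know the kernel's permission check tries CAP_DAC_READ_SEARCH before falling back to CAP_DAC_OVERRIDE for read/search access, which is why a domain holding only dac_override still produces a dac_read_search AVC denial — confirm this against the audit record that motivated the change. I would put `# dac_read_search: kernel checks it before dac_override on read/search, so grant both to avoid spurious denials` above the line. The PR description should also carry that audit record, since the diff itself cannot show what failed.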
2 changes: 1 addition & 1 deletion policy/modules/system/authlogin.te
Expand Up @@ -109,7 +109,7 @@ optional_policy(`
# Check password local policy
#

allow chkpwd_t self:capability { dac_override setuid };
allow chkpwd_t self:capability { dac_override dac_read_search setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
allow chkpwd_t self:process { getattr signal };
dontaudit chkpwd_t self:process getcap;
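Review bot: For chkpwd_t this looks like a chance to tighten rather than widen: if unix_chkpwd only reads the shadow database, `dac_read_search` by itself is enough to bypass the read-permission check on /etc/shadow, and `dac_override` (which additionally bypasses write and execute checks) could be dropped instead of being kept next to the new capability. Whether chkpwd_t ever writes through a DAC denial is not visible in this hunk — I believe the write-side helper unix_update lives in a separate domain in refpolicy — so I would try `allow chkpwd_t self:capability { dac_read_search setuid };` in permissive mode and look for dac_override denials before merging both. If dac_override does turn out to be required, record the reason on the line, e.g. `# dac_override: <operation that fails without it>`, because the pair otherwise reads as an accidental duplication.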
3 changes: 2 additions & 1 deletion policy/modules/system/lvm.te
Expand Up @@ -49,7 +49,7 @@ files_type(lvm_var_lib_t)
# DAC overrides and mknod for modifying /dev entries (vgmknodes)
# rawio needed for dmraid
# net_admin for multipath
allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
allow lvm_t self:capability { chown dac_override dac_read_search fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
dontaudit lvm_t self:capability sys_tty_config;
allow lvm_t self:process { setfscreate setrlimit sigchld sigkill signal signull sigstop };
# LVM will complain a lot if it cannot set its priority.
Expand All @@ -65,6 +65,7 @@ allow lvm_t self:socket create_stream_socket_perms;
allow lvm_t self:key { search write };

allow lvm_t self:unix_stream_socket { connectto create_stream_socket_perms };
allow lvm_t self:alg_socket create_socket_perms;

manage_dirs_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
manage_files_pattern(lvm_t, lvm_tmp_t, lvm_tmp_t)
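Review bot: `create_socket_perms` on the new `alg_socket` rule does not include `accept`, and the AF_ALG API requires accept() on the bound transform socket to obtain the operation descriptor, so if the program that triggered this (presumably cryptsetup, which I believe runs in lvm_t and uses the kernel crypto API) gets past bind and setopt it will hit an `alg_socket accept` denial next. I would grant `allow lvm_t self:alg_socket { create_socket_perms accept };` rather than the broader create_stream_socket_perms, which also adds listen that AF_ALG never uses — confirm with a full run in permissive mode. The comment block above the capability line explains each capability (vgmknodes, dmraid, multipath), but the new alg_socket rule has no such note; add `# alg_socket for the kernel crypto API (AF_ALG) used by cryptsetup` or whatever the actual trigger was. The added dac_read_search is covered by the existing "DAC overrides" comment and needs nothing further.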
1 change: 1 addition & 0 deletions policy/modules/system/mount.te
Expand Up @@ -51,6 +51,7 @@ dontaudit mount_t self:process setrlimit;

allow mount_t mount_tmp_t:file manage_file_perms;
allow mount_t mount_tmp_t:dir manage_dir_perms;
allow mount_t self:fifo_file rw_fifo_file_perms;

can_exec(mount_t, mount_exec_t)

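Review bot: The new `allow mount_t self:fifo_file rw_fifo_file_perms;` carries no explanation and sits between the mount_tmp_t rules and can_exec rather than with the other `mount_t self:` rules (the `dontaudit mount_t self:process setrlimit;` shown in the hunk header is where those live), so it reads as a stray addition. Group it with the self rules and say what needs the pipe — presumably libmount talking to a forked mount.<fstype> helper, but the commit does not say, so take the wording from the denial rather than from my guess: `# pipe to mount.<fstype> helper` or similar. Including the triggering AVC message in the PR description would let this rule be checked against the actual process instead of an assumption.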