From 56b8633a6b23a81496401c8bbbcc04b25ebf19b2 Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Tue, 15 Aug 2023 19:37:46 +0200 Subject: selinux: Update policy to fix user/group settings Somehow most of this used to work on older kernels, but now we need to explicitly permit setuid, setgid, and setcap capabilities, as well as read-only access to passwd (as we support running under a given login name) and sssd library facilities. Signed-off-by: Stefano Brivio --- contrib/selinux/passt.te | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) (limited to 'contrib/selinux/passt.te') diff --git a/contrib/selinux/passt.te b/contrib/selinux/passt.te index 5868a41..507fc89 100644 --- a/contrib/selinux/passt.te +++ b/contrib/selinux/passt.te @@ -47,9 +47,11 @@ require { type port_t; type http_port_t; + type passwd_file_t; + class netlink_route_socket { bind create nlmsg_read }; - class capability sys_tty_config; + class capability { sys_tty_config setuid setgid }; class cap_userns { setpcap sys_admin sys_ptrace }; class user_namespace create; } @@ -89,10 +91,13 @@ logging_send_syslog_msg(passt_t) allow syslogd_t self:cap_userns sys_ptrace; allow passt_t self:process setcap; -allow passt_t self:capability { sys_tty_config setpcap net_bind_service }; +allow passt_t self:capability { sys_tty_config setpcap net_bind_service setuid setgid}; allow passt_t self:cap_userns { setpcap sys_admin sys_ptrace }; allow passt_t self:user_namespace create; +allow passt_t passwd_file_t:file read_file_perms; +sssd_search_lib(passt_t) + allow passt_t proc_net_t:file read; allow passt_t net_conf_t:file { open read }; allow passt_t net_conf_t:lnk_file read; -- cgit v1.2.3