From 56b8633a6b23a81496401c8bbbcc04b25ebf19b2 Mon Sep 17 00:00:00 2001 From: Stefano Brivio Date: Tue, 15 Aug 2023 19:37:46 +0200 Subject: selinux: Update policy to fix user/group settings Somehow most of this used to work on older kernels, but now we need to explicitly permit setuid, setgid, and setcap capabilities, as well as read-only access to passwd (as we support running under a given login name) and sssd library facilities. Signed-off-by: Stefano Brivio --- contrib/selinux/pasta.te | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) (limited to 'contrib/selinux/pasta.te') diff --git a/contrib/selinux/pasta.te b/contrib/selinux/pasta.te index 645ccee..ee82b0f 100644 --- a/contrib/selinux/pasta.te +++ b/contrib/selinux/pasta.te @@ -79,6 +79,7 @@ require { type shell_exec_t; type init_t; + class capability { sys_tty_config setuid setgid }; class cap_userns { setpcap sys_admin sys_ptrace net_bind_service net_admin }; class user_namespace create; } @@ -103,10 +104,13 @@ allow unconfined_t pasta_t : process transition ; init_daemon_domain(pasta_t, pasta_exec_t) -allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource }; +allow pasta_t self:capability { setpcap net_bind_service sys_tty_config dac_read_search net_admin sys_resource setuid setgid }; allow pasta_t self:cap_userns { setpcap sys_admin sys_ptrace net_admin net_bind_service }; allow pasta_t self:user_namespace create; +allow pasta_t passwd_file_t:file read_file_perms; +sssd_search_lib(pasta_t) + allow pasta_t bin_t:file { execute execute_no_trans map }; allow pasta_t nsfs_t:file { open read }; @@ -162,7 +166,7 @@ allow pasta_t unconfined_t:dir search; allow pasta_t unconfined_t:file read; allow pasta_t unconfined_t:lnk_file read; allow pasta_t passwd_file_t:file { getattr open read }; -allow pasta_t self:process setpgid; +allow pasta_t self:process { setpgid setcap }; allow pasta_t shell_exec_t:file { execute execute_no_trans map }; allow pasta_t sssd_var_lib_t:dir search; -- cgit v1.2.3