commit:     d15abb028eff6a6bc5fdb026608d9f79d1bc5ee6
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Sat Nov 16 14:05:13 2024 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Dec 15 00:19:19 2024 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d15abb02

systemd: permit sysusers to create /etc/group

    audit[14480]: AVC avc:  denied  { create } for  pid=14480 
comm="systemd-sysuser" name=".#group5f44baae46cc7c1d" 
scontext=unconfined_u:unconfined_r:systemd_sysusers_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/system/systemd.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b8a52c7c8..80ad48873 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -310,6 +310,8 @@ init_daemon_domain(systemd_sysctl_t, systemd_sysctl_exec_t)
 type systemd_sysusers_t;
 type systemd_sysusers_exec_t;
 init_system_domain(systemd_sysusers_t, systemd_sysusers_exec_t)
+# create /etc/group
+domain_obj_id_change_exemption(systemd_sysusers_t)
 role systemd_sysusers_roles types systemd_sysusers_t;
 
 type systemd_tmpfiles_t;
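Review bot: The comment `# create /etc/group` on the new domain_obj_id_change_exemption() call names the file but not why an identity-constraint exemption, rather than a plain file create rule, is what the denial needs. Judging from the AVC quoted in the commit message, the subject runs as unconfined_u while the new etc_t file is labelled system_u, so the block comes from the object-identity constraint and the interface presumably lifts that constraint for the whole domain, not only for etc_t files. A comment that records this keeps the next reader from trying to narrow it to an allow rule: `# sysusers may run as unconfined_u but creates /etc/group labelled system_u; exempt the domain from the object identity constraint`. It would also help to note whether the intended deployment runs sysusers as system_u from init, in which case the exemption only matters for the interactive case seen in the AVC.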
