commit:     79c6971616012abf80e22b1678be2826a2860b42
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Wed Jan 15 21:01:08 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sat Feb 15 07:32:05 2020 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79c69716

usermanage: allow groupadd to lookup dynamic users from systemd

On a Debian 10 test virtual machine, when installing packages adds a
group, the following AVC occurs:

    type=USER_AVC msg=audit(1578863991.588:575): pid=381 uid=104
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByName dest=org.freedesktop.systemd1
    spid=13759 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=104 hostname=? addr=? terminal=?'

Allow groupadd to use nss-systemd, which calls the DBUS method
LookupDynamicUserByName().

Signed-off-by: Nicolas Iooss <nicolas.iooss <AT> m4x.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/usermanage.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index 3605da43..ef18fd64 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -277,6 +277,10 @@ optional_policy(`
        rpm_rw_pipes(groupadd_t)
 ')
 
+optional_policy(`
+       systemd_use_nss(groupadd_t)
+')
+
 optional_policy(`
        unconfined_use_fds(groupadd_t)
 ')
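Review bot: the new optional_policy block only addresses the direction visible in the quoted denial (groupadd_t sending a method_call to init_t over dbus); the denial was captured with permissive=1, so any further denials on the same path, such as init_t sending the method reply back to groupadd_t or groupadd_t connecting to the system bus, would also have been logged rather than blocked. Please confirm either that no such additional denials appeared on the Debian 10 test machine or that systemd_use_nss(groupadd_t) already grants the reply direction and the system bus connection, and state that in the commit message, since a one-way dbus rule would leave the lookup failing once the machine runs enforcing.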
