commit:     b90cb8704ffb2d1e57e38107076206f780ea7561
Author:     Yi Zhao <yi.zhao <AT> windriver <DOT> com>
AuthorDate: Tue Sep 28 07:46:50 2021 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Thu Nov 11 21:26:50 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=b90cb870

passwd: allow passwd to map SELinux status page

We encountered a passwd runtime error with selinux 3.3:
$ passwd user1
passwd: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running' failed.
Aborted

Fixes:
avc: denied { map } for pid=325 comm="passwd"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19
scontext=root:sysadm_r:passwd_t tcontext=system_u:object_r:security_t
tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao <AT> windriver.com>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/admin/usermanage.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index 19290878..ca60a09e 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -322,6 +322,7 @@ mls_file_write_all_levels(passwd_t)
 mls_file_downgrade(passwd_t)
 
 selinux_get_fs_mount(passwd_t)
+selinux_use_status_page(passwd_t)
 selinux_validate_context(passwd_t)
 selinux_compute_access_vector(passwd_t)
 selinux_compute_create_context(passwd_t)
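
Review bot: The added selinux_use_status_page(passwd_t) line is justified only by a denial logged with permissive=1, so the commit message shows the map check on /sys/fs/selinux/status but not whether the fix was confirmed in enforcing mode. Please state that passwd was retested in enforcing mode after this change and that no further AVC denials for passwd_t against security_t appear. The message would also benefit from one sentence on why passwd maps the status page under selinux 3.3, so the link between the avc_running assertion and the new permission is on record.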
