backport-Allow-nsswitch_domain-read-cgroup-files.patch 1.09 KB
luhuaxin committed on 2021-05-31 16:38 . backport some upstream patches
From d7924a942d84c255fb9d85f262fd68a9e08c2433 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Tue, 30 Mar 2021 20:54:17 +0200
Reference: https://github.com/fedora-selinux/selinux-policy/commit/d7924a942d84c255fb9d85f262fd68a9e08c2433
Conflict: NA
Subject: [PATCH] Allow nsswitch_domain read cgroup files
This permission is required when the systemd nss module is used
in nsswitch.conf for users or groups. The module checks whether
the current process is running in the root cgroup, or if rather
cgroup namespaces are in place.
Resolves: rhbz#1895061
---
policy/modules/system/authlogin.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 068caed..0e54d0a 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -465,6 +465,8 @@ files_list_var_lib(nsswitch_domain)
# read /etc/nsswitch.conf
files_read_etc_files(nsswitch_domain)
+fs_read_cgroup_files(nsswitch_domain)
+
init_stream_connectto(nsswitch_domain)
sysnet_dns_name_resolve(nsswitch_domain)
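Review bot: the added fs_read_cgroup_files(nsswitch_domain) line carries no comment, while the neighbouring files_read_etc_files(nsswitch_domain) is annotated with "# read /etc/nsswitch.conf". The reason for the rule lives only in the commit message (the systemd nss module checks whether the process runs in the root cgroup or whether cgroup namespaces are in place), so a one-line comment above the new rule stating that would keep the rationale next to the policy. The grant is also unconditional for every domain in nsswitch_domain, although the message describes the need only when the systemd nss module is listed in nsswitch.conf for users or groups; it is worth stating in that comment that this breadth is intentional, so a later audit of cgroup read access does not have to rediscover it from rhbz#1895061.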
--
1.8.3.1