From 68df94f5e3114fcaa05209aabca3e008e5f4b167 Mon Sep 17 00:00:00 2001 From: HuaxinLuGitee <1539327763@qq.com> Date: Fri, 28 Aug 2020 22:45:33 +0800 Subject: [PATCH] add add_userman_access_run_dir.patch --- add_userman_access_run_dir.patch | 52 ++++++++++++++++++++++++++++++++ selinux-policy.spec | 6 +++- 2 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 add_userman_access_run_dir.patch diff --git a/add_userman_access_run_dir.patch b/add_userman_access_run_dir.patch new file mode 100644 index 0000000..8118121 --- /dev/null +++ b/add_userman_access_run_dir.patch @@ -0,0 +1,52 @@ +diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te +index e069cb5..43fed66 100644 +--- a/policy/modules/admin/usermanage.te ++++ b/policy/modules/admin/usermanage.te +@@ -250,6 +250,11 @@ files_relabel_etc_files(groupadd_t) + files_read_etc_files(groupadd_t) + files_read_etc_runtime_files(groupadd_t) + files_read_usr_symlinks(groupadd_t) ++files_search_pids(groupadd_t) ++files_create_var_run_dirs(groupadd_t) ++files_delete_all_pids(groupadd_t) ++allow groupadd_t var_run_t:file *; ++allow groupadd_t var_run_t:dir *; + + # Execute /usr/bin/{passwd, chfn, chsh} and /usr/sbin/{useradd, vipw}. + corecmd_exec_bin(groupadd_t) +@@ -366,6 +371,11 @@ files_read_usr_files(passwd_t) + files_search_var(passwd_t) + files_dontaudit_search_pids(passwd_t) + files_relabel_etc_files(passwd_t) ++files_search_pids(passwd_t) ++files_create_var_run_dirs(passwd_t) ++files_delete_all_pids(passwd_t) ++allow passwd_t var_run_t:file *; ++allow passwd_t var_run_t:dir *; + + term_search_ptys(passwd_t) + +@@ -486,6 +496,12 @@ userdom_use_unpriv_users_fds(sysadm_passwd_t) + # on user home dir + userdom_dontaudit_search_user_home_content(sysadm_passwd_t) + ++files_search_pids(sysadm_passwd_t) ++files_create_var_run_dirs(sysadm_passwd_t) ++files_delete_all_pids(sysadm_passwd_t) ++allow sysadm_passwd_t var_run_t:file *; ++allow sysadm_passwd_t var_run_t:dir *; ++ + optional_policy(` + nscd_run(sysadm_passwd_t, sysadm_passwd_roles) + ') +@@ -536,6 +552,10 @@ files_read_etc_runtime_files(useradd_t) + files_manage_etc_files(useradd_t) + files_create_var_lib_dirs(useradd_t) + files_rw_var_lib_dirs(useradd_t) ++files_search_pids(useradd_t) ++files_create_var_run_dirs(useradd_t) ++files_delete_all_pids(useradd_t) ++allow useradd_t var_run_t:file *; + + fs_search_auto_mountpoints(useradd_t) + fs_getattr_xattr_fs(useradd_t) diff --git a/selinux-policy.spec b/selinux-policy.spec index 979ceed..bd5444b 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.14.2 -Release: 56 +Release: 57 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ @@ -63,6 +63,7 @@ Patch10: add-avc-for-systemd-journald.patch Patch11: add-avc-for-systemd-hostnamed-and-systemd-logind.patch Patch12: add-avc-for-systemd.patch Patch13: allow-systemd-to-mount-unlabeled-filesystemd.patch +Patch14: add_userman_access_run_dir.patch BuildArch: noarch BuildRequires: python3 gawk checkpolicy >= %{CHECKPOLICYVER} m4 policycoreutils-devel >= %{POLICYCOREUTILSVER} bzip2 gcc @@ -728,6 +729,9 @@ exit 0 %endif %changelog +* Fri Aug 28 2020 openEuler Buildteam - 3.14.2-57 +- add add_userman_access_run_dir.patch + * Mon Jul 27 2020 openEuler Buildteam - 3.14.2-56 - update selinux -- Gitee