master

分支 (14)

标签 (13)

管理

管理

master

openEuler-22.03-LTS

openEuler-22.03-LTS-Next

openEuler-22.09

openEuler-20.03-LTS-SP3

openEuler-20.03-LTS-SP1

openEuler-20.03-LTS-SP2

openEuler-21.09

openEuler-20.03-LTS

openEuler-20.03-LTS-Next

openEuler-21.03

openEuler-20.09

openEuler1.0

openEuler1.0-base

openEuler-22.09-rc5

openEuler-22.09-20220829

openEuler-22.03-LTS-20220331

openEuler-22.03-LTS-round5

openEuler-22.03-LTS-round3

openEuler-22.03-LTS-round2

openEuler-22.03-LTS-round1

openEuler-20.03-LTS-SP3-release

openEuler-20.03-LTS-SP2-20210624

openEuler-21.03-20210330

openEuler-20.09-20200929

openEuler-20.03-LTS-20200606

openEuler-20.03-LTS-tag

selinux-policy
/
backport-Allow-confined-sysadmin-to-u...

From 9eec9eea6b6b74d8835928c32467f6edd749ff0e Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Fri, 4 Feb 2022 12:04:16 +0100
Subject: [PATCH] Allow confined sysadmin to use tool vipw

Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/9eec9eea6b6b74d8835928c32467f6edd749ff0e
Conflict: NA

Allow confined sysadmin to use vipw and vigr, which edits passwd,
shadow, group, gshadow.. Dontaudit manage files and dir labeled
with admin_home_t. Also vipw need to use sss_cache tool.
Allow domain transition from sysadm_passwd_t to sssd_exec_t.

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2049018
Signed-off-by: lujie54 <lujie54@huawei.com>
---
 policy/modules/admin/usermanage.te | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index a67fcc4..8fdbfbc 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -501,6 +501,8 @@ init_dontaudit_rw_utmp(sysadm_passwd_t)
 logging_send_syslog_msg(sysadm_passwd_t)

 userdom_use_unpriv_users_fds(sysadm_passwd_t)
+userdom_dontaudit_manage_admin_dir(sysadm_passwd_t)
+userdom_dontaudit_manage_admin_files(sysadm_passwd_t)
 # user generally runs this from their home directory, so do not audit a search
 # on user home dir
 userdom_dontaudit_search_user_home_content(sysadm_passwd_t)
@@ -509,6 +511,10 @@ optional_policy(`
 	nscd_run(sysadm_passwd_t, sysadm_passwd_roles)
 ')

+optional_policy(`
+	sssd_domtrans(sysadm_passwd_t)
+')
+
 ########################################
 #
 # Useradd local policy
--
1.8.3.1