加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
backport-Allow-sssd_kcm-read-and-write-z90crypt-device.patch 1.98 KB
一键复制 编辑 原始数据 按行查看 历史
lujie54 提交于 2022-09-13 19:52 . update upstream patches
From 80e7516c09c41c989176947265df41e39e94a31a Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 10 Jan 2022 17:15:56 +0100
Subject: [PATCH] Allow sssd_kcm read and write z90crypt device
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/80e7516c09c41c989176947265df41e39e94a31a
Conflict: NA
This permission is required on s390x systems with the Crypto Express
adapter card. The z90crypt device driver acts as the interface to the
PCI cryptography hardware and performs asynchronous encryption
operations (RSA) as used during the SSL handshake.
Addresses the following AVC denial:
PROCTITLE msg=audit(26.11.2021 17:43:18.641:78) : proctitle=/usr/libexec/sssd/sssd_kcm --uid 0 --gid 0 --logger=files
type=AVC msg=audit(26.11.2021 17:43:18.641:78) : avc: denied { read write } for pid=1724 comm=sssd_kcm name=z90crypt dev="devtmpfs" ino=111 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:crypt_device_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(26.11.2021 17:43:18.641:78) : arch=s390x syscall=openat success=no exit=EACCES(Operace zamítnuta) a0=0xffffffffffffff9c a1=0x3ffa56906e6 a2=O_RDWR a3=0x0 items=0 ppid=1 pid=1724 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=sssd_kcm exe=/usr/libexec/sssd/sssd_kcm subj=system_u:system_r:sssd_t:s0 key=(null)
Resolves: rhbz#2026974
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/sssd.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index b510dca..e5c8673 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -106,6 +106,7 @@ corecmd_exec_bin(sssd_t)
dev_read_urand(sssd_t)
dev_read_sysfs(sssd_t)
+dev_rw_crypto(sssd_t)
domain_read_all_domains_state(sssd_t)
domain_obj_id_change_exemption(sssd_t)
--
1.8.3.1
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化