ipa/SOURCES/0011-Fix-AVC-denial-during-ipa-adtrust-install---add-agents_rhbz#1859213.patch

104 lines
2.8 KiB
Diff
Raw Normal View History

From c72ef1ed965aca79da4576d9579dec5459e14b99 Mon Sep 17 00:00:00 2001
From: Christian Heimes <cheimes@redhat.com>
Date: Fri, 8 May 2020 15:27:01 +0200
Subject: [PATCH] SELinux: Backport dirsrv_systemctl interface
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.if | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/selinux/ipa.if b/selinux/ipa.if
index cefae5d90..ea971b8fa 100644
--- a/selinux/ipa.if
+++ b/selinux/ipa.if
@@ -392,3 +392,30 @@ ifndef(`apache_manage_pid_files',`
manage_sock_files_pattern($1, httpd_var_run_t, httpd_var_run_t)
')
')
+
+########################################
+## <summary>
+## Execute dirsrv server in the dirsrv domain.
+## Backport from https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+ifndef(`dirsrv_systemctl',`
+ interface(`dirsrv_systemctl',`
+ gen_require(`
+ type dirsrv_unit_file_t;
+ type dirsrv_t;
+ ')
+
+ systemd_exec_systemctl($1)
+ init_reload_services($1)
+ allow $1 dirsrv_unit_file_t:file read_file_perms;
+ allow $1 dirsrv_unit_file_t:service manage_service_perms;
+
+ ps_process_pattern($1, dirsrv_t)
+ ')
+')
--
2.26.2
From f76c56c6072418c78f138678b1c4dd917fea6ee1 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 7 May 2020 16:17:12 +0200
Subject: [PATCH] Allow ipa-adtrust-install restart sssd and dirsrv services
Allow ipa_helper_t connect to init using /run/systemd/private socket.
Allow ipa_helper_t read init process state.
Allow ipa_helper_t manage sssd and dirsrv units.
See: https://bugzilla.redhat.com/show_bug.cgi?id=1820298
See: https://github.com/fedora-selinux/selinux-policy-contrib/pull/241
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/selinux/ipa.te b/selinux/ipa.te
index b1e29c8e2..587e5e585 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -147,6 +147,9 @@ auth_use_nsswitch(ipa_helper_t)
files_list_tmp(ipa_helper_t)
+init_read_state(ipa_helper_t)
+init_stream_connect(ipa_helper_t)
+
ipa_manage_pid_files(ipa_helper_t)
ipa_read_lib(ipa_helper_t)
@@ -156,6 +159,10 @@ optional_policy(`
dirsrv_stream_connect(ipa_helper_t)
')
+optional_policy(`
+ dirsrv_systemctl(ipa_helper_t)
+')
+
optional_policy(`
ldap_stream_connect(ipa_helper_t)
')
@@ -182,6 +189,7 @@ optional_policy(`
optional_policy(`
sssd_manage_lib_files(ipa_helper_t)
+ sssd_systemctl(ipa_helper_t)
')
########################################
--
2.26.2