From b22b33e612363001d74e283e53b04192a51f7c5f Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Thu, 14 Apr 2022 19:31:18 +0200
Subject: [PATCH] Allow sssd domtrans to pkcs_slotd_t
Reference: https://github.com/fedora-selinux/selinux-policy/commit/b22b33e612363001d74e283e53b04192a51f7c5f
Conflict: NA
When sssd is configured to use smart card login, any authentication
(e.g. sudo) will raise this AVC, meaning smart card login was prevented
from working:
type=AVC msg=audit(1620803381.118:24793): avc: denied { getattr } for pid=667312 comm="p11_child" path="/usr/sbin/pkcsslotd" dev="dm-1" ino=1581455 scontext=system_u:system_r:sssd_t:s0 tcontext=system_u:object_r:pkcs_slotd_exec_t:s0 tclass=file permissive=0
Sudo uses pam to authenticate a user. In the pam stack, there is the sssd
pam module, which talks through some IPC to sssd's p11_child.
sssd's p11_child loads, through p11-kit, every pkcs11 module
installed on the system, which includes the opencryptoki pkcs11 module.
The opencryptoki pkcs11 module talks through some IPC to the pkcsslotd daemon,
which handles the communication with HW devices or soft tokens.
The pkcs_domtrans() interface was added.
Resolves: rhbz#1959705
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/contrib/pkcs.if | 19 +++++++++++++++++++
policy/modules/contrib/sssd.te | 1 +
2 files changed, 20 insertions(+)
diff --git a/policy/modules/contrib/pkcs.if b/policy/modules/contrib/pkcs.if
index 423d061..eb97d23 100644
--- a/policy/modules/contrib/pkcs.if
+++ b/policy/modules/contrib/pkcs.if
@@ -118,6 +118,25 @@ interface(`pkcs_getattr_exec_files',`
########################################
## <summary>
+## Transition to pkcs_slotd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`pkcs_domtrans',`
+ gen_require(`
+ type pkcs_slotd_t, pkcs_slotd_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, pkcs_slotd_exec_t, pkcs_slotd_t)
+')
+
+########################################
+## <summary>
## Create specific objects in the tmpfs directories
## with a private type.
## </summary>
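Review bot: the only denial quoted in the commit message is { getattr } on pkcs_slotd_exec_t, which the existing pkcs_getattr_exec_files interface (the one this hunk is inserted after, per the @@ header) already covers; domtrans_pattern($1, pkcs_slotd_exec_t, pkcs_slotd_t) goes further and lets $1 execute pkcsslotd and transition into pkcs_slotd_t, so the interface doc should say so and the commit message should list the denials seen after getattr alone was allowed, otherwise a reader cannot tell why the full transition is needed. On wording, the summary "Transition to pkcs_slotd" would be clearer as "Execute pkcsslotd in the pkcs_slotd domain." so that the execute permission being granted is visible from the doc comment.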
diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te
index 80c0b62..f5c7d98 100644
--- a/policy/modules/contrib/sssd.te
+++ b/policy/modules/contrib/sssd.te
@@ -221,6 +221,7 @@ optional_policy(`
')
optional_policy(`
+ pkcs_domtrans(sssd_t)
pkcs_read_lock(sssd_t)
')
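Review bot: pkcs_domtrans(sssd_t) makes a pkcsslotd started by p11_child (running as sssd_t, per the scontext in the quoted AVC) run as pkcs_slotd_t instead of staying in sssd_t, but the commit message says the opencryptoki module reaches pkcsslotd "through some IPC" rather than executing it; please confirm that p11_child really execs /usr/sbin/pkcsslotd, and that the IPC with the already-running pkcs_slotd_t daemon produces no further AVCs once this line is in, since otherwise smart card login still fails with this change applied. Placing the call inside the existing optional_policy block, before pkcs_read_lock(sssd_t) and in alphabetical order, is fine.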
--
1.8.3.1