From 369f900039cff9443e86fdf7254ba8b11dc6adb5 Mon Sep 17 00:00:00 2001
From: Patrik Koncity <pkoncity@redhat.com>
Date: Thu, 10 Feb 2022 11:46:13 +0100
Subject: [PATCH] Allow sysadm_passwd_t to relabel passwd and group files
Reference: https://gitbub.com/fedora-selinux/selinux-policy/commit/369f900039cff9443e86fdf7254ba8b11dc6adb5
Conflict: NA
The vigr mechanism for editing group and passwd
files works on the principle of recreating the current
file with the new changes. Due to this mechanism, the
file needs to be relabeled again with the SELinux label.
Create an interface allowing relabeling to the passwd_file_t
type. Allow relabeling for the sysadm_passwd_t domain.
Allow the dac_override permission for the sysadm_passwd_t type.
Signed-off-by: lujie54 <lujie54@huawei.com>
---
policy/modules/admin/usermanage.te | 3 ++-
policy/modules/system/authlogin.if | 20 ++++++++++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 8fdbfbc..155fb68 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -433,7 +433,7 @@ optional_policy(`
# Password admin local policy
#
-allow sysadm_passwd_t self:capability { chown dac_read_search fsetid setuid setgid sys_resource };
+allow sysadm_passwd_t self:capability { chown dac_override dac_read_search fsetid setuid setgid sys_resource };
allow sysadm_passwd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow sysadm_passwd_t self:process { setrlimit setfscreate };
allow sysadm_passwd_t self:fd use;
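Review bot: dac_override on the changed `allow sysadm_passwd_t self:capability` line is a far broader grant than the relabel this patch is about, and the commit message states it without naming the denial that motivated it. The set already contains chown and dac_read_search; please record which operation on the recreated passwd or group file failed without dac_override, in the commit message or as a comment above the rule, so a later audit can tell whether the capability is still needed.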
@@ -478,6 +478,7 @@ term_getattr_all_ptys(sysadm_passwd_t)
auth_manage_passwd(sysadm_passwd_t)
auth_manage_shadow(sysadm_passwd_t)
auth_relabel_shadow(sysadm_passwd_t)
+auth_relabelto_passwd_files(sysadm_passwd_t)
auth_etc_filetrans_shadow(sysadm_passwd_t)
auth_use_nsswitch(sysadm_passwd_t)
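Review bot: the added `auth_relabelto_passwd_files(sysadm_passwd_t)` line grants only the relabelto half, while the line above it uses auth_relabel_shadow for the shadow file. Nothing in this patch adds relabelfrom for whatever type the recreated file carries before it is relabeled, so please confirm that sysadm_passwd_t already holds that permission and name the source type in the commit message; without it the relabel is still denied.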
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index ad55205..b5b3702 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -851,6 +851,26 @@ interface(`auth_relabel_shadow',`
#######################################
## <summary>
+## Relabel to the
+## password file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabelto_passwd_files',`
+ gen_require(`
+ type passwd_file_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 passwd_file_t:file relabelto;
+')
+
+#######################################
+## <summary>
## Append to the login failure log.
## </summary>
## <param name="domain">
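Review bot: the summary of auth_relabelto_passwd_files documents only the relabel, but the body also calls `files_search_etc($1)`, an access the summary does not mention. Say so in the summary text so callers know what they are granted, and join "Relabel to the" / "password file type." onto one line, since the split adds nothing.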
--
1.8.3.1