CaROS/meta-selinux
3
0
Fork 0
mirror of git://git.yoctoproject.org/meta-selinux synced 2026-01-01 13:58:04 +00:00
Code Issues Packages Projects Releases Wiki Activity

refpolicy: authlogin - allow unix_chkpwd to run

Browse Source 
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
This commit is contained in:
Clayton Casciato 2025-03-10 09:08:18 -06:00 committed by Yi Zhao
parent 23472df161
commit 4fbbcab2cb
2 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
recipes-security/refpolicy/refpolicy/0057-policy-modules-system-authlogin-chkpwd_t-dac_read_se.patch Normal file
View File

@ -0,0 +1,29 @@
From 92091366d5beda7096a8845b822049372e57ca97 Mon Sep 17 00:00:00 2001
From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Date: Mon, 30 Dec 2024 15:58:17 +0800
Subject: [PATCH] authlogin: allow unix_chkpwd to run
denied { dac_read_search } for pid=27506 comm="unix_chkpwd" capability=2 scontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:chkpwd_t:s0-s15:c0.c1023 tclass=capability permissive=1
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/commit/796d0335f6b975c9d075525d62ec8e854ce5beef]
Signed-off-by: Clayton Casciato <majortomtosourcecontrol@gmail.com>
---
policy/modules/system/authlogin.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index c8e2954cb..1c862bbab 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -109,7 +109,7 @@ optional_policy(`
# Check password local policy
#
-allow chkpwd_t self:capability { dac_override setuid };
+allow chkpwd_t self:capability { dac_override dac_read_search setuid };
dontaudit chkpwd_t self:capability sys_tty_config;
allow chkpwd_t self:process { getattr signal };
dontaudit chkpwd_t self:process getcap;

1
recipes-security/refpolicy/refpolicy_common.inc
View File

@ -72,6 +72,7 @@ SRC_URI += " \
file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
file://0057-policy-modules-system-authlogin-chkpwd_t-dac_read_se.patch \
"
S = "${WORKDIR}/refpolicy"