代码拉取完成,页面将自动刷新
同步操作将从 src-openEuler/selinux-policy 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
From 1c0959233b2d061dffb8e6d34b4f49d664d68af9 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Fri, 9 Sep 2022 17:38:35 +0200
Subject: [PATCH] Allow utempter append to login_userdomain stream
Addresses the following AVC denial:
type=PROCTITLE msg=audit(23.8.2022 11:20:02.949:5147) : proctitle=/usr/libexec/utempter/utempter add :0
type=PATH msg=audit(23.8.2022 11:20:02.949:5147) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=33828998 dev=fd:00 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(23.8.2022 11:20:02.949:5147) : item=0 name=/usr/libexec/utempter/utempter inode=35940312 dev=fd:00 mode=file,sgid,711 ouid=root ogid=utmp rdev=00:00 obj=system_u:object_r:utempter_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=EXECVE msg=audit(23.8.2022 11:20:02.949:5147) : argc=3 a0=/usr/libexec/utempter/utempter a1=add a2=:0
type=SYSCALL msg=audit(23.8.2022 11:20:02.949:5147) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x559ff13c4220 a1=0x559ff13c5170 a2=0x7ffc47314488 a3=0x8 items=2 ppid=544463 pid=544464 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=utmp sgid=utmp fsgid=utmp tty=pts17 ses=3 comm=utempter exe=/usr/libexec/utempter/utempter subj=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(23.8.2022 11:20:02.949:5147) : avc: denied { append } for pid=544464 comm=utempter path=socket:[935095] dev="sockfs" ino=935095 scontext=staff_u:staff_r:utempter_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/system/authlogin.te | 1 +
policy/modules/system/userdomain.if | 18 ++++++++++++++++++
2 files changed, 19 insertions(+)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 1885fa699..feabf67ab 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -423,6 +423,7 @@ domain_use_interactive_fds(utempter_t)
logging_search_logs(utempter_t)
+userdom_append_stream_userdomain(utempter_t)
userdom_use_inherited_user_terminals(utempter_t)
# Allow utemper to write to /tmp/.xses-*
userdom_write_user_tmp_files(utempter_t)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index e14a3c58f..43192ae29 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -6637,6 +6637,24 @@ interface(`userdom_login_userdomain',`
typeattribute $1 login_userdomain;
')
+########################################
+## <summary>
+## Append to login_userdomain stream.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_append_stream_userdomain',`
+ gen_require(`
+ attribute login_userdomain;
+ ')
+
+ allow $1 login_userdomain:unix_stream_socket { getattr append };
+')
+
########################################
## <summary>
## Do not audit attempts to check the
--
2.27.0
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手