usermanage: allow groupadd to look up dynamic users from systemd

On a Debian 10 test virtual machine, when installing packages adds a
group, the following AVC occurs:

    type=USER_AVC msg=audit(1578863991.588:575): pid=381 uid=104
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByName dest=org.freedesktop.systemd1
    spid=13759 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=1
    exe="/usr/bin/dbus-daemon" sauid=104 hostname=? addr=? terminal=?'

Allow groupadd to use nss-systemd, which calls DBUS method
LookupDynamicUserByName().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Nicolas Iooss 2020-01-15 22:01:08 +01:00
parent 8426d24740
commit 7558698ab1
GPG Key ID: C191415F340DAAA0
1 changed file with 4 additions and 0 deletions


@ -277,6 +277,10 @@ optional_policy(`
rpm_rw_pipes(groupadd_t) rpm_rw_pipes(groupadd_t)
') ')
optional_policy(`
systemd_use_nss(groupadd_t)
')
optional_policy(` optional_policy(`
unconfined_use_fds(groupadd_t) unconfined_use_fds(groupadd_t)
') ')
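Review bot: the AVC quoted in the commit message records only the request direction (scontext groupadd_t to tcontext init_t, msgtype=method_call), but systemd's method return travels the other way and is subject to the same dbus send_msg check, so before relying on systemd_use_nss(groupadd_t) in enforcing mode, confirm that the interface grants send_msg in both directions (init_t to groupadd_t as well); otherwise the lookup will be sent and the reply dropped. Placement between the rpm and unconfined optional_policy blocks keeps the existing alphabetical order, so no style change is needed there.

The denial above is reported by dbus-daemon (subj=system_u:system_r:system_dbusd_t), but the pair that matters for policy is scontext/tcontext. The following Python is an added example, not refpolicy code and not part of the commit: it parses a USER_AVC record for a D-Bus send_msg denial, derives the peer-to-peer allow rules it implies, and checks whether the call is a systemd dynamic-user lookup. The sample record is the one quoted in the commit message, re-joined onto a single line as auditd emits it; the reply-direction rule and the set of dynamic-user method names are assumptions made here, not taken from the page.

```python
"""Turn a USER_AVC dbus send_msg denial into the allow rules it implies.

Added example; not refpolicy code.  The record below is constructed by
re-joining the AVC quoted in the commit message onto one line.
"""
import re

SAMPLE_AVC = (
    "type=USER_AVC msg=audit(1578863991.588:575): pid=381 uid=104 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t "
    "msg='avc:  denied  { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.systemd1.Manager "
    "member=LookupDynamicUserByName dest=org.freedesktop.systemd1 "
    "spid=13759 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t "
    "tcontext=system_u:system_r:init_t tclass=dbus permissive=1 "
    "exe=\"/usr/bin/dbus-daemon\" sauid=104 hostname=? addr=? terminal=?'"
)

# key=value tokens; a value may be "double" or 'single' quoted (the quoted
# msg='...' body contains spaces, so it must be consumed as one token).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}\s+for\s+(.*)$")
EVENT_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")

# Assumption: systemd Manager methods that resolve dynamic users
# (nss-systemd uses these).  Not taken from the commit.
DYNAMIC_USER_METHODS = {"LookupDynamicUserByName", "LookupDynamicUserByUID"}


def _kv(text):
    """Parse key=value pairs, stripping surrounding quotes from values."""
    out = {}
    for key, val in KV_RE.findall(text):
        if val[:1] in ('"', "'") and val[-1:] == val[:1]:
            val = val[1:-1]
        out[key] = val          # later keys win (msg= appears twice)
    return out


def parse_user_avc(line):
    """Return the structured content of a USER_AVC record."""
    outer = _kv(line)
    if outer.get("type") != "USER_AVC":
        raise ValueError("not a USER_AVC record")
    m = AVC_RE.search(outer["msg"])     # the quoted msg='avc: ...' body
    if not m:
        raise ValueError("no avc message inside USER_AVC record")
    fields = _kv(m.group(3))
    ev = EVENT_RE.search(line)
    return {
        "event": (ev.group(1), ev.group(2)) if ev else None,
        "reporter": outer.get("subj"),   # dbus-daemon, not a policy peer
        "decision": m.group(1),
        "perms": m.group(2).split(),
        "scontext": fields["scontext"],
        "tcontext": fields["tcontext"],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
        "fields": fields,
    }


def type_of(ctx):
    """Extract the type component of user:role:type[:range]."""
    return ctx.split(":")[2]


def allow_rules(avc):
    """Rules needed to clear the denial between the two D-Bus peers.

    For a method_call the return message flows target -> source and is
    checked the same way, so a reply-direction rule is added (assumption).
    """
    src, tgt = type_of(avc["scontext"]), type_of(avc["tcontext"])
    perms = " ".join(avc["perms"])
    if len(avc["perms"]) > 1:
        perms = "{ " + perms + " }"
    rules = [f"allow {src} {tgt}:{avc['tclass']} {perms};"]
    if (avc["tclass"] == "dbus" and "send_msg" in avc["perms"]
            and avc["fields"].get("msgtype") == "method_call"):
        rules.append(f"allow {tgt} {src}:dbus send_msg;")
    return rules


def is_dynamic_user_lookup(avc):
    """True if the denied call is a systemd dynamic-user lookup."""
    f = avc["fields"]
    return (avc["tclass"] == "dbus"
            and f.get("dest") == "org.freedesktop.systemd1"
            and f.get("interface") == "org.freedesktop.systemd1.Manager"
            and f.get("member") in DYNAMIC_USER_METHODS)


if __name__ == "__main__":
    rec = parse_user_avc(SAMPLE_AVC)
    print("reported by:", rec["reporter"])
    print("dynamic user lookup:", is_dynamic_user_lookup(rec))
    for rule in allow_rules(rec):
        print(rule)
```

The `reporter` field is kept separate on purpose: a rule written against `system_dbusd_t` would be wrong, since dbus-daemon only mediates the message and the policy decision is made on the sender and recipient contexts embedded in the avc body.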