Updates for utempter

Fix label (for RedHat) which places utempter in /usr/libexec/utempter/utempter
Allow utempter to write to xsession log

Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.483:3994): avc:  denied  { write } for  pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1
Sep 07 01:30:50 localhost.localdomain audisp-syslog[1649]: node=localhost type=AVC msg=audit(1694050250.485:3997): avc:  denied  { getattr } for  pid=1927 comm="utempter" path="/home/toor/.xsession-errors" dev="dm-9" ino=129543 scontext=toor_u:staff_r:utempter_t:s0 tcontext=toor_u:object_r:xsession_log_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Dave Sugar 2023-09-06 21:00:03 -04:00
parent 9d03d2ef9e
commit 56db40c099
2 changed files with 4 additions and 0 deletions
policy/modules/system

@ -22,6 +22,9 @@
/usr/lib/([^/]+/)?utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
ifdef(`distro_redhat', `
/usr/libexec/utempter/utempter -- gen_context(system_u:object_r:utempter_exec_t,s0)
')
/usr/libexec/chkpwd/tcb_chkpwd -- gen_context(system_u:object_r:chkpwd_exec_t,s0)
/usr/sbin/pam_console_apply -- gen_context(system_u:object_r:pam_console_exec_t,s0)
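
Review bot: the new /usr/libexec/utempter/utempter entry is wrapped in ifdef(`distro_redhat', ...) while the /usr/libexec/chkpwd/tcb_chkpwd entry directly below it is unconditional. A file context for a path that does not exist on a given distribution never matches anything, so consider adding the entry without the conditional, or state in the commit message why it has to be limited to Red Hat.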

@ -450,6 +450,7 @@ optional_policy(`
optional_policy(`
xserver_use_xdm_fds(utempter_t)
xserver_rw_xdm_pipes(utempter_t)
xserver_write_inherited_xsession_log(utempter_t)
')
#######################################
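
Review bot: the AVC records in the commit message show two denied permissions on xsession_log_t:file, write and getattr, but the added xserver_write_inherited_xsession_log(utempter_t) line is named for write only and its definition is not part of this diff. Please confirm the interface also grants getattr, since both records were captured with permissive=1 and a missing getattr would only show up as a failure once the domain is enforcing. Using the inherited variant here is a good fit for a descriptor utempter receives from its parent, because it avoids granting open on the log.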