su: allow su to map SELinux status page

We encountered a su runtime error with selinux 3.3:
$ su - user1
su: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running' failed.
Segmentation fault

Fixes:
avc:  denied  { map } for  pid=558 comm="su"
path="/sys/fs/selinux/status" dev="selinuxfs" ino=19
scontext=root:sysadm_r:sysadm_su_t tcontext=system_u:object_r:security_t
tclass=file permissive=0

avc:  denied  { getattr } for  pid=570 comm="su" name="/" dev="proc"
ino=1 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:proc_t
tclass=filesystem permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Yi Zhao 2021-12-18 09:26:43 +08:00
parent 4c515c9f8b
commit 91d32c2162


@ -164,6 +164,7 @@ template(`su_role_template',`
kernel_read_kernel_sysctls($1_su_t)
kernel_search_key($1_su_t)
kernel_link_key($1_su_t)
kernel_dontaudit_getattr_proc($1_su_t)
# for SSP
dev_read_urand($1_su_t)
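Review bot: kernel_dontaudit_getattr_proc($1_su_t) only silences the `getattr` denial on the proc_t filesystem from the second AVC record; it does not grant the statfs, so if su (or libselinux on its behalf) relies on the result the call still fails, just without a log line. Please confirm that `su - user1` completes correctly for the user_u:user_r:user_su_t case with this rule alone, and if it does not, use the allowing interface kernel_getattr_proc($1_su_t) instead. A one-line comment above the call saying why the statfs on /proc is harmless to deny, in the same style as the `# for SSP` comment that follows it, would also save the next reader from asking whether dontaudit was deliberate.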
@ -172,6 +173,7 @@ template(`su_role_template',`
# needed for pam_rootok
selinux_compute_access_vector($1_su_t)
selinux_use_status_page($1_su_t)
auth_domtrans_chk_passwd($1_su_t)
auth_dontaudit_read_shadow($1_su_t)
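Review bot: selinux_use_status_page($1_su_t) lands directly under the `# needed for pam_rootok` comment, which was written for selinux_compute_access_vector($1_su_t) and says nothing about the status page; from the commit message this line is what cures the `map` denial on /sys/fs/selinux/status and with it the `avc_running` assertion seen with selinux 3.3, so give it its own comment (for example `# selinux 3.3: su maps /sys/fs/selinux/status`) so the reason survives when the pam_rootok line is touched later. Placing it inside su_role_template means every $1_su_t domain gets the permission, which is consistent with the two scontexts in the log (sysadm_su_t and user_su_t) rather than a fix for one role only.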