From 91d32c21625c58ac575f689c808de1f39c8a15c3 Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Sat, 18 Dec 2021 09:26:43 +0800
Subject: [PATCH] su: allow su to map SELinux status page

We encountered a su runtime error with selinux 3.3:
$ su - user1
su: avc.c:73: avc_context_to_sid_raw: Assertion `avc_running' failed.
Segmentation fault

Fixes:
avc: denied { map } for pid=558 comm="su" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=root:sysadm_r:sysadm_su_t tcontext=system_u:object_r:security_t tclass=file permissive=0
avc: denied { getattr } for pid=570 comm="su" name="/" dev="proc" ino=1 scontext=user_u:user_r:user_su_t tcontext=system_u:object_r:proc_t tclass=filesystem permissive=0

Signed-off-by: Yi Zhao
---
 policy/modules/admin/su.if | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/su.if b/policy/modules/admin/su.if
index b780d13cf..cd34cd9dd 100644
--- a/policy/modules/admin/su.if
+++ b/policy/modules/admin/su.if
@@ -164,6 +164,7 @@ template(`su_role_template',`
 	kernel_read_kernel_sysctls($1_su_t)
 	kernel_search_key($1_su_t)
 	kernel_link_key($1_su_t)
+	kernel_dontaudit_getattr_proc($1_su_t)
 	# for SSP
 	dev_read_urand($1_su_t)
@@ -172,6 +173,7 @@ template(`su_role_template',`
 	# needed for pam_rootok
 	selinux_compute_access_vector($1_su_t)
+	selinux_use_status_page($1_su_t)
 	auth_domtrans_chk_passwd($1_su_t)
 	auth_dontaudit_read_shadow($1_su_t)
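Review bot: `kernel_dontaudit_getattr_proc($1_su_t)` is added without a comment, while the neighbouring rules each carry their rationale (`# for SSP`, `# needed for pam_rootok`), so the only explanation is the getattr-on-proc_t denial buried in the commit message. The choice of dontaudit over allow implies su works fine without the access and the denial is just noise — presumably libselinux probing /proc during initialisation, though that is inferred from the log rather than shown here — and that reasoning should sit next to the rule: `# libselinux init probes the /proc filesystem; su works without it, so silence rather than allow`. The enclosing su_role_template template starts before and continues after this hunk.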
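Review bot: `selinux_use_status_page($1_su_t)` is inserted directly under the `# needed for pam_rootok` comment, which now reads as if mapping the status page were a pam_rootok requirement, whereas the commit message ties it to the libselinux 3.3 `avc_running` assertion. Keeping the two rationales apart avoids misleading the next person who prunes this block: `# libselinux 3.3 maps /sys/fs/selinux/status for its AVC status checks`. The access granted is to the read-only status page (the log shows only `map` on security_t:file being denied), so the grant itself looks proportionate; note it lands in every role's $1_su_t via the template, while the two logged denials came from sysadm_su_t and user_su_t respectively, which is consistent with that scope but worth stating in the message. su_role_template begins before and ends after this hunk.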