newrole: allow newrole to search faillock runtime directory

Allow newrole to search the /run/faillock directory, otherwise the
faillock mechanism will not work for neworle.

Before the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root

After the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole  -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
The account is locked due to 3 failed logins.
(1 minute left to unlock)
Password:

Fixes:
avc: denied { search } for pid=508 comm="newrole" name="faillock"
dev="tmpfs" ino=582 scontext=root:sysadm_r:newrole_t:s0-s15:c0.c1023
tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
This commit is contained in:
Yi Zhao 2024-05-28 15:06:06 +08:00
parent bf34d3e5e8
commit 10feb47e55
2 changed files with 19 additions and 0 deletions

View File

@ -845,6 +845,24 @@ interface(`auth_rw_shadow_lock',`
rw_files_pattern($1, shadow_lock_t, shadow_lock_t) rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
') ')
########################################
## <summary>
## Search faillock directory (/run/faillock).
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`auth_search_faillog',`
gen_require(`
type faillog_t;
')
allow $1 faillog_t:dir search_dir_perms;
')
####################################### #######################################
## <summary> ## <summary>
## Append to the login failure log. ## Append to the login failure log.

View File

@ -294,6 +294,7 @@ auth_use_nsswitch(newrole_t)
auth_run_chk_passwd(newrole_t, newrole_roles) auth_run_chk_passwd(newrole_t, newrole_roles)
auth_run_upd_passwd(newrole_t, newrole_roles) auth_run_upd_passwd(newrole_t, newrole_roles)
auth_rw_faillog(newrole_t) auth_rw_faillog(newrole_t)
auth_search_faillog(newrole_t)
# Write to utmp. # Write to utmp.
init_rw_utmp(newrole_t) init_rw_utmp(newrole_t)