newrole: allow newrole to search faillock runtime directory
Allow newrole to search the /run/faillock directory, otherwise the faillock mechanism will not work for neworle. Before the patch (pam faillock deny=3): root@intel-x86-64:~# newrole -r sysadm_r Password: newrole: incorrect password for root root@intel-x86-64:~# newrole -r sysadm_r Password: newrole: incorrect password for root root@intel-x86-64:~# newrole -r sysadm_r Password: newrole: incorrect password for root root@intel-x86-64:~# newrole -r sysadm_r Password: newrole: incorrect password for root After the patch (pam faillock deny=3): root@intel-x86-64:~# newrole -r sysadm_r Password: newrole: incorrect password for root root@intel-x86-64:~# newrole -r sysadm_r Password: newrole: incorrect password for root root@intel-x86-64:~# newrole -r sysadm_r Password: newrole: incorrect password for root root@intel-x86-64:~# newrole -r sysadm_r The account is locked due to 3 failed logins. (1 minute left to unlock) Password: Fixes: avc: denied { search } for pid=508 comm="newrole" name="faillock" dev="tmpfs" ino=582 scontext=root:sysadm_r:newrole_t:s0-s15:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
This commit is contained in:
parent
bf34d3e5e8
commit
10feb47e55
|
@ -845,6 +845,24 @@ interface(`auth_rw_shadow_lock',`
|
||||||
rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
|
rw_files_pattern($1, shadow_lock_t, shadow_lock_t)
|
||||||
')
|
')
|
||||||
|
|
||||||
|
########################################
|
||||||
|
## <summary>
|
||||||
|
## Search faillock directory (/run/faillock).
|
||||||
|
## </summary>
|
||||||
|
## <param name="domain">
|
||||||
|
## <summary>
|
||||||
|
## Domain allowed access.
|
||||||
|
## </summary>
|
||||||
|
## </param>
|
||||||
|
#
|
||||||
|
interface(`auth_search_faillog',`
|
||||||
|
gen_require(`
|
||||||
|
type faillog_t;
|
||||||
|
')
|
||||||
|
|
||||||
|
allow $1 faillog_t:dir search_dir_perms;
|
||||||
|
')
|
||||||
|
|
||||||
#######################################
|
#######################################
|
||||||
## <summary>
|
## <summary>
|
||||||
## Append to the login failure log.
|
## Append to the login failure log.
|
||||||
|
|
|
@ -294,6 +294,7 @@ auth_use_nsswitch(newrole_t)
|
||||||
auth_run_chk_passwd(newrole_t, newrole_roles)
|
auth_run_chk_passwd(newrole_t, newrole_roles)
|
||||||
auth_run_upd_passwd(newrole_t, newrole_roles)
|
auth_run_upd_passwd(newrole_t, newrole_roles)
|
||||||
auth_rw_faillog(newrole_t)
|
auth_rw_faillog(newrole_t)
|
||||||
|
auth_search_faillog(newrole_t)
|
||||||
|
|
||||||
# Write to utmp.
|
# Write to utmp.
|
||||||
init_rw_utmp(newrole_t)
|
init_rw_utmp(newrole_t)
|
||||||
|
|
Loading…
Reference in New Issue