newrole: allow newrole to use setcap to drop capabilities

Commit 61b72e0796 ("selinuxutil: adjustments") removed negative permission
matching for newrole_t:process. One of the removed permission was setcap which
is needed by newrole as it tries to drop capabilities:

    $ newrole -r sysadm_r
    Sorry, newrole failed to drop capabilities
    : Permission denied

    type=PROCTITLE msg=audit(09/06/2019 15:07:01.908:10821) : proctitle=newrole -r sysadm_r

    type=SYSCALL msg=audit(09/06/2019 15:07:01.908:10821) : arch=x86_64
    syscall=capset success=no exit=EACCES(Permission denied) a0=0x7fbe17d4cb6c
    a1=0x7fbe17d4cb74 a2=0x7fbe17d4d5d0 a3=0x0 items=0 ppid=4981 pid=7255
    auid=admin uid=admin gid=admin euid=admin
    suid=admin fsuid=admin egid=admin sgid=admin fsgid=admin tty=tty1 ses=6
    comm=newrole exe=/usr/bin/newrole subj=staff_u:staff_r:newrole_t:s0
    key=(null)

    type=AVC msg=audit(09/06/2019 15:07:01.908:10821) : avc:  denied  { setcap }
    for  pid=7255 comm=newrole scontext=staff_u:staff_r:newrole_t:s0
    tcontext=staff_u:staff_r:newrole_t:s0 tclass=process permissive=0

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
This commit is contained in:
Petr Lautrbach 2019-09-18 13:12:18 +02:00
parent ab4ec89d70
commit e0813db519

View File

@ -226,7 +226,7 @@ optional_policy(`
allow newrole_t self:capability { dac_override fowner setgid setuid };
dontaudit newrole_t self:capability net_admin;
allow newrole_t self:process setexec;
allow newrole_t self:process { setcap setexec };
allow newrole_t self:fd use;
allow newrole_t self:fifo_file rw_fifo_file_perms;
allow newrole_t self:sock_file read_sock_file_perms;