selinux-refpolicy/policy/modules/system
Yi Zhao 10feb47e55 newrole: allow newrole to search faillock runtime directory
Allow newrole to search the /run/faillock directory, otherwise the
faillock mechanism will not work for newrole.

Before the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root

After the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole  -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
The account is locked due to 3 failed logins.
(1 minute left to unlock)
Password:

Fixes:
avc: denied { search } for pid=508 comm="newrole" name="faillock"
dev="tmpfs" ino=582 scontext=root:sysadm_r:newrole_t:s0-s15:c0.c1023
tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-06-04 21:18:58 +08:00
application.fc
application.if
application.te
authlogin.fc files context for merged-usr profile on gentoo 2024-05-08 13:46:48 +02:00
authlogin.if newrole: allow newrole to search faillock runtime directory 2024-06-04 21:18:58 +08:00
authlogin.te various: various fixes 2024-05-09 10:13:37 -04:00
clock.fc
clock.if
clock.te
daemontools.fc
daemontools.if
daemontools.te
fstools.fc
fstools.if
fstools.te cloudinit: Add permissions derived from sysadm. 2024-02-22 09:13:38 -05:00
getty.fc
getty.if
getty.te getty: grant checkpoint_restore 2024-03-28 20:01:49 +01:00
hostname.fc
hostname.if
hostname.te xen: Drop xend/xm stack. 2024-04-29 14:20:19 -04:00
init.fc files context for merged-usr profile on gentoo 2024-05-08 13:46:48 +02:00
init.if container, podman: various fixes 2024-05-09 10:13:29 -04:00
init.te init: allow systemd to use sshd pidfds 2024-05-09 10:00:18 -04:00
ipsec.fc
ipsec.if
ipsec.te
iptables.fc
iptables.if
iptables.te
iscsi.fc
iscsi.if
iscsi.te
libraries.fc libraries: drop space in empty line 2024-02-23 18:04:11 +01:00
libraries.if small network patches (#707) 2023-09-25 11:44:52 -04:00
libraries.te
locallogin.fc
locallogin.if
locallogin.te small systemd patches (#708) 2023-09-27 09:20:52 -04:00
logging.fc
logging.if separate domain for journalctl during init 2023-09-26 12:47:37 -04:00
logging.te Merge pull request #679 from gtrentalancia/audit_fixes_pr 2023-09-14 10:49:38 -04:00
lvm.fc files context for merged-usr profile on gentoo 2024-05-08 13:46:48 +02:00
lvm.if container, kubernetes: add support for rook-ceph 2024-02-09 15:11:58 -05:00
lvm.te xen: Drop xend/xm stack. 2024-04-29 14:20:19 -04:00
metadata.xml
miscfiles.fc Additional file context fix for: 2023-12-05 21:04:29 +01:00
miscfiles.if
miscfiles.te
modutils.fc
modutils.if
modutils.te
mount.fc
mount.if container, kubernetes: add support for rook-ceph 2024-02-09 15:11:58 -05:00
mount.te mount: make mount_runtime_t a kubernetes mountpoint 2024-02-07 18:18:24 -05:00
netlabel.fc
netlabel.if
netlabel.te
raid.fc Label checkarray as mdadm_exec_t, allow it to read/write temp files inherited 2023-10-06 21:48:52 +11:00
raid.if
raid.te various: various fixes 2024-05-09 10:13:37 -04:00
selinuxutil.fc Setup domain for dbus selinux interface 2024-01-17 21:36:05 -05:00
selinuxutil.if Setup domain for dbus selinux interface 2024-01-17 21:36:05 -05:00
selinuxutil.te newrole: allow newrole to search faillock runtime directory 2024-06-04 21:18:58 +08:00
setrans.fc
setrans.if
setrans.te
sysnetwork.fc Set the type on /etc/machine-info to net_conf_t so hostnamectl can manipulate it (CRUD) 2024-04-22 09:20:11 -04:00
sysnetwork.if udev: update 2024-02-23 17:55:29 +01:00
sysnetwork.te sysnetwork: fixes for dhcpcd 2024-06-04 21:12:36 +08:00
systemd.fc systemd: label systemd-tpm2-setup as systemd-pcrphase 2024-02-21 15:30:53 -05:00
systemd.if systemd: allow notify client to stat socket 2024-04-13 21:08:01 +02:00
systemd.te systemd: allow systemd-sysctl to search tmpfs 2024-05-09 10:13:29 -04:00
udev.fc
udev.if
udev.te udev: update 2024-02-23 17:55:29 +01:00
unconfined.fc
unconfined.if cloudinit: Add permissions derived from sysadm. 2024-02-22 09:13:38 -05:00
unconfined.te SELint userspace class tweaks 2024-01-10 17:02:41 +01:00
userdomain.fc
userdomain.if userdom: allow users to read user home dir symlinks 2024-05-09 10:00:23 -04:00
userdomain.te Allow all users to (optionally) send syslog messages 2023-09-19 09:14:08 -04:00
xdg.fc
xdg.if
xdg.te
xen.fc xen: Drop xend/xm stack. 2024-04-29 14:20:19 -04:00
xen.if xen: Drop xend/xm stack. 2024-04-29 14:20:19 -04:00
xen.te xen: Drop xend/xm stack. 2024-04-29 14:20:19 -04:00