Allow request-key to read /etc/passwd
Fixes:
time->Tue Dec 17 04:00:26 2024
type=PROCTITLE msg=audit(1734426026.600:118): proctitle=2F7573722F62696E2F7368002F7573722F73686172652F6B65797574696C732F726571756573742D6B65792D64656275672E7368003232343535333635350064656275673A62006100383530383838313330
type=SYSCALL msg=audit(1734426026.600:118): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7f2c2e2c11bb a2=80000 a3=0 items=0 ppid=101 pid=1373 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="request-key-deb" exe="/usr/bin/bash" subj=system_u:system_r:keyutils_request_t:s0 key=(null)
type=AVC msg=audit(1734426026.600:118): avc:  denied  { open } for  pid=1373 comm="request-key-deb" path="/etc/passwd" dev="vda3" ino=17556515 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
type=AVC msg=audit(1734426026.600:118): avc:  denied  { read } for  pid=1373 comm="request-key-deb" name="passwd" dev="vda3" ino=17556515 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1
----
time->Tue Dec 17 04:00:26 2024
type=PROCTITLE msg=audit(1734426026.600:119): proctitle=2F7573722F62696E2F7368002F7573722F73686172652F6B65797574696C732F726571756573742D6B65792D64656275672E7368003232343535333635350064656275673A62006100383530383838313330
type=SYSCALL msg=audit(1734426026.600:119): arch=c000003e syscall=5 success=yes exit=0 a0=3 a1=7ffdfaab8f80 a2=7f2c2e2f8f20 a3=0 items=0 ppid=101 pid=1373 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="request-key-deb" exe="/usr/bin/bash" subj=system_u:system_r:keyutils_request_t:s0 key=(null)
type=AVC msg=audit(1734426026.600:119): avc:  denied  { getattr } for  pid=1373 comm="request-key-deb" path="/etc/passwd" dev="vda3" ino=17556515 scontext=system_u:system_r:keyutils_request_t:s0 tcontext=system_u:object_r:passwd_file_t:s0 tclass=file permissive=1

Resolves: RHEL-71490
Signed-off-by: Ondrej Mosnacek <[email protected]>
WOnder93 committed Dec 17, 2024
1 parent 0e3e389 commit 830c927
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions policy/modules/contrib/keyutils.te
Expand Up @@ -24,6 +24,10 @@ corecmd_exec_bin(keyutils_request_t)

domain_manage_all_domains_keyrings(keyutils_request_t)

optional_policy(`
auth_read_passwd(keyutils_request_t)
')

optional_policy(`
init_search_pid_dirs(keyutils_request_t)
logging_send_syslog_msg(keyutils_request_t)
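
Review bot: The added auth_read_passwd(keyutils_request_t) call has no comment saying which caller needs it, and the grant covers everything that runs in keyutils_request_t. The audit records in the commit message all show exe="/usr/bin/bash" with comm="request-key-deb", and the PROCTITLE hex decodes to /usr/bin/sh running /usr/share/keyutils/request-key-debug.sh, so a one-line comment above the call naming that script as the source of the access would make the rule easier to audit later. The logged denials are limited to open, read and getattr on passwd_file_t with permissive=1; it would help to state in the commit message whether these were the only keyutils_request_t denials seen in that run.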