From 982b9dd4ec8c9e030c769bf519a33dcf29c1e617 Mon Sep 17 00:00:00 2001
From: Sebastian Willenborg
Date: Fri, 10 May 2024 10:12:40 +0200
Subject: [PATCH] selinux: Allow reading access to systemd's userdbd

To access systemd's userdb through the socket, laurel needs access on labels around systemd_userdbd_runtime_t. Debian and Redhat provide different interfaces to achieve this.
---
 contrib/selinux/laurel.te | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/contrib/selinux/laurel.te b/contrib/selinux/laurel.te
index 98aa889..0ac3d3d 100644
--- a/contrib/selinux/laurel.te
+++ b/contrib/selinux/laurel.te
@@ -52,10 +52,17 @@ files_getattr_all_files(laurel_t)
 ifdef(`distro_debian',`
 gen_require(`type etc_t;')
 allow laurel_t etc_t:file { open read };
+ ifdef(`systemd_stream_connect_userdb',`
+ systemd_stream_connect_userdb(laurel_t)
+ ')
 ')
+
 ifdef(`distro_redhat',`
 gen_require(`type passwd_file_t;')
 allow laurel_t passwd_file_t:file { open read };
+ ifdef(`systemd_userdbd_stream_connect',`
+ systemd_userdbd_stream_connect(laurel_t)
+ ')
 ')
 
 # Access user database via SSSD
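Review bot: Both nested `ifdef` guards make a missing interface silent: if the policy headers loaded at build time do not define `systemd_stream_connect_userdb` (Debian branch) or `systemd_userdbd_stream_connect` (Red Hat branch), or the module is built for neither distro, it compiles without complaint and laurel simply lacks the userdbd socket permission, so the only symptom is an AVC denial at runtime. A comment above the first guard would point the next maintainer at the right place, e.g. `# Userdb access is optional: if the distro policy lacks this interface the guard is a no-op and failed userdb lookups appear as AVC denials (ausearch -m avc) rather than as a build error.`. The description's reference to labels around `systemd_userdbd_runtime_t` presumably holds only through whatever the interface expands to; the hunk itself grants no rule on that type directly, so that claim cannot be checked from these lines. The subject says "reading access" while the added calls are stream-connect interfaces, so naming it as socket connect access would describe the change more precisely.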