From a7d502632ff5ad6bae7ab9959631335fc57e2a5e Mon Sep 17 00:00:00 2001
From: lujie54
Date: Mon, 27 Jun 2022 21:35:58 +0800
Subject: [PATCH] Allow domain transition to sssd_t and role access to sssd
(cherry picked from commit 4fcb05937d188beb60fe4f5a206152c008c64c5e)
---
 ...nsition-to-sssd_t-and-role-access-to.patch | 172 ++++++++++++++++++
 selinux-policy.spec | 7 +-
 2 files changed, 177 insertions(+), 2 deletions(-)
 create mode 100644 backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch
diff --git a/backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch b/backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch
new file mode 100644
index 0000000..7bce3bc
--- /dev/null
+++ b/backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch
@@ -0,0 +1,172 @@ +From 6956435a4e3cc5a6f0d311f80b31abddd83d9ae5 Mon Sep 17 00:00:00 2001 +From: Patrik Koncity +Date: Mon, 27 Jun 2022 20:37:44 +0800 +Subject: [PATCH] Allow domain transition to sssd_t and role access to sssd + +When installing some rpm packages, new users or +groups are added to the system using +the groupadd and useradd tools. Then the sss_cache +file with the bin_t label is run and on this file +groupadd and useradd want to setgid and this +trigger SELinux denials. Label the sss_cache binary +as sssd_exec_t and enabling the transition from +groupadd_t and useradd_t to sssd_t. Sssd policy +allowed setgid on this binary. + +Reference:https://github.com/fedora-selinux/selinux-policy/commit/bcc321f1719d252b205edf89f82f578c1c309eb0 +Conflict: NA + +After previous fix in bugzilla arise a SELinux +error with role. Processes running under +unconfined_r do not have access to sssd_t. +Allow domain transition from rpm_script_t to +sssd_t and allow the rpm_script_roles in the +sssd domain. + +Reference:https://github.com/fedora-selinux/selinux-policy/commit/25bdcfdf5821ddba2c47fc4306bc43debc4c0f75 +Conflict: NA + +Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2022690 + + +sssd_run_sssd interface allow execute sssd in the +sssd domain, and allow the specified role +the sssd domain. 
+ +Reference:https://github.com/fedora-selinux/selinux-policy/commit/d7ef9cf83cb50b4349cb8277c2cd126c17dc629a +Conflict: NA + +Signed-off-by: lujie54 +--- + policy/modules/admin/usermanage.te | 18 ++++++++++-------- + policy/modules/contrib/rpm.te | 4 ++++ + policy/modules/contrib/sssd.fc | 1 + + policy/modules/contrib/sssd.if | 27 +++++++++++++++++++++++++++ + policy/modules/contrib/sssd.te | 3 +++ + 5 files changed, 45 insertions(+), 8 deletions(-) + +diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te +index 5a857e0..b945e3c 100644 +--- a/policy/modules/admin/usermanage.te ++++ b/policy/modules/admin/usermanage.te +@@ -300,10 +300,11 @@ optional_policy(` + ') + + optional_policy(` +- sssd_manage_lib_files(groupadd_t) +- sssd_manage_public_files(groupadd_t) +- sssd_read_pid_files(groupadd_t) +- sssd_signal(groupadd_t) ++ sssd_domtrans(groupadd_t) ++ sssd_manage_lib_files(groupadd_t) ++ sssd_manage_public_files(groupadd_t) ++ sssd_read_pid_files(groupadd_t) ++ sssd_signal(groupadd_t) + ') + + optional_policy(` +@@ -679,10 +680,11 @@ optional_policy(` + ') + + optional_policy(` +- sssd_manage_lib_files(useradd_t) +- sssd_manage_public_files(useradd_t) +- sssd_read_pid_files(useradd_t) +- sssd_signal(useradd_t) ++ sssd_domtrans(useradd_t) ++ sssd_manage_lib_files(useradd_t) ++ sssd_manage_public_files(useradd_t) ++ sssd_read_pid_files(useradd_t) ++ sssd_signal(useradd_t) + ') + + optional_policy(` +diff --git a/policy/modules/contrib/rpm.te b/policy/modules/contrib/rpm.te +index 9d2f4e6..3f6de12 100644 +--- a/policy/modules/contrib/rpm.te ++++ b/policy/modules/contrib/rpm.te +@@ -481,6 +481,10 @@ optional_policy(` + ') + + optional_policy(` ++ sssd_run_sssd(rpm_script_t, rpm_script_roles) ++') ++ ++optional_policy(` + tzdata_domtrans(rpm_t) + tzdata_run(rpm_script_t, rpm_script_roles) + ') +diff --git a/policy/modules/contrib/sssd.fc b/policy/modules/contrib/sssd.fc +index 2655c75..f51950d 100644 +--- a/policy/modules/contrib/sssd.fc 
++++ b/policy/modules/contrib/sssd.fc +@@ -3,6 +3,7 @@ + /etc/sssd(/.*)? gen_context(system_u:object_r:sssd_conf_t,s0) + + /usr/sbin/sssd -- gen_context(system_u:object_r:sssd_exec_t,s0) ++/usr/sbin/sss_cache -- gen_context(system_u:object_r:sssd_exec_t,s0) + /usr/libexec/sssd/sssd_autofs -- gen_context(system_u:object_r:sssd_exec_t,s0) + /usr/libexec/sssd/sssd_ifp -- gen_context(system_u:object_r:sssd_exec_t,s0) + /usr/libexec/sssd/sssd_nss -- gen_context(system_u:object_r:sssd_exec_t,s0) +diff --git a/policy/modules/contrib/sssd.if b/policy/modules/contrib/sssd.if +index e1ff0d7..6debe08 100644 +--- a/policy/modules/contrib/sssd.if ++++ b/policy/modules/contrib/sssd.if +@@ -429,6 +429,33 @@ interface(`sssd_dontaudit_stream_connect',` + + ######################################## + ## ++## Execute sssd in the sssd domain, and ++## allow the specified role the sssd domain. ++## ++## ++## ++## Domain allowed to transition. ++## ++## ++## ++## ++## Role allowed access. ++## ++## ++## ++# ++interface(`sssd_run_sssd',` ++ gen_require(` ++ type sssd_t; ++ attribute_role sssd_roles; ++ ') ++ ++ sssd_domtrans($1) ++ roleattribute $2 sssd_roles; ++') ++ ++######################################## ++## + ## Connect to sssd over a unix stream socket in /var/run. + ## + ## +diff --git a/policy/modules/contrib/sssd.te b/policy/modules/contrib/sssd.te +index b510dca..f64472c 100644 +--- a/policy/modules/contrib/sssd.te ++++ b/policy/modules/contrib/sssd.te +@@ -5,6 +5,8 @@ policy_module(sssd, 1.2.0) + # Declarations + # + ++attribute_role sssd_roles; ++ + ## + ##

+ ## Allow sssd read, view, and write access to kernel keys with kernel_t type +@@ -22,6 +24,7 @@ gen_tunable(sssd_connect_all_unreserved_ports, false) + type sssd_t; + type sssd_exec_t; + init_daemon_domain(sssd_t, sssd_exec_t) ++role sssd_roles types sssd_t; + + type sssd_initrc_exec_t; + init_script_file(sssd_initrc_exec_t) +-- +1.8.3.1 + diff --git a/selinux-policy.spec b/selinux-policy.spec index 9afe8b7..53f5540 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -12,7 +12,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 35.5 -Release: 5 +Release: 6 License: GPLv2+ URL: https://github.com/fedora-selinux/selinux-policy/ @@ -64,7 +64,7 @@ Patch8: allow-rpcbind-to-bind-all-port.patch Patch9: add-avc-for-systemd-journald.patch Patch10: add-avc-for-systemd.patch -#Patch6000: backport-Allow-kdump_t-net_admin-capability.patch +Patch6000: backport-Allow-domain-transition-to-sssd_t-and-role-access-to.patch Patch9000: add-qemu_exec_t-for-stratovirt.patch Patch9001: fix-context-of-usr-bin-rpmdb.patch @@ -735,6 +735,9 @@ exit 0 %endif %changelog +* Mon Jun 27 2022 lujie - 35.5-6 +- Allow domain transition to sssd_t and role access to sssd + * Sat Jun 25 2022 luhuaxin - 35.5-5 - allow httpd to create files in /etc/httpd -- Gitee
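Review bot: The `sssd_domtrans(groupadd_t)` / `sssd_domtrans(useradd_t)` lines in usermanage.te, together with the new `/usr/sbin/sss_cache -- gen_context(system_u:object_r:sssd_exec_t,s0)` entry in sssd.fc, make a cache-invalidation helper run with the complete `sssd_t` daemon permission set, which is considerably broader than the setgid the denial in the description asked for; the patch description should state that sharing the daemon domain (rather than a narrower helper domain) is the intended trade-off so a later maintainer does not treat it as an accident. The same widening applies to `sssd_run_sssd(rpm_script_t, rpm_script_roles)` in rpm.te, although rpm_script_t is already highly privileged so the practical effect there is small. `sssd_run_sssd` follows the `tzdata_run` shape visible in the same rpm.te hunk, so the `roleattribute $2 sssd_roles;` usage is consistent with the module. Note also that the new file context only takes effect once sss_cache is relabelled; whether the package's scriptlets do that on upgrade is outside this hunk, so a stale `bin_t` label would reproduce the original denial until `restorecon` runs.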
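Review bot: `Patch6000:` is only declared in the `@@ -64,7 +64,7 @@` hunk; whether it is actually applied depends on the `%prep` section, which is outside this hunk — with an explicit `%patch` list a matching `%patch6000 -p1` is needed, while `%autosetup` picks it up automatically. Since the previous occupant of that number was commented out, it is worth confirming the patch is applied and not merely listed, otherwise the 35.5-6 changelog entry would describe a change the built policy does not contain.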