selinux: Allow reading access to systemd's userdbd
To access systemd's userdb through the socket, laurel needs access to
labels around systemd_userdbd_runtime_t. Debian and Redhat provide
different interfaces to achieve this.
comawill committed May 10, 2024
1 parent 513bf69 commit 84af243
Showing 1 changed file with 7 additions and 0 deletions.
7 changes: 7 additions & 0 deletions contrib/selinux/laurel.te
@@ -52,10 +52,17 @@ files_getattr_all_files(laurel_t)
ifdef(`distro_debian',`
gen_require(`type etc_t;')
allow laurel_t etc_t:file { open read };
ifdef(`systemd_stream_connect_userdb',`
systemd_stream_connect_userdb(laurel_t)
')
')

ifdef(`distro_redhat',`
gen_require(`type passwd_file_t;')
allow laurel_t passwd_file_t:file { open read };
ifdef(`systemd_userdbd_stream_connect',`
systemd_userdbd_stream_connect(laurel_t)
')
')

# Access user database via SSSD
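Review bot: the `ifdef(`systemd_stream_connect_userdb',...)` and `ifdef(`systemd_userdbd_stream_connect',...)` guards silently omit the userdb socket access whenever the installed policy does not define that interface, so on such a system laurel still builds and loads cleanly but its userdb lookups fail at runtime with AVC denials and nothing at build time points to this block. A one-line comment above each guard stating the intent would help, for example `# guarded: older policy versions lack this interface; without it userdb lookups are denied`, and that comment is also the natural place to record which interface name each distribution's policy ships, as the commit message already does, since the two names differ only in word order and are easy to confuse.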