| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
| |
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
Closes: https://github.com/gentoo/hardened-refpolicy/pull/2
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Various fixes for containers and podman, mostly centered around quadlet
and netavark updates.
One particular change which may stand out is allowing podman_conmon_t to
IOCTL container_file_t files. I wish I could know why this was hit, but
I don't. The relevant AVC is:
type=PROCTITLE msg=audit(1704734027.100:15951872): proctitle=2F7573722F6C6962657865632F706F646D616E2F636F6E6D6F6E002D2D6170692D76657273696F6E0031002D630038316432646439333738336637626231346134326463396635333163663533323864653337633838663330383466316634613036616464366163393035666337002D75003831643264643933373833663762
type=EXECVE msg=audit(1704734027.100:15951872): argc=93 a0="/usr/libexec/podman/conmon" a1="--api-version" a2="1" a3="-c" a4="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a5="-u" a6="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a7="-r" a8="/usr/bin/crun" a9="-b" a10="/var/lib/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata" a11="-p" a12="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/pidfile" a13="-n" a14="harbor-core-pod-core" a15="--exit-dir" a16="/run/libpod/exits" a17="--full-attach" a18="-s" a19="-l" a20="journald" a21="--log-level" a22="warning" a23="--syslog" a24="--runtime-arg" a25="--log-format=json" a26="--runtime-arg" a27="--log" a28="--runtime-arg=/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/oci-log" a29="--conmon-pidfile" a30="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/conmon.pid" a31="--exit-command" a32="/usr/bin/podman" a33="--exit-command-arg" a34="--root" a35="--exit-command-arg" a36="/var/lib/containers/storage" a37="--exit-command-arg" a38="--runroot" a39="--exit-command-arg" a40="/run/containers/storage" a41="--exit-command-arg" a42="--log-level" a43="--exit-command-arg" a44="warning" a45="--exit-command-arg" a46="--cgroup-manager" a47="--exit-command-arg" a48="systemd" a49="--exit-command-arg" a50="--tmpdir" a51="--exit-command-arg" a52="/run/libpod" a53="--exit-command-arg" a54="--network-config-dir" a55="--exit-command-arg" a56="" a57="--exit-command-arg" a58="--network-backend" a59="--exit-command-arg" a60="netavark" a61="--exit-command-arg" a62="--volumepath" a63="--exit-command-arg" a64="/var/lib/containers/storage/volumes" a65="--exit-command-arg" a66="--db-backend" a67="--exit-command-arg" a68="sqlite" a69="--exit-command-arg" a70="--transient-store=false" a71="--exit-command-arg" a72="--runtime" a73="--exit-command-arg" a74="crun" a75="--exit-command-arg" a76="--storage-driver" a77="--exit-command-arg" a78="overlay" a79="--exit-command-arg" a80="--storage-opt" a81="--exit-command-arg" a82="overlay.mountopt=nodev" a83="--exit-command-arg" a84="--events-backend" a85="--exit-command-arg" a86="journald" a87="--exit-command-arg" a88="container" a89="--exit-command-arg" a90="cleanup" a91="--exit-command-arg" a92="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7"
type=SYSCALL msg=audit(1704734027.100:15951872): arch=c000003e syscall=59 success=yes exit=0 a0=c000698020 a1=c0005ea600 a2=c000820d20 a3=0 items=0 ppid=3434178 pid=3434219 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmon" exe="/usr/bin/conmon" subj=system_u:system_r:podman_conmon_t:s0 key=(null)
type=AVC msg=audit(1704734027.100:15951872): avc: denied { ioctl } for pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
| |
This is to support using Synapse workers which require binding to
multiple TCP ports in lieu of manually labeling unreserved ports for
use.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
| |
systemd-boot's bootctl utility is used to install and update its EFI
binaries in the EFI partition. If it is mounted with boot_t, bootctl
needs to be able to manage boot_t files.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
| |
This is for RTP streaming.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
| |
Add a separate tunable to allow Postgres to use execmem. This is to
support JIT in the Postgres server without enabling it for the entire
system.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
| |
This is to support user home directories primarily living in another
directory with a symlink in /home that points to it.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
| |
type=AVC msg=audit(1696613589.191:194926): avc: denied { search } for pid=1724 comm="f2b/f.dovecot" name="net" dev="proc" ino=2813 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
| |
Without this, a lengthy 2 minute delay can be observed SSHing into a
system while pam_systemd tries to create a login session.
May 06 14:22:08 megumin.fuwafuwatime.moe sshd[29384]: pam_systemd(sshd:session): Failed to create session: Connection timed out
type=AVC msg=audit(1715019897.540:13855): avc: denied { use } for pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=1
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
| |
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
| |
node=localhost type=AVC msg=audit(1714870999.370:3558): avc: denied { map } for pid=7081 comm="cockpit-bridge" path=2F6465762F23373933202864656C6574656429 dev="devtmpfs" ino=793 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:staff_cockpit_tmpfs_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
| |
Add initial privilege and integrity tests.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
| |
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
| |
This is related to FFI use in python3-openssl. Libffi now changes behavior
when it detects SELinux, to avoid this type of denial.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
Xend/xm was replaced with xl in Xen 4.5 (Jan 2015).
https://xenproject.org/2015/01/15/less-is-more-in-the-new-xen-project-4-5-release/
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
IgnoreSIGPIPE is a feature that requires systemd to passdown the signal
mask down to the fork process. To allow this the siginh permission must
be allowed for all process domains that can be forked by systemd.
Signed-off-by: Matt Sheets <masheets@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
| |
This is part of the HPOJ, which was superseded by HPLIP in 2006.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
| |
This domain also calls kernel_request_load_module(), which should be
sufficient.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
| |
This domain also calls kernel_request_load_module(), which should be
sufficent.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
| |
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
| |
By using domain_entry_file() to provide the entrypoint permission, it makes
the spool file an executable, with unexpected access.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
| |
The user domains were allowed to modify uml_exec_t files.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
manipulate it (CRUD)
When attempting to set the PRETTY_HOSTNAME (e.g. hostnamectl --pretty hostname "My Pretty Host") you will receive these denials in the audit log:
`node=localhost type=AVC msg=audit(1713748477.775:17769): avc: denied { create } for pid=3012 comm="systemd-hostnam" name=".#machine-infocuJGLW" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1713748477.775:17769): avc: denied { write } for pid=3012 comm="systemd-hostnam" path="/etc/.#machine-infocuJGLW" dev="dm-1" ino=1180584 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
node=localhost type=PATH msg=audit(1713748477.775:17769): item=1 name="/etc/.#machine-infocuJGLW" inode=1180584 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
node=localhost type=AVC msg=audit(1713748477.775:17770): avc: denied { setattr } for pid=3012 comm="systemd-hostnam" name=".#machine-infocuJGLW" dev="dm-1" ino=1180584 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1713748477.776:17771): avc: denied { rename } for pid=3012 comm="systemd-hostnam" name=".#machine-infocuJGLW" dev="dm-1" ino=1180584 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
node=localhost type=PATH msg=audit(1713748477.776:17771): item=2 name="/etc/.#machine-infocuJGLW" inode=1180584 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
node=localhost type=PATH msg=audit(1713748477.776:17771): item=3 name="/etc/machine-info" inode=1180584 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
node=localhost type=PATH msg=audit(1713748497.093:17897): item=0 name="/etc/machine-info" inode=1180584 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root`
This is on a Rocky 9 system where the default type is etc_t. Setting the type to net_conf_t allows the command to succeed without error.
Signed-off-by: Rick Alther <alther@acm.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
| |
Signed-off-by: Rick Alther <alther@acm.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
Caused by the latest openssh version in Debian sid:
AVC avc: denied { getattr } for pid=13544 comm="sshd" path="/run/systemd/notify" dev="tmpfs" ino=286 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:systemd_runtime_notify_t:s0 tclass=sock_file permissive=0
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
| |
AVC avc: denied { map } for pid=581 comm="quotaon" path="/usr/lib/locale/locale-archive" dev="vda1" ino=392093 scontext=system_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:locale_t:s0 tclass=file permissive=0
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
| |
Since Linux 6.7 checkpoint-restore functionality is guareded via the
capability CAP_CHECKPOINT_RESTORE, with a fallback to CAP_SYS_ADMIN.
Grant the new capability while keeping the old one for backwards
compatibility.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
binary is now /usr/sbin/sos
Cleanup "invalid security context" type errors
Allow read/write user ptty
node=destination type=AVC msg=audit(1709914012.455:7495): avc: denied { read write } for pid=2214 comm="sos" path="/dev/pts/0" dev="devpts" ino=3 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
node=destination type=AVC msg=audit(1709914012.527:7512): avc: denied { ioctl } for pid=2214 comm="sos" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5401 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
node=destination type=AVC msg=audit(1709928066.892:80267): avc: denied { create } for pid=3998 comm="mkfifo" name="systemd-cat" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1
node=destination type=AVC msg=audit(1709928066.893:80269): avc: denied { write } for pid=3968 comm="dracut" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1
node=destination type=AVC msg=audit(1709928066.893:80269): avc: denied { open } for pid=3968 comm="dracut" path="/var/tmp/dracut.GUBZQZ/systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1
node=destination type=AVC msg=audit(1709928066.893:80281): avc: denied { read } for pid=3999 comm="dracut" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1
node=destination type=AVC msg=audit(1709928068.848:94243): avc: denied { unlink } for pid=4049 comm="rm" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1
node=destination type=AVC msg=audit(1709928080.775:126505): avc: denied { create } for pid=2229 comm="sos" name="lvmpolld.socket" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=sock_file permissive=1
node=destination type=AVC msg=audit(1709928080.775:126510): avc: denied { setattr } for pid=2229 comm="sos" name="lvmpolld.socket" dev="dm-3" ino=138652 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=sock_file permissive=1
Allow sosreport to read SELinux booleans
node=destination type=AVC msg=audit(1709931730.500:181982): avc: denied { read } for pid=6578 comm="sestatus" name="aide_mmap_files" dev="selinuxfs" ino=33554432 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:boolean_t:s0 tclass=file permissive=1
node=destination type=AVC msg=audit(1709931730.500:181982): avc: denied { open } for pid=6578 comm="sestatus" path="/sys/fs/selinux/booleans/aide_mmap_files" dev="selinuxfs" ino=33554432 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:boolean_t:s0 tclass=file permissive=1
Allow sosreport dbus send_msg
node=destination type=USER_AVC msg=audit(1709931682.344:10950): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'�UID="dbus" AUID="unset" SAUID="dbus"
node=destination type=USER_AVC msg=audit(1709931707.581:103764): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'�UID="dbus" AUID="unset" SAUID="dbus"
node=destination type=USER_AVC msg=audit(1709931711.203:109364): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker
node=destination type=USER_AVC msg=audit(1709931713.737:118226): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'�UID="dbus" AUID="unset" SAUID="dbus"
node=destination type=USER_AVC msg=audit(1709931741.992:218433): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'�UID="dbus" AUID="unset" SAUID="dbus"
node=destination type=USER_AVC msg=audit(1709931735.870:210757): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:devicekit_disk_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'�UID="dbus" AUID="unset" SAUID="dbus"
node=destination type=USER_AVC msg=audit(1709931742.051:218502): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'�UID="dbus" AUID="unset" SAUID="dbus"
Allow sosreport to get status of all units
node=destination type=USER_AVC msg=audit(1709951886.954:202544): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dm-event.socket" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:lvm_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'�UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
node=destination type=USER_AVC msg=audit(1709951886.994:202604): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dnf-makecache.timer" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:rpm_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'�UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
node=destination type=USER_AVC msg=audit(1709951860.321:103971): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/fwupd.service" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'�UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
node=destination type=USER_AVC msg=audit(1709951889.117:209277): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-rfkill.service" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_rfkill_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'�UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
Allow sosreport to map some files
node=destination type=AVC msg=audit(1709951889.013:209184): avc: denied { map } for pid=6932 comm="lsusb" path="/etc/udev/hwdb.bin" dev="dm-0" ino=1180591 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
node=destination type=AVC msg=audit(1709951850.662:58892): avc: denied { map } for pid=3814 comm="journalctl" path="/var/log/journal/4fa8dbda531a499cb4bdf065a9b23471/user-1000@db7a3287b7234e07b839915b69371deb-000000000000110a-0006133115ceaa6d.journal" dev="dm-6" ino=262149 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
Access SELinux stuff
node=destination type=AVC msg=audit(1709951851.398:60712): avc: denied { compute_av } for pid=3902 comm="crontab" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
node=destination type=AVC msg=audit(1709951864.926:110932): avc: denied { map } for pid=5345 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
node=destination type=AVC msg=audit(1709951883.687:182874): avc: denied { check_context } for pid=6675 comm="selinuxdefcon" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
node=destination type=AVC msg=audit(1709951883.763:183087): avc: denied { compute_create } for pid=6696 comm="selinuxexeccon" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
node=destination type=AVC msg=audit(1709951883.946:183609): avc: denied { map } for pid=6715 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
node=destination type=AVC msg=audit(1709951884.669:188960): avc: denied { read_policy } for pid=6703 comm="semanage" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
| |
The dbus selinux interface comes from policycoreutils-dbus package
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
| |
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
| |
Drop a line containing a single space from the file context file to
avoid SELint stumble on it:
libraries.mod.fc: 130: (E): Bad file context format (E-002)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
| |
AVC avc: denied { read } for pid=770 comm="mkdir" name="filesystems" dev="proc" ino=4026532069 scontext=system_u:system_r:consolesetup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
type=PROCTITLE msg=audit(21/02/24 23:31:52.659:83) : proctitle=/usr/lib/systemd/systemd-logind
type=SYSCALL msg=audit(21/02/24 23:31:52.659:83) : arch=x86_64 syscall=recvmsg success=yes exit=24 a0=0xf a1=0x7ffdec4e7bc0 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=909 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(21/02/24 23:31:52.659:83) : avc: denied { use } for pid=909 comm=systemd-logind path=anon_inode:[pidfd] dev="anon_inodefs" ino=1051 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=1
p.s.: this might need an overhaul after pidfd handling in the kernel has
been improved.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
| |
AVC avc: denied { create } for pid=685 comm="ifquery" name="network" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
type=1400 audit(1708552475.580:3): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/etc/init.d/auditd" dev="vda1" ino=262124 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_initrc_exec_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:4): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/auditd.service" dev="vda1" ino=395421 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:5): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/etc/init.d/vnstat" dev="vda1" ino=261247 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_initrc_exec_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:6): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/vnstat.service" dev="vda1" ino=394196 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:7): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/dbus-broker.service" dev="vda1" ino=394383 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:dbusd_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.584:8): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/qemu-guest-agent.service" dev="vda1" ino=392981 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:qemu_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.584:9): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/ssh.service" dev="vda1" ino=393521 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:sshd_unit_t:s0 tclass=file permissive=1
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
| |
Adopted from https://github.com/fedora-selinux/selinux-policy/commit/5580e9a576f759820dbc3387961ce58a959221dc
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
| |
type=PROCTITLE msg=audit(21/02/24 22:54:36.792:69) : proctitle=/usr/sbin/vnstatd -n
type=PATH msg=audit(21/02/24 22:54:36.792:69) : item=0 name=/dev/urandom inode=18 dev=00:2b mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:54:36.792:69) : cwd=/
type=SYSCALL msg=audit(21/02/24 22:54:36.792:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f197cc66865 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=900 auid=unset uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc: denied { open } for pid=900 comm=vnstatd path=/dev/urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc: denied { read } for pid=900 comm=vnstatd name=urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
type=PROCTITLE msg=audit(21/02/24 22:54:36.708:53) : proctitle=/usr/lib/systemd/systemd-binfmt
type=SYSCALL msg=audit(21/02/24 22:54:36.708:53) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x5 a1=0x7ffc547fbda0 a2=0x0 a3=0x0 items=0 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.708:53) : avc: denied { getattr } for pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=filesystem permissive=1
type=PROCTITLE msg=audit(21/02/24 22:54:36.708:54) : proctitle=/usr/lib/systemd/systemd-binfmt
type=PATH msg=audit(21/02/24 22:54:36.708:54) : item=0 name=/proc/self/fd/4 inode=1 dev=00:27 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:binfmt_misc_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:54:36.708:54) : cwd=/
type=SYSCALL msg=audit(21/02/24 22:54:36.708:54) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffc547fbdf0 a1=W_OK a2=0x0 a3=0x0 items=1 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.708:54) : avc: denied { write } for pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
| |
Associate the type memory_pressure_t with the attribute file_type, so
all attribute based rules apply, e.g. for unconfined_t.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
| |
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
| |
|
|
|
|
|
|
|
| |
type=PROCTITLE msg=audit(02/21/24 22:42:44.555:112) : proctitle=newrole -r sysadm_r
type=SYSCALL msg=audit(02/21/24 22:42:44.555:112) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffc75fe1990 a2=0x0 a3=0x0 items=0 ppid=946 pid=1001 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=newrole exe=/usr/bin/newrole subj=root:staff_r:newrole_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/21/24 22:42:44.555:112) : avc: denied { getattr } for pid=1001 comm=newrole name=/ dev=proc ino=1 scontext=root:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
Grzegorz Filo
Kenton Groombridge
Dave Sugar
Chris PeBenito
Matt Sheets
Rick Alther
Rick Alther
Christian Göttsche
Chris PeBenito
GitWeb