Chris PeBenito
a63c24c6b7
Merge pull request #269 from bauen1/systemd-userdb
2020-12-17 09:22:55 -05:00
Chris PeBenito
2a660fb6f6
Merge pull request #325 from pdmorrow/selinux_getbools
...
selinux: add selinux_get_all_booleans() interface
2020-12-15 11:10:12 -05:00
Daniel Burgener
37cc0aae1d
Use self keyword when an AV rule source type matches destination
...
This is reported in a new SELint check in soon to be released selint version 1.2.0
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
2020-12-15 10:29:52 -05:00
Peter Morrow
b3bfd10ccd
selinux: add selinux_get_all_booleans() interface
...
Allow the caller to read the state of selinuxfs booleans.
Signed-off-by: Peter Morrow <pemorrow@linux.microsoft.com>
2020-12-15 15:19:30 +00:00
Chris PeBenito
cef667fa31
systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-15 09:40:48 -05:00
Chris PeBenito
2c2d27ce70
Merge pull request #324 from dburgener/dburgener/systemd-watch
2020-12-15 09:33:50 -05:00
Daniel Burgener
b3204ea4c1
Allow systemd-ask-password to watch files
...
On systems that use plymouth, systemd-ask-password may set watches on
the contents on /run/systemd/ask-password, whereas other scenarions only
set watch on the parent directory.
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-12-11 19:47:13 +00:00
Chris PeBenito
c8c418267d
systemd: Add systemd-tty-ask watch for /run/systemd/ask-password.
...
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2020-12-11 19:45:54 +00:00
Chris PeBenito
87c4adc790
kernel, modutils, userdomain, xserver: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-08 15:13:57 -05:00
Chris PeBenito
97eda18388
Merge pull request #323 from dsugar100/master
2020-12-08 15:09:54 -05:00
Chris PeBenito
7fd6d78c2c
userdomain: Fix error in calling userdom_xdg_user_template().
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-08 15:09:27 -05:00
Chris PeBenito
cdfcec0e9a
Merge pull request #320 from 0xC0ncord/master
2020-12-08 15:01:27 -05:00
Chris PeBenito
d7c3c78c2d
Drop criteria on github actions.
...
Either they do not have the desired effects or they are broken.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-08 12:31:00 -05:00
0xC0ncord
1d15c9e009
userdomain, xserver: move xdg rules to userdom_xdg_user_template
...
xdg rules are normally set in xserver. But, if a modular policy is being
used and the xserver module is not present, the required rules for users
to be able to access xdg content are never created and thus these files
and directories cannot be interacted with by users. This change adds a
new template that can be called to grant these privileges to userdomain
types as necessary.
Signed-off-by: Kenton Groombridge <me@concord.sh>
2020-12-08 10:59:17 -05:00
Dave Sugar
ca5f1a5662
Allow systemd-modules-load to search kernel keys
...
I was seeing the following errors from systemd-modules-load without this search permission.
Dec 7 14:36:19 systemd-modules-load: Failed to insert 'nf_conntrack_ftp': Required key not available
Dec 7 14:36:19 kernel: Request for unknown module key 'Red Hat Enterprise Linux kernel signing key: 3ffb026dadef6e0bc404752a7e7c29095a68eab7' err -13
Dec 7 14:36:19 systemd: systemd-modules-load.service: main process exited, code=exited, status=1/FAILURE
Dec 7 14:36:19 audispd: node=loacalhost type=PROCTITLE msg=audit(1607351779.441:3259): proctitle="/usr/lib/systemd/systemd-modules-load"
Dec 7 14:36:19 systemd: Failed to start Load Kernel Modules.
This is the denial:
Dec 7 15:56:52 audispd: node=localhost type=AVC msg=audit(1607356612.877:3815): avc: denied { search } for pid=11715 comm="systemd-modules" scontext=system_u:system_r:systemd_modules_load_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-12-08 10:51:44 -05:00
Chris PeBenito
699268ff41
init, systemd: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-04 13:32:57 -05:00
Chris PeBenito
b31d8308da
systemd: Rename systemd_connectto_socket_proxyd_unix_sockets() to systemd_stream_connect_socket_proxyd().
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-04 13:31:22 -05:00
Chris PeBenito
42b184c2a8
systemd: Whitespace changes.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-04 13:31:17 -05:00
Chris PeBenito
b4dd2ae0cc
Merge pull request #315 from galaxy4public/systemd-socket-proxyd
2020-12-04 13:29:55 -05:00
Chris PeBenito
8d7ea992e2
Merge pull request #322 from pebenito/github-actions
...
Switch to GitHub actions for CI actions.
2020-12-03 10:10:01 -05:00
Chris PeBenito
e7b9598865
Switch to GitHub actions for CI actions.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-12-03 10:07:05 -05:00
(GalaxyMaster)
c98d287fa3
added policy for systemd-socket-proxyd
...
Signed-off-by: (GalaxyMaster) <galaxy4public@users.noreply.github.com>
2020-12-02 17:38:00 +11:00
Chris PeBenito
fe29a74cad
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-11-22 14:03:11 -05:00
Jason Zaman
d03b8ffdf5
systemd: make remaining dbus_* optional
...
Almost all calls to dbus_ interfaces were already optional, this makes
the remaining one optional_policy so that the modules can be installed /
upgraded easier.
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jason Zaman
6dd6823280
init: upstream fcontexts from gentoo policy
...
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jason Zaman
c9880f52d5
Add transition on gentoo init_t to openrc
...
Commit "init: replace call to init_domtrans_script"
(be231899f5
in upstream repo)
removed the call to init_domtrans_script which removed the openrc
domtrans. This adds it back directly in the distro_gentoo block.
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jonathan Davies
b1927e9f39
init: Added fcontext for openrc-shutdown.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jonathan Davies
b7acd3c4f9
init: Added fcontext for openrc-init.
...
Signed-off-by: Jonathan Davies <jpds@protonmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jonathan Davies
1a39e4dfbe
portage: Added /var/cache/distfiles path.
...
Closes: https://github.com/perfinion/hardened-refpolicy/pull/1
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jason Zaman
0ad23a33ef
getty: allow watching file /run/agetty.reload
...
avc: denied { watch } for pid=2485 comm="agetty" path="/run/agetty.reload" dev="tmpfs" ino=22050 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:getty_runtime_t:s0 tclass=file permissive=0
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Jason Zaman
a98f25ce73
userdomain: Add watch on home dirs
...
avc: denied { watch } for pid=12351 comm="gmain" path="/usr/share/backgrounds/xfce" dev="zfs" ino=366749 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:usr_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=11646 comm="gmain" path="/etc/fonts" dev="zfs" ino=237700 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:fonts_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/Desktop" dev="zfs" ino=33153 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:user_home_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12574 comm="gmain" path="/home/jason/.local/share/icc" dev="zfs" ino=1954514 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_data_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=11795 comm="gmain" path="/home/jason/.config/xfce4/panel/launcher-19" dev="zfs" ino=35464 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_config_t:s0 tclass=dir permissive=0
avc: denied { watch } for pid=12351 comm="gmain" path="/home/jason/downloads/pics" dev="zfs" ino=38173 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:xdg_downloads_t:s0 tclass=dir permissive=0
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <jason@perfinion.com>
2020-11-22 14:00:34 -05:00
Chris PeBenito
82c0b4dd3e
dbus: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-11-20 09:54:32 -05:00
Chris PeBenito
becac418b4
Merge pull request #318 from dburgener/dburgener/system-bus-bindmount
2020-11-20 09:54:08 -05:00
Daniel Burgener
47c495d6f1
Allow init to mount over the system bus
...
In portable profiles, systemd bind mounts the system bus into process
namespaces
Signed-off-by: Daniel Burgener <Daniel.Burgener@microsoft.com>
2020-11-13 14:44:22 +00:00
Chris PeBenito
f1b83f8ef4
lvm: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-11-09 11:45:32 -05:00
Chris PeBenito
67814510fc
Merge pull request #317 from gtrentalancia/master
2020-11-09 11:44:51 -05:00
Guido Trentalancia
7122154c19
Add LVM module permissions needed to open cryptsetup devices.
...
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/lvm.te | 2 ++
1 file changed, 2 insertions(+)
2020-11-09 15:43:01 +01:00
Chris PeBenito
aa8d432584
filesystem, xen: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-11-05 06:55:25 -05:00
Anthony PERARD
4f23a54b52
xen: Allow xenstored to map /proc/xen/xsd_kva
...
xenstored is using mmap() on /proc/xen/xsd_kva, and when the SELinux
boolean "domain_can_mmap_files" in CentOS is set to false the mmap()
call fails.
Signed-off-by: Anthony PERARD <anthony.perard@citrix.com>
2020-11-05 06:55:17 -05:00
Chris PeBenito
cc4cc5c66d
Merge pull request #314 from shammancer/patch-1
...
access_vectors: Add new capabilities to cap2
2020-10-25 15:21:56 -04:00
Dannick Pomerleau
b5bc33bc9c
access_vectors: Add new capabilities to cap2
...
Updated location of capability definitions to point to current location within kernel source code.
CAP_BPF and CAP_PERFMON mainlined in: cb8e59cc87201af93dfbb6c3dccc8fcad72a09c2, original commit: a17b53c4a4b55ec322c132b6670743612229ee9c
CAP_CHECKPOINT_RESTORE mainlined in: 74858abbb1032222f922487fd1a24513bbed80f9, original commit: 124ea650d3072b005457faed69909221c2905a1f
The missing capabilities were noticed on archlinux with kernel 5.8.14-arch1-1.
Signed-off-by: Dannick Pomerleau <dannickp@hotmail.com>
2020-10-15 20:55:35 -04:00
Chris PeBenito
493f56b59d
corosync, pacemaker: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-10-13 15:25:24 -04:00
Chris PeBenito
2507cd590d
Merge pull request #311 from dsugar100/corosync_pacemaker
2020-10-13 15:23:41 -04:00
Dave Sugar
871348f040
Allow pacemaker to map/read/write corosync shared memory files
...
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { read write } for pid=7173 comm="stonithd" name="qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2915): avc: denied { open } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145893.104:2916): avc: denied { map } for pid=7173 comm="stonithd" path="/dev/shm/qb-7065-7173-28-i3gF6U/qb-request-cmap-header" dev="tmpfs" ino=37263 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-10-13 13:44:18 -04:00
Dave Sugar
f36e39b45e
pacemaker systemd permissions
...
Allow pacemaker to get status of all running services and reload systemd
Sep 27 01:59:16 localhost audispd: node=virtual type=USER_AVC msg=audit(1601171956.494:2945): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Sep 29 01:46:09 localhost audispd: node=virtual type=USER_AVC msg=audit(1601343969.962:2974): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { reload } for auid=n/a uid=0 gid=0 cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=system exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Allow pacemaker to start/sotp all units (when enabled)
Sep 30 14:37:14 localhost audispd: node=virtual type=USER_AVC msg=audit(1601476634.877:3075): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { start } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/target-monitor@.service" cmdline="/usr/libexec/pacemaker/lrmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Allow for dynamic creation of unit files (with private type)
By using a private type pacemaker doesn't need permission to
read/write all init_runtime_t files.
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { write } for pid=5075 comm="lrmd" name="system" dev="tmpfs" ino=1177 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { add_name } for pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.759:3071): avc: denied { create } for pid=5075 comm="lrmd" name="target-monitor@my.service.d" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { create } for pid=5075 comm="lrmd" name="50-pacemaker.conf" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3072): avc: denied { write open } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Sep 30 14:37:14 localhost audispd: node=virtual type=AVC msg=audit(1601476634.761:3073): avc: denied { getattr } for pid=5075 comm="lrmd" path="/run/systemd/system/target-monitor@my.service.d/50-pacemaker.conf" dev="tmpfs" ino=48933 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-10-13 13:44:18 -04:00
Dave Sugar
428cc2ef9c
To get pacemaker working in enforcing
...
Allow pacemaker to map its shared memory
Sep 27 00:30:32 localhost audispd: node=virtual type=AVC msg=audit(1601166632.229:2936): avc: denied { map } for pid=7173 comm="cib" path="/dev/shm/qb-7173-7465-14-5Voxju/qb-request-cib_rw-header" dev="tmpfs" ino=39707 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_tmpfs_t:s0 tclass=file permissive=1
Label pacemaker private log file
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { write } for pid=7168 comm="pacemakerd" name="/" dev="tmpfs" ino=13995 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { add_name } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { create } for pid=7168 comm="pacemakerd" name="pacemaker.log" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
Sep 26 18:44:56 localhost audispd: node=virtual type=AVC msg=audit(1601145892.788:2902): avc: denied { append open } for pid=7168 comm="pacemakerd" path="/var/log/pacemaker.log" dev="tmpfs" ino=32670 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=1
It writes to log, but also reads
Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.381:2892): avc: denied { read } for pid=7177 comm="pengine" name="pacemaker.log" dev="tmpfs" ino=35813 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:pacemaker_log_t:s0 tclass=file permissive=1
Pacemaker can read stuff in /usr/share/pacemaker/
Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { read } for pid=7173 comm="cib" name="pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Sep 27 00:30:30 localhost audispd: node=virtual type=AVC msg=audit(1601166628.383:2893): avc: denied { open } for pid=7173 comm="cib" path="/usr/share/pacemaker/pacemaker-2.10.rng" dev="dm-0" ino=76508 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
pacemaker dbus related stuff
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { write } for pid=7175 comm="lrmd" name="system_bus_socket" dev="tmpfs" ino=13960 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:system_dbusd_runtime_t:s0 tclass=sock_file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.761:2953): avc: denied { connectto } for pid=7175 comm="lrmd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.763:2954): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=7175 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.764:2955): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=LoadUnit dest=org.freedesktop.systemd1 spid=7175 tpid=1 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Sep 27 00:30:50 localhost audispd: node=virtual type=USER_AVC msg=audit(1601166650.767:2959): pid=2798 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.12 spid=1 tpid=7175 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=dbus exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Pacemaker execute network monitoring
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2962): avc: denied { getattr } for pid=7581 comm="which" path="/usr/sbin/arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.778:2963): avc: denied { execute } for pid=7551 comm="ethmonitor" name="arping" dev="dm-0" ino=25739 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:netutils_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.766:2956): avc: denied { getattr } for pid=7556 comm="which" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.767:2957): avc: denied { execute } for pid=7541 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2960): avc: denied { read } for pid=7582 comm="IPaddr2" name="ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { open } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { execute_no_trans } for pid=7582 comm="IPaddr2" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.777:2961): avc: denied { map } for pid=7582 comm="ip" path="/usr/sbin/ip" dev="dm-0" ino=25853 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:ifconfig_exec_t:s0 tclass=file permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { nlmsg_write } for pid=7617 comm="ip" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=netlink_route_socket permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.796:2965): avc: denied { net_admin } for pid=7617 comm="ip" capability=12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1
Update pacemaker process perms
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.729:2950): avc: denied { getsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
Sep 27 00:30:50 localhost audispd: node=virtual type=AVC msg=audit(1601166650.730:2951): avc: denied { setsched } for pid=7537 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
Sep 27 00:30:59 localhost audispd: node=virtual type=AVC msg=audit(1601166659.606:2967): avc: denied { signull } for pid=7178 comm="crmd" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
pacemaker network communication
Sep 29 01:46:08 localhost audispd: node=virtual type=AVC msg=audit(1601343968.444:2963): avc: denied { node_bind } for pid=7681 comm="send_arp" saddr=192.168.11.12 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:node_t:s0 tclass=udp_socket permissive=1
Sep 29 02:08:25 localhost audispd: node=virtual type=AVC msg=audit(1601345305.150:3137): avc: denied { net_raw } for pid=8317 comm="send_arp" capability=13 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=capability permissive=1
Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3094): avc: denied { getcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
Sep 30 13:43:16 localhost audispd: node=virtual type=AVC msg=audit(1601473396.111:3095): avc: denied { setcap } for pid=6144 comm="arping" scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:system_r:pacemaker_t:s0 tclass=process permissive=1
Let pacemaker exec lib_t files
Oct 1 14:48:25 localhost audispd: node=virtual type=AVC msg=audit(1601563705.848:2242): avc: denied { execute_no_trans } for pid=6909 comm="crm_resource" path="/usr/lib/ocf/resource.d/heartbeat/IPsrcaddr" dev="dm-0" ino=82111 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
Oct 1 15:01:31 localhost audispd: node=virtual type=AVC msg=audit(1601564491.091:2353): avc: denied { execute_no_trans } for pid=8285 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/ethmonitor" dev="dm-0" ino=82129 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
Oct 1 14:49:21 localhost audispd: node=virtual type=AVC msg=audit(1601563761.158:2265): avc: denied { execute_no_trans } for pid=7307 comm="lrmd" path="/usr/lib/ocf/resource.d/heartbeat/IPaddr2" dev="dm-0" ino=82110 scontext=system_u:system_r:pacemaker_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-10-13 13:43:41 -04:00
Dave Sugar
ea1e0e7a9b
Updates for corosync to work in enforcing
...
Allow corosync to map its own shared memory
Sep 26 18:45:02 localhost audispd: node=virtual type=AVC msg=audit(1601145902.400:2972): avc: denied { map } for pid=6903 comm="corosync" path="/dev/shm/qb-6903-7028-31-FGGoGv/qb-request-cmap-header" dev="tmpfs" ino=40759 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:corosync_tmpfs_t:s0 tclass=file permissive=1
Setup corosync lock file type
Sep 27 17:20:07 localhost audispd: node=virtual type=PATH msg=audit(1601227207.522:3421): item=1 name="/var/lock/subsys/corosync" inode=35029 dev=00:14 mode=0100640 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lock_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc: denied { read } for pid=6748 comm="corosync" name="lock" dev="dm-0" ino=13082 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=lnk_file permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.093:2862): avc: denied { search } for pid=6748 comm="corosync" name="lock" dev="tmpfs" ino=10248 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { add_name } for pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=dir permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { create } for pid=7066 comm="touch" name="corosync" scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
Sep 27 17:34:49 localhost audispd: node=virtual type=AVC msg=audit(1601228085.797:2882): avc: denied { write open } for pid=7066 comm="touch" path="/run/lock/subsys/corosync" dev="tmpfs" ino=35048 scontext=system_u:system_r:corosync_t:s0 tcontext=system_u:object_r:var_lock_t:s0 tclass=file permissive=1
On RHEL7 systemd executes '/usr/share/corosync/corosync start' to start, label these files.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
2020-10-13 10:28:00 -04:00
Chris PeBenito
14a45a594b
devices, filesystem, systemd, ntp: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-10-09 09:45:11 -04:00
Chris PeBenito
785677771d
Merge pull request #313 from bootlin/buildroot-systemd-fixes
2020-10-09 09:42:40 -04:00
Chris PeBenito
b5525a3fca
systemd: Move systemd-pstore block up in alphabetical order.
...
No rule change.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-10-09 09:42:31 -04:00