nisbet-hubbard
75c2805313
Update mysql.fc
...
Signed-off-by: nisbet-hubbard <87453615+nisbet-hubbard@users.noreply.github.com>
2024-09-15 07:58:57 +08:00
Chris PeBenito
a0f8bd4ff7
Merge pull request #807 from dsugar100/main
...
Additional permissions when fapolicyd.conf more strict
2024-09-13 11:35:57 -04:00
Dave Sugar
70b06f1618
Additional permissions when fapolicyd.conf more strict
...
When fapolicyd is configured with allow_filesystem_mark = 1 it watches filesystems and mount points.
When fapolicyd is configured with integrity = sha256 it mmaps files to perform the hash.
node=localhost type=AVC msg=audit(1726153668.013:418): avc: denied { watch } for pid=1561 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
node=localhost type=AVC msg=audit(1726154081.718:403): avc: denied { watch } for pid=1598 comm="fapolicyd" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
node=localhost type=AVC msg=audit(1726154081.718:403): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154081.718:402): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154081.721:404): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/boot" dev="sda2" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154081.722:406): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/var" dev="dm-9" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154706.227:415): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/bin/kmod" dev="dm-1" ino=14600 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1726154743.367:999): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/lib/systemd/systemd" dev="dm-1" ino=17564 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1726154743.403:1030): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/bin/bash" dev="dm-1" ino=3571 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1726154807.975:476): avc: denied { map } for pid=1599 comm="fapolicyd" path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator" dev="dm-1" ino=17589 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:systemd_generator_exec_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-09-13 11:14:28 -04:00
Chris PeBenito
351a5a7f4d
Merge pull request #805 from yizhao1/systemd-v256
...
Fixes for systemd v256
2024-09-11 14:36:58 -04:00
Yi Zhao
c20cf22142
systemd: allow systemd-hostnamed to read vsock device
...
Fixes:
avc: denied { read } for pid=463 comm="systemd-hostnam" name="vsock"
dev="devtmpfs" ino=170 scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-09-10 15:45:32 +08:00
Yi Zhao
4f3437040a
systemd: fix policy for systemd-ssh-generator
...
Fixes:
avc: denied { getattr } for pid=121 comm="systemd-ssh-gen"
path="/usr/sbin/sshd" dev="vda" ino=7787
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1
avc: denied { execute } for pid=121 comm="systemd-ssh-gen"
name="sshd" dev="vda" ino=7787
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1
avc: denied { create } for pid=121 comm="systemd-ssh-gen"
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=vsock_socket
permissive=1
avc: denied { read } for pid=121 comm="systemd-ssh-gen" name="vsock"
dev="devtmpfs" ino=152 scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
avc: denied { open } for pid=121 comm="systemd-ssh-gen"
path="/dev/vsock" dev="devtmpfs" ino=152
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
avc: denied { ioctl } for pid=121 comm="systemd-ssh-gen"
path="/dev/vsock" dev="devtmpfs" ino=152 ioctlcmd=0x7b9
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-09-10 14:37:49 +08:00
Yi Zhao
d852b75403
devices: add label vsock_device_t for /dev/vsock
...
Vsock is a Linux socket family designed to allow communication between a
VM and its hypervisor. Add a new label vsock_device_t for the vsock device.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-09-10 14:37:46 +08:00
Yi Zhao
a4a7b830fe
systemd: add policy for systemd-nsresourced
...
The systemd-nsresourced service was added in systemd v256[1]. Add policy
for this service and allow all domains to connect to it over unix
socket.
Fixes:
avc: denied { connectto } for pid=325 comm="avahi-daemon"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:avahi_t tcontext=system_u:system_r:initrc_t
tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=327 comm="dbus-daemon"
name="io.systemd.NamespaceResource" dev="tmpfs" ino=54
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:init_runtime_t tclass=sock_file permissive=1
avc: denied { connectto } for pid=327 comm="dbus-daemon"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1
avc: denied { connectto } for pid=200 comm="systemd-userwor"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:systemd_userdbd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1
avc: denied { connectto } for pid=198 comm="systemd-userwor"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:systemd_userdbd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1
[1] 8aee931e7a
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-09-10 14:36:43 +08:00
Yi Zhao
47081be472
systemd: allow systemd --user to create netlink_route_socket
...
Fixes:
avc: denied { create } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { getopt } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { setopt } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { bind } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { getattr } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { write } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { nlmsg_read } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { read } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { sendto } for pid=378 comm="(ystemctl)"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=unix_dgram_socket
permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-09-03 09:41:52 +08:00
Yi Zhao
78cacc7088
systemd: allow systemd-networkd to manage sock files under /run/systemd/netif
...
Fixes:
avc: denied { create } for pid=344 comm="systemd-network"
name="io.systemd.Network" scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:systemd_networkd_runtime_t tclass=sock_file
permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-09-03 09:41:49 +08:00
Yi Zhao
29d0bb8c33
systemd: set context to systemd_networkd_var_lib_t for /var/lib/systemd/network
...
Fixes:
avc: denied { read } for pid=344 comm="systemd-network"
path="/var/lib/systemd/network" dev="vda" ino=30708
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1
avc: denied { write } for pid=344 comm="systemd-network"
name="network" dev="vda" ino=30708
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1
avc: denied { getattr } for pid=344 comm="systemd-network"
path="/var/lib/systemd/network" dev="vda" ino=30708
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-09-03 09:41:47 +08:00
Chris PeBenito
6d29eb2388
Merge pull request #806 from gtrentalancia/netlabel_fix
...
Allow interactive user terminal output for the NetLabel management tool
2024-08-28 12:08:59 -04:00
Guido Trentalancia
22fd3ddad4
Allow interactive user terminal output for the
...
NetLabel management tool.
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/netlabel.te | 2 ++
1 file changed, 2 insertions(+)
2024-08-27 14:34:42 +02:00
Chris PeBenito
faa409e9f4
Merge pull request #801 from 0xC0ncord/various/20240807
...
Various fixes
2024-08-21 10:25:47 -04:00
Chris PeBenito
33cfaeb417
Merge pull request #804 from pebenito/quic_nakella-dbus-bluetooth-helper
...
Adding SE Policy rules to allow usage of unix stream sockets by dbus …
2024-08-19 08:56:29 -04:00
Chris PeBenito
c1284c6019
bluetooth: Move line.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2024-08-19 08:19:48 -04:00
Naga Bhavani Akella
50a5555f2f
Adding SE Policy rules to allow usage of unix stream sockets by dbus and bluetooth contexts when GATT notifications are turned on by the remote.
...
Below are the avc denials that are resolved -
1. AVC avc: denied { use } for pid=916 comm="dbus-daemon"
path="socket:[71126]" dev="sockfs" ino=71126
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=fd permissive=0
2. AVC avc: denied { read write } for pid=913 comm="dbus-daemon"
path="socket:[25037]" dev="sockfs" ino=25037
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=0
3. AVC avc: denied { use } for pid=910 comm="bluetoothd"
path="socket:[23966]" dev="sockfs" ino=23966
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=fd permissive=0
4. AVC avc: denied { read write } for pid=2229 comm="bluetoothd"
path="socket:[27264]" dev="sockfs" ino=27264
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=0
Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
2024-08-19 08:15:10 -04:00
Kenton Groombridge
2b8fa2b4ab
kubernetes: allow kubelet to connect all TCP ports
...
For pod health checks.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-16 14:38:37 -04:00
Kenton Groombridge
9ab94df30d
container: allow reading generic certs
...
There are cases where one may want to mount certs on the host into a
container.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-16 14:38:19 -04:00
Chris PeBenito
274de5bb5d
Merge pull request #802 from 0xC0ncord/kubevirt
...
Add policy for KubeVirt
2024-08-16 14:21:53 -04:00
Chris PeBenito
b15f50a428
Merge pull request #803 from cgzones/quotes
...
Makefile: drop duplicate quotes
2024-08-16 14:02:54 -04:00
Kenton Groombridge
7530dfa3c6
testing: add container_kvm_t to net admin exempt list
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-14 10:14:33 -04:00
Christian Göttsche
47eced9be5
Makefile: drop duplicate quotes
...
The variable is used quoted.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-08-10 22:40:31 +02:00
Kenton Groombridge
b0b0d52dd6
various: rules required for DV manipulation in kubevirt
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-09 15:36:57 -04:00
Kenton Groombridge
21e4a44c0c
container: add container_kvm_t and supporting kubevirt rules
...
container_kvm_t is the type for containers with access to KVM for
running virtual machines.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-09 15:30:01 -04:00
Kenton Groombridge
a9bd177bbb
iptables: allow reading container engine tmp files
...
When multus creates a new network, iptables rules get written to /tmp
and iptables will be called to load them.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-09 15:23:24 -04:00
Kenton Groombridge
af0b408246
container: allow spc various rules for kubevirt
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-09 15:21:18 -04:00
Kenton Groombridge
d585f08c27
container, kubernetes: add supporting rules for kubevirt and multus
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-09 15:14:27 -04:00
Kenton Groombridge
9f37f86b21
dbus: dontaudit session bus domains the netadmin capability
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-07 16:55:28 -04:00
Kenton Groombridge
d9ca32f5ae
container: allow super privileged containers to manage BPF dirs
...
Seen on a recent update to Cilium.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-07 16:54:09 -04:00
Kenton Groombridge
1900fbe681
kubernetes: allow kubelet to create unlabeled dirs
...
When kubelet sets up a container that 1) has mountpoints using subPath
directories and 2) has a volume that is newly provisioned and not yet
relabeled, kubelet will create the mountpoint directories on this volume
before relabeling it. Allow kubelet to create these directories.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-07 16:51:38 -04:00
Kenton Groombridge
b9c8ba607c
haproxy: allow interactive usage
...
Allow haproxy to be run interactively, e.g. to test its config file and
report errors.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-07 16:48:24 -04:00
Kenton Groombridge
846804c58a
podman: allow managing init runtime units
...
Containers created via quadlet become runtime units. Podman auto-update
can still restart these, but it needs the appropriate access.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-07 16:43:28 -04:00
Kenton Groombridge
8787b3d8d5
iptables: allow reading usr files
...
The nftables program reads files in /usr/share/iproute2.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-08-07 16:12:15 -04:00
Chris PeBenito
71f4bd1992
Merge pull request #799 from dsseng/gadgetfs-usbfs
...
filesystem, devices: move gadgetfs to usbfs_t
2024-07-22 09:17:22 -04:00
Dmitry Sharshakov
a6cf207363
filesystem, devices: move gadgetfs to usbfs_t
...
It is a USB Gadget config pseudo-FS, not a network or distributed FS.
Signed-off-by: Dmitry Sharshakov <d3dx12.xx@gmail.com>
2024-07-20 20:37:47 +03:00
Chris PeBenito
1b11d94cd7
Merge pull request #792 from yizhao1/systemd
...
systemd: make xdg optional
2024-07-12 08:28:35 -04:00
Yi Zhao
75492f95f7
systemd: make xdg optional
...
Make xdg optional to avoid a potential build error.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-07-12 19:23:06 +08:00
Chris PeBenito
302e66507a
Merge pull request #794 from 0xC0ncord/main
...
systemd: allow logind to use locallogin pidfds
2024-07-10 10:19:43 -04:00
Chris PeBenito
b65469f826
Merge pull request #793 from 0xC0ncord/sshd-session
...
sshd: label sshd-session as sshd_exec_t
2024-07-10 10:19:15 -04:00
Kenton Groombridge
097d688ff8
sshd: label sshd-session as sshd_exec_t
...
OpenSSH 9.8 splits out much of the session code from the main sshd
binary into a new sshd-session binary. Allow the sshd server to execute
this binary by labeling it as sshd_exec_t.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-07-05 14:47:47 -04:00
Chris PeBenito
6cacc4871a
Merge pull request #791 from pebenito/quic_nakella-bluetoothctl
...
Setting bluetooth helper domain for bluetoothctl
2024-07-01 15:24:37 -04:00
Chris PeBenito
b3c272d6ac
Merge pull request #790 from pebenito/quic_rbujala-pulseaudio
...
Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets.
2024-07-01 15:17:54 -04:00
Chris PeBenito
73c2c68ee7
Merge pull request #789 from yizhao1/update
...
userdomain: allow administrative user to get attributes of shadow his…
2024-07-01 15:12:24 -04:00
Naga Bhavani Akella
b57b6005c5
Setting bluetooth helper domain for bluetoothctl
...
Required for fixing the below avc denials -
1. audit: type=1400 audit(1651238006.276:496):
avc: denied { read write } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
2. audit: type=1400 audit(1651238006.276:497):
avc: denied { getattr } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
3. audit: type=1400 audit(1651238006.272:495):
avc: denied { read write } for pid=689 comm="dbus-daemon"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
4. audit[1894]: AVC avc: denied { read write } for pid=1894
comm="bluetoothctl" path="/dev/pts/0" dev="devpts" ino=3
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:object_r:initrc_devpts_t:s0
tclass=chr_file permissive=0
5. audit[2022]: AVC avc: denied { use } for pid=2022
comm="bluetoothctl" path="socket:[25769]" dev="sockfs" ino=25769
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
6. audit[2006]: AVC avc: denied { read write } for pid=2006
comm="bluetoothctl" path="socket:[21106]" dev="sockfs" ino=21106
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=0
Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
2024-07-01 14:48:07 -04:00
Raghavender Reddy Bujala
30f451d6a4
Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets.
...
pulseaudio uses bluetooth sockets for the HFP-AG and
HSP-HS profiles to make SLC and SCO connections with the
remote.
avc: denied { create } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { bind } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { listen } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { accept } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { getopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { setopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { read } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { write } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { shutdown } for pid=137606 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { connect } for pid=137606 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
Signed-off-by: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>
2024-07-01 14:46:40 -04:00
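The AVC records quoted in this commit, in the fapolicyd commit near the top of the page, and in the systemd-hostnamed commit all share the same key=value layout, and the usual first step when triaging them is the one audit2allow performs: group denials by (source type, target type, object class) and fold the permissions together. The Python below is an added example, not code from this page or from the refpolicy project. It parses both the single-line records seen in audit.log and the line-wrapped form that commit messages use, emits candidate allow rules, and counts separately the denials the kernel actually refused (permissive=0) and those that were only logged under permissive mode (permissive=1). The sample input is constructed from denials quoted on this page; the function names are my own.

```python
"""Parse SELinux AVC denial records and fold them into candidate allow rules.

Added example (not part of the refpolicy project): an audit2allow-style
aggregator that also reports whether each denial was enforced or only logged.
"""
import re
from collections import defaultdict

# Constructed sample, assembled from denials quoted on this page: three
# single-line fapolicyd records, one line-wrapped systemd-hostnamed record,
# and two pulseaudio records that share a (source, target, class) key.
SAMPLE_AUDIT = """\
node=localhost type=AVC msg=audit(1726153668.013:418): avc: denied { watch } for pid=1561 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
node=localhost type=AVC msg=audit(1726154081.718:403): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154706.227:415): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/bin/kmod" dev="dm-1" ino=14600 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
avc: denied { read } for pid=463 comm="systemd-hostnam" name="vsock"
dev="devtmpfs" ino=170 scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
avc: denied { create } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { bind } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
"""

PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def iter_records(text):
    """Yield one string per AVC record, re-joining wrapped continuation lines."""
    current = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if "avc: denied" in line:        # start of a new record
            if current:
                yield " ".join(current)
            current = [line]
        elif current:                    # continuation of the previous record
            current.append(line)
    if current:
        yield " ".join(current)


def parse_avc(record):
    """Return the parts of one AVC record needed for a rule, or None if malformed."""
    m = PERMS_RE.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(record)}
    try:
        stype = fields["scontext"].split(":")[2]   # user:role:type[:mls range]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": frozenset(m.group(1).split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": tclass,
        "comm": fields.get("comm", "?"),
        # permissive=0: the kernel refused the access; permissive=1: logged only
        "blocked": fields.get("permissive") == "0",
    }


def summarize(text):
    """Aggregate denials into sorted candidate allow rules plus enforced/logged counts."""
    perms_by_key = defaultdict(set)
    blocked = logged_only = 0
    for record in iter_records(text):
        d = parse_avc(record)
        if d is None:
            continue
        perms_by_key[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
        if d["blocked"]:
            blocked += 1
        else:
            logged_only += 1
    rules = []
    for (stype, ttype, tclass), perms in sorted(perms_by_key.items()):
        target = "self" if stype == ttype else ttype   # SELinux shorthand for same-type targets
        rules.append(f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules, blocked, logged_only


if __name__ == "__main__":
    rules, blocked, logged_only = summarize(SAMPLE_AUDIT)
    print(f"{blocked} denial(s) enforced, {logged_only} logged in permissive mode")
    for rule in rules:
        print(rule)
```

The generated rules are only a starting point for reading a commit like the ones above: the committed fix frequently introduces a new type (vsock_device_t in this series) or calls a refpolicy interface rather than writing the raw allow, so the raw rule should be compared against what the commit actually changed before it is taken as the answer.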
Kenton Groombridge
7037c341fb
systemd: allow logind to use locallogin pidfds
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-07-01 09:42:33 -04:00
Yi Zhao
5f7f494d19
userdomain: allow administrative user to get attributes of shadow history file
...
Before the patch:
root@qemux86-64:~# ls -lZ /etc/security/opasswd
-?????????? ? ? ? ? ? ? /etc/security/opasswd
After the patch:
root@qemux86-64:~# ls -lZ /etc/security/opasswd
-rw-------. 1 root root user_u:object_r:shadow_history_t 237 Jun 30 12:03 /etc/security/opasswd
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-06-30 22:27:12 +08:00
Chris PeBenito
7c797909a2
Merge pull request #787 from 0xC0ncord/various/20240515
...
Various fixes
2024-06-28 13:25:54 -04:00
Kenton Groombridge
0126cb1e66
node_exporter: allow reading RPC sysctls
...
For NFS mounts.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 12:21:42 -04:00