In order to be able to invoke /usr/bin/mount, /usr/bin/fusermount, etc.
callers need to be able to search /usr/bin. Otherwise, such denials are
recorded:
type=AVC msg=audit(1576534518.220:1320): avc: denied { search }
for pid=24067 comm="cryfs" name="bin" dev="vda1" ino=524829
scontext=sysadm_u:sysadm_r:cryfs_t tcontext=system_u:object_r:bin_t
tclass=dir permissive=0
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
I'm seeing the following error while starting rsyslog:
Nov 17 02:01:38 localhost rsyslogd: cannot create '/run/systemd/journal/syslog': Permission denied [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: imuxsock does not run because we could not aquire any socket [v8.24.0-41.el7_7.2]
Nov 17 02:01:38 localhost rsyslogd: activation of module imuxsock failed [v8.24.0-41.el7_7.2]
With the following denials:
type=AVC msg=audit(1573958708.773:1896): avc: denied { create } for pid=2347 comm="rsyslogd" name="syslog" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1
type=AVC msg=audit(1573958708.773:1897): avc: denied { setattr } for pid=2347 comm="rsyslogd" name="syslog" dev="tmpfs" ino=19368 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=sock_file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
When alsactl is running as a daemon with systemd, it sets its process
priority to be nice to other processes. When stopping the service, it's
signaling to itself that it needs to exit.
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:43): avc: denied { setsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 11:59:59 2019
type=AVC msg=audit(1570355999.755:44): avc: denied { getsched } for pid=794 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
----
time->Sun Oct 6 12:07:26 2019
type=AVC msg=audit(1570356446.747:292): avc: denied { signal } for pid=3585 comm="alsactl" scontext=system_u:system_r:alsa_t:s0 tcontext=system_u:system_r:alsa_t:s0 tclass=process permissive=1
Signed-off-by: Laurent Bigonville <bigon@bigon.be>
"is" is for testing two references are the same object. The fact that this
worked is specific to the Python implementation.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
fc_sort is the only/last build tool that requires a C compiler
Re-implement it in python, so that gcc dependencies can be dropped
The output of the C and the python version differ slightly in the order of equally specific file contexts
old:
/.* system_u:object_r:default_t
/sys(/.*)? system_u:object_r:sysfs_t
/mnt(/[^/]*) -l system_u:object_r:mnt_t
/mnt(/[^/]*)? -d system_u:object_r:mnt_t
/opt/.* system_u:object_r:usr_t
/var/.* system_u:object_r:var_t
/usr/.* system_u:object_r:usr_t
/srv/.* system_u:object_r:var_t
/tmp/.* <<none>>
/run/.* <<none>>
/dev/.* system_u:object_r:device_t
/etc/.* system_u:object_r:etc_t
new:
/.* system_u:object_r:default_t
/sys(/.*)? system_u:object_r:sysfs_t
/mnt(/[^/]*) -l system_u:object_r:mnt_t
/mnt(/[^/]*)? -d system_u:object_r:mnt_t
/dev/.* system_u:object_r:device_t
/etc/.* system_u:object_r:etc_t
/opt/.* system_u:object_r:usr_t
/run/.* <<none>>
/srv/.* system_u:object_r:var_t
/tmp/.* <<none>>
/usr/.* system_u:object_r:usr_t
/var/.* system_u:object_r:var_t
On Arch Linux, /proc/sys/kernel/core_pattern contains:
|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
When a crash happens in a userspace application, this setting makes the
kernel spawn /usr/lib/systemd/systemd-coredump from kernel_t:
type=AVC msg=audit(1569910108.877:336): avc: denied { execute }
for pid=1087 comm="kworker/u2:3" name="systemd-coredump" dev="vda1"
ino=406365 scontext=system_u:system_r:kernel_t
tcontext=system_u:object_r:systemd_coredump_exec_t tclass=file
permissive=1
Introduce a transition to systemd_coredump_t to handle this.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Now that all issues reported by testing/check_fc_files.py have been
fixed, call this script in Travis-CI in order to prevent common errors
from being introduced in .fc files.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>