Commit Graph

4845 Commits

Author SHA1 Message Date
Chris PeBenito
d48b57a5bd Merge pull request #763 from cgzones/dnl_space
libraries: drop space in empty line
2024-02-23 13:18:44 -05:00
Christian Göttsche
8f9be7c635 libraries: drop space in empty line
Drop a line containing a single space from the file context file to
avoid SELint stumbling on it:

    libraries.mod.fc:   130: (E): Bad file context format (E-002)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 18:04:11 +01:00
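The SELint complaint quoted above is triggered by a whitespace-only line in a compiled `.fc` file. The following is an added example, not SELint or refpolicy code, that applies the same kind of line-level format check in Python: blank lines and `#` comments pass, a line consisting only of whitespace is flagged, and every other line must be a path regex, an optional file type flag (`--`, `-d`, `-c`, `-b`, `-s`, `-l`, `-p`) and a security context (a raw `user:role:type[:level]`, a refpolicy `gen_context(...)` wrapper, or `<<none>>`). That grammar is an assumption and is simplified (path regexes containing whitespace are not handled); the sample input and the paths `/run/example`, `/opt/broken` and `/opt/nocontext` are constructed for the example.

```python
"""Line-level format check for SELinux file context (.fc) entries.

Added example for this page, not SELint or refpolicy code. The accepted
grammar below is an assumption: "<pathregex> [<filetype flag>] <context>",
where the context is user:role:type[:level], a gen_context(...) wrapper as
used in refpolicy sources, or <<none>>.
"""
import re

_FILETYPE_FLAGS = {"--", "-d", "-c", "-b", "-s", "-l", "-p"}
# user:role:type[:level]; the level may itself contain ':' (e.g. s0-s0:c0.c1023)
_RAW_CTX = re.compile(r"^[^:\s,]+:[^:\s,]+:[^:\s,]+(:\S+)?$")
# gen_context(user:role:type[,level[,categories]]) as written in refpolicy .fc sources
_GEN_CTX = re.compile(r"^gen_context\([^:\s,]+:[^:\s,]+:[^:\s,)]+(,\s*[^)\s]+)*\)$")

# Constructed sample in the style of a compiled libraries.mod.fc; line 4 is the
# single-space line this commit removes, lines 7 and 8 are deliberately broken.
SAMPLE_FC = "\n".join([
    "# constructed sample, not the real libraries.mod.fc",
    "/lib(64)?(/.*)?\t\tsystem_u:object_r:lib_t:s0",
    "/usr/lib/ld-[^/]*\\.so(\\.[^/]*)*\t--\tsystem_u:object_r:ld_so_t:s0",
    " ",
    "/etc/ld\\.so\\.cache\t--\tgen_context(system_u:object_r:ld_so_cache_t,s0)",
    "/run/example\t-s\t<<none>>",
    "/opt/broken\t-x\tsystem_u:object_r:lib_t:s0",
    "/opt/nocontext",
]) + "\n"


def check_fc(text):
    """Return a list of (line number, message) for every malformed entry."""
    problems = []
    for n, raw in enumerate(text.splitlines(), start=1):
        if raw == "" or raw.lstrip().startswith("#"):
            continue                                   # empty line or comment
        if raw.strip() == "":
            problems.append((n, "whitespace-only line (bad file context format)"))
            continue
        parts = raw.split()
        if len(parts) < 2:
            problems.append((n, "missing security context"))
            continue
        if parts[1].startswith("-"):                   # optional file type flag
            if parts[1] not in _FILETYPE_FLAGS:
                problems.append((n, f"unknown file type flag {parts[1]!r}"))
                continue
            ctx = " ".join(parts[2:])
        else:
            ctx = " ".join(parts[1:])
        if not ctx:
            problems.append((n, "missing security context"))
        elif ctx != "<<none>>" and not (_RAW_CTX.match(ctx) or _GEN_CTX.match(ctx)):
            problems.append((n, f"malformed security context {ctx!r}"))
    return problems


if __name__ == "__main__":
    for lineno, msg in check_fc(SAMPLE_FC):
        print(f"sample.fc: {lineno}: (E): {msg}")
```

Run against the constructed sample it reports lines 4 (whitespace only), 7 (unknown flag `-x`) and 8 (no context); a real `.fc` file can be passed in with `check_fc(open(path).read())`.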
Christian Göttsche
b8ad74030f consolesetup: update
AVC avc:  denied  { read } for  pid=770 comm="mkdir" name="filesystems" dev="proc" ino=4026532069 scontext=system_u:system_r:consolesetup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
859f90be12 systemd: logind update
type=PROCTITLE msg=audit(21/02/24 23:31:52.659:83) : proctitle=/usr/lib/systemd/systemd-logind
type=SYSCALL msg=audit(21/02/24 23:31:52.659:83) : arch=x86_64 syscall=recvmsg success=yes exit=24 a0=0xf a1=0x7ffdec4e7bc0 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=909 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(21/02/24 23:31:52.659:83) : avc:  denied  { use } for  pid=909 comm=systemd-logind path=anon_inode:[pidfd] dev="anon_inodefs" ino=1051 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=1

p.s.: this might need an overhaul after pidfd handling in the kernel has
been improved.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
06927582c8 udev: update
AVC avc:  denied  { create } for  pid=685 comm="ifquery" name="network" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
395f5cb588 systemd: generator updates
type=1400 audit(1708552475.580:3): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/etc/init.d/auditd" dev="vda1" ino=262124 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_initrc_exec_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:4): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/auditd.service" dev="vda1" ino=395421 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:5): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/etc/init.d/vnstat" dev="vda1" ino=261247 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_initrc_exec_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:6): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/vnstat.service" dev="vda1" ino=394196 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.580:7): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/dbus-broker.service" dev="vda1" ino=394383 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:dbusd_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.584:8): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/qemu-guest-agent.service" dev="vda1" ino=392981 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:qemu_unit_t:s0 tclass=file permissive=1
type=1400 audit(1708552475.584:9): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/ssh.service" dev="vda1" ino=393521 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:sshd_unit_t:s0 tclass=file permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
206bdcb6d3 fs: add support for virtiofs
Adopted from 5580e9a576

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
1816085864 vnstatd: update
type=PROCTITLE msg=audit(21/02/24 22:54:36.792:69) : proctitle=/usr/sbin/vnstatd -n
type=PATH msg=audit(21/02/24 22:54:36.792:69) : item=0 name=/dev/urandom inode=18 dev=00:2b mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:54:36.792:69) : cwd=/
type=SYSCALL msg=audit(21/02/24 22:54:36.792:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f197cc66865 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=900 auid=unset uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { open } for  pid=900 comm=vnstatd path=/dev/urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { read } for  pid=900 comm=vnstatd name=urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
fa7004426f systemd: binfmt updates
type=PROCTITLE msg=audit(21/02/24 22:54:36.708:53) : proctitle=/usr/lib/systemd/systemd-binfmt
type=SYSCALL msg=audit(21/02/24 22:54:36.708:53) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x5 a1=0x7ffc547fbda0 a2=0x0 a3=0x0 items=0 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.708:53) : avc:  denied  { getattr } for  pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=filesystem permissive=1

type=PROCTITLE msg=audit(21/02/24 22:54:36.708:54) : proctitle=/usr/lib/systemd/systemd-binfmt
type=PATH msg=audit(21/02/24 22:54:36.708:54) : item=0 name=/proc/self/fd/4 inode=1 dev=00:27 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:binfmt_misc_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:54:36.708:54) : cwd=/
type=SYSCALL msg=audit(21/02/24 22:54:36.708:54) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffc547fbdf0 a1=W_OK a2=0x0 a3=0x0 items=1 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
type=AVC msg=audit(21/02/24 22:54:36.708:54) : avc:  denied  { write } for  pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
6992e200ac fs: mark memory pressure type as file
Associate the type memory_pressure_t with the attribute file_type, so
all attribute based rules apply, e.g. for unconfined_t.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
088bf3ab5d userdom: permit reading PSI as admin
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
7879c6a0db selinuxutil: ignore getattr proc in newrole
type=PROCTITLE msg=audit(02/21/24 22:42:44.555:112) : proctitle=newrole -r sysadm_r
type=SYSCALL msg=audit(02/21/24 22:42:44.555:112) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffc75fe1990 a2=0x0 a3=0x0 items=0 ppid=946 pid=1001 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=newrole exe=/usr/bin/newrole subj=root:staff_r:newrole_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(02/21/24 22:42:44.555:112) : avc:  denied  { getattr } for  pid=1001 comm=newrole name=/ dev=proc ino=1 scontext=root:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
ef0f55827d selinuxutil: setfiles updates
type=PROCTITLE msg=audit(21/02/24 22:31:50.044:122) : proctitle=restorecon -vRn -T0 /
type=SYSCALL msg=audit(21/02/24 22:31:50.044:122) : arch=x86_64 syscall=sched_getaffinity success=yes exit=8 a0=0x0 a1=0x1000 a2=0x7fc235649bf0 a3=0x0 items=0 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:31:50.044:122) : avc:  denied  { getsched } for  pid=13398 comm=restorecon scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process permissive=1

type=PROCTITLE msg=audit(21/02/24 22:31:55.040:123) : proctitle=restorecon -vRn -T0 /
type=PATH msg=audit(21/02/24 22:31:55.040:123) : item=0 name=/sys/fs/cgroup/user.slice/user-0.slice/user@0.service/memory.pressure inode=2455 dev=00:1b mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:memory_pressure_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:31:55.040:123) : cwd=/root/workspace/selinux/refpolicy/refpolicy
type=SYSCALL msg=audit(21/02/24 22:31:55.040:123) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x557264466530 a2=0x7fc2004cacc0 a3=0x100 items=1 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:31:55.040:123) : avc:  denied  { getattr } for  pid=13398 comm=restorecon path=/sys/fs/cgroup/user.slice/user-0.slice/user@0.service/memory.pressure dev="cgroup2" ino=2455 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_pressure_t:s0 tclass=file permissive=1

type=PROCTITLE msg=audit(21/02/24 22:32:15.512:126) : proctitle=restorecon -vRFn -T0 /usr/
type=PATH msg=audit(21/02/24 22:32:15.512:126) : item=0 name=/proc/sys/vm/overcommit_memory inode=41106 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_overcommit_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:32:15.512:126) : cwd=/root/workspace/selinux/refpolicy/refpolicy
type=SYSCALL msg=audit(21/02/24 22:32:15.512:126) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7f59f7316810 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1103 pid=13491 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc:  denied  { open } for  pid=13491 comm=restorecon path=/proc/sys/vm/overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1
type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc:  denied  { read } for  pid=13491 comm=restorecon name=overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:16:44 +01:00
Christian Göttsche
441d71d7ae virt: label qemu configuration directory
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:16:44 +01:00
Chris PeBenito
0c41682fc4 cloudinit: Add permissions derived from sysadm.
Allow a similar amount of admin capability to cloud-init as sysadm.  Also add
a tunable to allow non-security file management for fallback.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-22 09:13:38 -05:00
Chris PeBenito
65dfbda501 systemd: Updates for systemd-locale.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
34afd8343c cloud-init: Change udev rules
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
758f819529 cloud-init: Add systemd permissions.
Additional access for controlling systemd units and logind dbus chat.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
7213dcf3a7 cloud-init: Allow use of sudo in runcmd.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
2e981f1790 chronyd: Read /dev/urandom.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
2e3cb74315 unconfined: Add remaining watch_* permissions.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
92587eddb3 usermanage: Handle symlinks in /usr/share/cracklib.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
0b77fe85c6 kdump: Fixes from testing kdumpctl.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
14b555b02b cloudinit: Add support for installing RPMs and setting passwords.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
e5dc0d6a36 files: Handle symlinks for /media and /srv.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
5df7c1e4b6 usermanage: Add sysctl access for groupadd to get number of groups.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
4d57ab1efb sysnetwork: ifconfig searches debugfs.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
df179e7f85 selinuxutil: Semanage reads policy for export.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
13574c3d4d init: Allow nnp/nosuid transitions from systemd initrc_t.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
45f5a5a8e0 rpm: Minor fixes
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
59136d8a7c systemd: Minor coredump fixes.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
21d7f4415e Container: Minor fixes from interactive container use.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
86bea43c43 kernel: hv_utils shutdown on systemd systems.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
d1ec6f1b9f systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
56e33b7e42 domain: Manage own fds.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-02-21 16:45:39 -05:00
Kenton Groombridge
1c534f04b5 kubernetes: allow kubelet to apply fsGroup to persistent volumes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:33:39 -05:00
Kenton Groombridge
fa3cf4f197 container: allow spc to map kubernetes runtime files
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:33:39 -05:00
Kenton Groombridge
fb548b6a72 crio: allow reading container home content
CRI-O will read container registry configuration data from the running
user's home (root) and will abort if unable to do so.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:37 -05:00
Kenton Groombridge
4634f7a0fe systemd: allow systemd generator to list exports
This is needed now that /etc/exports.d is labeled appropriately.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:37 -05:00
Kenton Groombridge
22b65cba5e dbus: allow the system bus to get the status of generic units
dbus-broker checks the status of systemd-logind.

type=USER_AVC msg=audit(1705109503.237:123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=101 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:37 -05:00
Kenton Groombridge
6d5271cb18 rpc: fix not labeling exports.d directory
Fix the filecon for /etc/exports.d to also label the directory itself.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:24 -05:00
Kenton Groombridge
f0fc6cd236 bootloader, init, udev: misc minor fixes
Resolve these AVCs seen during early boot with systemd 255:

Jan 12 15:42:02 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092122.714:4): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0

Jan 12 15:42:03 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092123.656:7): avc:  denied  { setrlimit } for  pid=2578 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=process permissive=0

Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.960:9): avc:  denied  { write } for  pid=2629 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.961:10): avc:  denied  { write } for  pid=2629 comm="sysctl" name="nlm_udpport" dev="proc" ino=31905 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.963:11): avc:  denied  { write } for  pid=2632 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0

Jan 12 15:42:08 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092128.530:16): avc:  denied  { net_admin } for  pid=3033 comm="bootctl" capability=12  scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:bootloader_t:s0 tclass=capability permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:08 -05:00
Kenton Groombridge
85fc7fda17 systemd: label systemd-tpm2-setup as systemd-pcrphase
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
Kenton Groombridge
4e7511f4ac init: allow using system bus anon pidfs
Seen with systemd 255. This initially did not seem to impact anything,
but after a while I found that the kubernetes kubelet agent would not
start without this access.

type=AVC msg=audit(1705092131.239:37): avc:  denied  { use } for  pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
Kenton Groombridge
29a5cc1abc kernel: allow managing mouse devices
Seen with systemd 255.

type=AVC msg=audit(1705092132.309:64): avc:  denied  { getattr } for  pid=178 comm="kdevtmpfs" path="/input/mouse0" dev="devtmpfs" ino=328 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1705108275.269:52): avc:  denied  { setattr } for  pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1705108275.269:53): avc:  denied  { unlink } for  pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
Kenton Groombridge
fbbed63769 zfs: allow zfs to write to exports
Needed by zfs-mount.service.

type=PROCTITLE msg=audit(1705092131.987:49): proctitle=2F7362696E2F7A6673007368617265002D61
type=SYSCALL msg=audit(1705092131.987:49): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=665f44189eba a2=80042 a3=180 items=0 ppid=1 pid=3082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zfs" exe="/usr/bin/zfs" subj=system_u:system_r:zfs_t:s0 key=(null)
type=AVC msg=audit(1705092131.987:49): avc:  denied  { write } for  pid=3082 comm="zfs" name="zfs.exports.lock" dev="dm-0" ino=1296 scontext=system_u:system_r:zfs_t:s0 tcontext=system_u:object_r:exports_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
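The denials quoted across these commits (consolesetup, systemd generators, vnstatd, dbus, bootloader, zfs and the others) arrive in several record formats: raw kernel `avc:  denied` lines, `ausearch -i` output with `type=AVC msg=audit(...) :`, syslog-wrapped `type=1400` lines, and `USER_AVC` records from userspace object managers such as dbus-broker, where the denial is nested inside `msg='...'`. The following added example, which is not refpolicy or audit2allow code, parses all of these, groups denials by source type, target type and object class, and prints candidate allow rules the way a first audit2allow-style pass would. `SAMPLE_LOG` is constructed from denials quoted on this page (the `host` hostname and pid/ino values are placeholders), and the function names are the example's own.

```python
"""Group SELinux AVC denials into candidate allow rules.

Added example for this page, not refpolicy or audit2allow code. It parses
the record formats quoted in the commits above (raw kernel AVC lines,
ausearch -i output, syslog-wrapped type=1400 lines and USER_AVC records
from userspace object managers). SAMPLE_LOG is constructed from denials
quoted on this page; hostname, pid and ino values carry no meaning.
"""
import re
from collections import defaultdict

# Core of a denial: "avc:  denied  { perm ... } for <key=value ...>".
# A search (not a match) finds it whatever prefix the record carries,
# including the msg='...' wrapper of USER_AVC records.
_AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)")
# key=value tokens; values are double-quoted, single-quoted or bare.
_KV_RE = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")

SAMPLE_LOG = "\n".join([
    'AVC avc:  denied  { read } for  pid=770 comm="mkdir" name="filesystems" dev="proc" ino=4026532069 scontext=system_u:system_r:consolesetup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { open } for  pid=900 comm=vnstatd path=/dev/urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1',
    'type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { read } for  pid=900 comm=vnstatd name=urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1',
    'Jan 12 15:42:08 host kernel: audit: type=1400 audit(1705092128.530:16): avc:  denied  { net_admin } for  pid=3033 comm="bootctl" capability=12  scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:bootloader_t:s0 tclass=capability permissive=0',
    "type=USER_AVC msg=audit(1705109503.237:123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=101 path=\"/usr/lib/systemd/system/systemd-logind.service\" cmdline=\"/usr/bin/dbus-broker-launch --scope system --audit\" function=\"reply_unit_path\" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    'type=SYSCALL msg=audit(1705092131.987:49): arch=c000003e syscall=257 success=no exit=-13 comm="zfs" exe="/usr/bin/zfs" subj=system_u:system_r:zfs_t:s0 key=(null)',
])


def parse_avc(line):
    """Return the denial in one record as a dict, or None if it carries no AVC."""
    m = _AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip("\"'") for k, v in _KV_RE.findall(m.group("rest"))}
    try:
        # a context is user:role:type[:level]; the type is what policy rules use
        stype = fields["scontext"].split(":")[2]
        ttype = fields["tcontext"].split(":")[2]
        tclass = fields["tclass"]
    except (KeyError, IndexError):
        return None
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": tclass,
        "comm": fields.get("comm"),
        "target": fields.get("path") or fields.get("name"),
        # permissive=0 means the access was actually blocked, not just logged
        "enforcing": fields.get("permissive") == "0",
    }


def format_rule(stype, ttype, tclass, perms, enforcing):
    """Render one (source, target, class) group as a policy allow rule."""
    target = "self" if ttype == stype else ttype
    perm_txt = " ".join(sorted(perms))
    if len(perms) > 1:
        perm_txt = "{ " + perm_txt + " }"
    rule = f"allow {stype} {target}:{tclass} {perm_txt};"
    return (rule + " # enforcing") if enforcing else rule


def candidate_rules(lines):
    """Merge all denials in `lines` into one candidate rule per (source, target, class)."""
    grouped = defaultdict(set)
    enforcing = defaultdict(bool)
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue                       # SYSCALL, PATH, PROCTITLE etc. records
        key = (d["stype"], d["ttype"], d["tclass"])
        grouped[key] |= d["perms"]
        enforcing[key] |= d["enforcing"]
    return [format_rule(*key, grouped[key], enforcing[key]) for key in sorted(grouped)]


if __name__ == "__main__":
    for rule in candidate_rules(SAMPLE_LOG.splitlines()):
        print(rule)
```

The output is a starting point, not a patch: a maintainer still decides whether each group becomes an allow rule, a `dontaudit` (as in the newrole `getattr` on proc above), or nothing at all, and in a refpolicy module the access is expressed through an interface such as `dev_read_urand(vnstatd_t)` rather than a raw `allow` on `urandom_device_t`. Feeding it `ausearch -m AVC,USER_AVC` output works the same way as the constructed sample.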
Kenton Groombridge
8ef4c98c77 systemd: label systemd-pcrlock as systemd-pcrphase
Label the systemd-pcrlock binary as systemd_pcrphase_exec_t.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:52 -05:00
Kenton Groombridge
29d02c3efa kubernetes: fix kubelet accounting
The kubelet routinely measures metrics and accounting for all
containers which involves calculating resource utilization for both
running containers and the contents of their images on disk.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:25 -05:00
Kenton Groombridge
2912f56e88 container, kubernetes: allow kubernetes to use fuse-overlayfs
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:24 -05:00
Kenton Groombridge
489051ff99 systemd: add policy for systemd-machine-id-setup
systemd-machine-id-setup's role is to commit the host's machine id
to /etc/machine-id. The behavior of this process has changed slightly,
whereby a tmpfs is temporarily created on top of /etc/machine-id during
boot which is then read by systemd-machine-id-setup and written directly
to the underlying file.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:29:43 -05:00