selinux-refpolicy/policy/modules/roles
Nicolas Iooss 4aa9acca0a
sysadm: allow resolving dynamic users
On a virtual machine using haveged daemon, running "ps" from a sysadm_t
user leads to the following output:

    $ ps -eH -o label,user,pid,cmd
    ...
    system_u:system_r:init_t        root         1 /sbin/init
    system_u:system_r:syslogd_t     root       223   /usr/lib/systemd/systemd-journald
    system_u:system_r:lvm_t         root       234   /usr/bin/lvmetad -f
    system_u:system_r:udev_t        root       236   /usr/lib/systemd/systemd-udevd
    system_u:system_r:entropyd_t    65306      266   /usr/bin/haveged --Foreground --verbose=1

User 65306 is a dynamic user attributed by systemd:

    $ cat /var/run/systemd/dynamic-uid/65306
    haveged

Running ps leads to the following log:

    type=USER_AVC msg=audit(1549830356.959:1056): pid=278 uid=81
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager
    member=LookupDynamicUserByUID dest=org.freedesktop.systemd1
    spid=12038 tpid=1 scontext=sysadm_u:sysadm_r:sysadm_t
    tcontext=system_u:system_r:init_t tclass=dbus permissive=0
    exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Allow sysadm_t to resolve dynamic users when systemd is used.

After this, "ps" works fine:

    system_u:system_r:entropyd_t    haveged    266   /usr/bin/haveged --Foreground --verbose=1
2019-02-12 21:43:08 +01:00
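As an added illustration, not code from this commit or from refpolicy: the USER_AVC record quoted in the commit message, parsed into the allow rule it implies, together with the systemd dynamic-UID range check and the /run/systemd/dynamic-uid lookup that the commit message performs by hand with cat. Note that the denial is a USER_AVC emitted by dbus-daemon (subj=system_dbusd_t, pid=278), not a kernel AVC: the bus daemon is the enforcer, and the real peers are scontext (the ps process, spid=12038) and tcontext (PID 1, tpid=1). The audit line is the page's own, re-joined onto one line; the UID bounds are systemd's DYNAMIC_UID_MIN/DYNAMIC_UID_MAX (61184..65519); the function names and the directory argument are my own.

```python
"""Illustrative helper (not part of refpolicy): turn a dbus USER_AVC denial
into the allow rule it implies, and classify / resolve a systemd DynamicUser
UID the way the commit message does by hand."""
import os
import re

# systemd allocates DynamicUser= accounts from this fixed range
# (DYNAMIC_UID_MIN / DYNAMIC_UID_MAX in systemd's source).
DYNAMIC_UID_MIN = 61184
DYNAMIC_UID_MAX = 65519

# The USER_AVC record from the commit message, re-joined onto a single line
# (audit records are one line each; the page wrapped it).
SAMPLE_USER_AVC = (
    "type=USER_AVC msg=audit(1549830356.959:1056): pid=278 uid=81 "
    "auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t "
    "msg='avc:  denied  { send_msg } for msgtype=method_call "
    "interface=org.freedesktop.systemd1.Manager "
    "member=LookupDynamicUserByUID dest=org.freedesktop.systemd1 "
    "spid=12038 tpid=1 scontext=sysadm_u:sysadm_r:sysadm_t "
    "tcontext=system_u:system_r:init_t tclass=dbus permissive=0 "
    "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'"
)

_DENIED = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
_FIELD = re.compile(r"(\w+)=(\"[^\"]*\"|\S+)")


def parse_avc(line):
    """Return the key=value fields of an AVC/USER_AVC record plus the
    denied permission list under 'perms'. Raises ValueError for records
    that are not denials."""
    m = _DENIED.search(line)
    if m is None:
        raise ValueError("not an AVC denial")
    fields = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    fields["perms"] = m.group(1).split()
    return fields


def context_type(ctx):
    """user:role:type[:range] -> type"""
    return ctx.split(":")[2]


def allow_rule(avc):
    """The minimal TE rule that clears this denial (what audit2allow would
    print). For tclass=dbus the subject is the sender's domain and the
    target is the domain owning the destination bus name."""
    src = context_type(avc["scontext"])
    tgt = context_type(avc["tcontext"])
    return "allow %s %s:%s { %s };" % (src, tgt, avc["tclass"],
                                        " ".join(avc["perms"]))


def is_dynamic_uid(uid):
    """True if uid lies in the range systemd reserves for DynamicUser=."""
    return DYNAMIC_UID_MIN <= int(uid) <= DYNAMIC_UID_MAX


def resolve_dynamic_uid(uid, base="/run/systemd/dynamic-uid"):
    """Map a dynamic UID to its unit-provided name by reading the record
    PID 1 keeps under base/<uid> (the manual fallback for when nss-systemd's
    LookupDynamicUserByUID call over the bus is denied). Returns None when
    the UID is outside the dynamic range or has no record."""
    if not is_dynamic_uid(uid):
        return None
    try:
        with open(os.path.join(base, str(int(uid)))) as f:
            return f.read().strip()
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    d = parse_avc(SAMPLE_USER_AVC)
    print("sender pid", d["spid"], "-> target pid", d["tpid"], "method", d["member"])
    print(allow_rule(d))
    print("65306 dynamic?", is_dynamic_uid(65306))
```

The raw `allow sysadm_t init_t:dbus { send_msg };` is only the forward direction; the method reply from PID 1 back to the caller is a second `send_msg` check in the opposite direction, and the caller also needs to be a system bus client. refpolicy expresses this through interfaces (for example `init_dbus_chat()` and `dbus_system_bus_client()`) rather than a bare allow; the commit page shows only the message, not the diff, so the exact rule it added is not reproduced here.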
auditadm.fc trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00
auditadm.if trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
auditadm.te Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
dbadm.fc Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
dbadm.if Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
dbadm.te Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
guest.fc Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
guest.if Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
guest.te Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
logadm.fc trunk: 6 patches from dan. 2009-03-19 17:56:10 +00:00
logadm.if trunk: whitespace fixes 2009-06-26 14:40:13 +00:00
logadm.te Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
metadata.xml trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00
secadm.fc trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00
secadm.if trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
secadm.te Sort capabilities permissions from Russell Coker. 2017-02-15 18:47:33 -05:00
staff.fc trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00
staff.if trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
staff.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
sysadm.fc trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00
sysadm.if trunk: add sysadm_entry_spec_domtrans_to() interface from clip. 2009-01-15 15:07:37 +00:00
sysadm.te sysadm: allow resolving dynamic users 2019-02-12 21:43:08 +01:00
unprivuser.fc trunk: Move user roles into individual modules. 2008-04-29 13:58:34 +00:00
unprivuser.if trunk: merge UBAC. 2008-11-05 16:10:46 +00:00
unprivuser.te Bump module versions for release. 2019-02-01 15:03:42 -05:00
webadm.fc Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
webadm.if Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
webadm.te Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
xguest.fc Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
xguest.if Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00
xguest.te Move all files out of the old contrib directory. 2018-06-23 10:38:58 -04:00