libfuse 3.0 renamed fusermount to fusermount3 in order to allow both
libfuse 2 and libfuse 3 to be installed together:
695e45a4de
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
On a Debian 10 test virtual machine, when installing packages adds a
group, the following AVC occurs:
type=USER_AVC msg=audit(1578863991.588:575): pid=381 uid=104
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
msg='avc: denied { send_msg } for msgtype=method_call
interface=org.freedesktop.systemd1.Manager
member=LookupDynamicUserByName dest=org.freedesktop.systemd1
spid=13759 tpid=1 scontext=unconfined_u:unconfined_r:groupadd_t
tcontext=system_u:system_r:init_t tclass=dbus permissive=1
exe="/usr/bin/dbus-daemon" sauid=104 hostname=? addr=? terminal=?'
Allow groupadd to use nss-systemd, which calls DBUS method
LookupDynamicUserByName().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
systemd's Name Service Switch (NSS) module provides UNIX user and group
name resolution for dynamic users and groups allocated through options
such as DynamicUser= in systemd unit files, according to its man page,
https://github.com/systemd/systemd/blob/v244/man/nss-systemd.xml.
If systemd compiled without NOLEGACY, commit
24eccc3414
("nss-systemd,user-util: add a way how synthesizing "nobody" can be
turned off") implemented a way to tweak nss-systemd's behavior by
checking whether /etc/systemd/dont-synthesize-nobody exists. Allow this
access.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
When an unconfined user runs wine, there is an issue because
wine_domtrans() causes a transition to unconfined_u:unconfined_r:wine_t
without unconfined_r being associated with wine_t:
type=SELINUX_ERR msg=audit(1579963774.148:1047):
op=security_compute_sid
invalid_context="unconfined_u:unconfined_r:wine_t"
scontext=unconfined_u:unconfined_r:wine_t
tcontext=system_u:object_r:wine_exec_t tclass=process
This is fixed with "roleattribute unconfined_r wine_roles;", which is
provided by interface wine_run().
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Looking at all audit versions in gentoo (2.8.5 to 2.6.4) every single one of them has `var/log/audit` as a directory and not as a file.
Tested on gentoo.
example for querying their state, enabling and/or disabling
them using userspace tools such as "rfkill" from util-linux).
See also:
https://wireless.wiki.kernel.org/en/users/documentation/rfkill
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
policy/modules/system/userdomain.if | 1 +
1 file changed, 1 insertion(+)
Add interface similar to files_mountpoint() and add a conditional which
allows mount on non_security_file_type.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
