Update SOS report to work on RHEL9
binary is now /usr/sbin/sos Cleanup "invalid security context" type errors Allow read/write user ptty node=destination type=AVC msg=audit(1709914012.455:7495): avc: denied { read write } for pid=2214 comm="sos" path="/dev/pts/0" dev="devpts" ino=3 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1 node=destination type=AVC msg=audit(1709914012.527:7512): avc: denied { ioctl } for pid=2214 comm="sos" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5401 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1 node=destination type=AVC msg=audit(1709928066.892:80267): avc: denied { create } for pid=3998 comm="mkfifo" name="systemd-cat" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1 node=destination type=AVC msg=audit(1709928066.893:80269): avc: denied { write } for pid=3968 comm="dracut" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1 node=destination type=AVC msg=audit(1709928066.893:80269): avc: denied { open } for pid=3968 comm="dracut" path="/var/tmp/dracut.GUBZQZ/systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1 node=destination type=AVC msg=audit(1709928066.893:80281): avc: denied { read } for pid=3999 comm="dracut" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1 node=destination type=AVC msg=audit(1709928068.848:94243): avc: denied { unlink } for pid=4049 comm="rm" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1 node=destination type=AVC msg=audit(1709928080.775:126505): avc: 
denied { create } for pid=2229 comm="sos" name="lvmpolld.socket" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=sock_file permissive=1 node=destination type=AVC msg=audit(1709928080.775:126510): avc: denied { setattr } for pid=2229 comm="sos" name="lvmpolld.socket" dev="dm-3" ino=138652 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=sock_file permissive=1 Allow sosreport to read SELinux booleans node=destination type=AVC msg=audit(1709931730.500:181982): avc: denied { read } for pid=6578 comm="sestatus" name="aide_mmap_files" dev="selinuxfs" ino=33554432 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:boolean_t:s0 tclass=file permissive=1 node=destination type=AVC msg=audit(1709931730.500:181982): avc: denied { open } for pid=6578 comm="sestatus" path="/sys/fs/selinux/booleans/aide_mmap_files" dev="selinuxfs" ino=33554432 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:boolean_t:s0 tclass=file permissive=1 Allow sosreport dbus send_msg node=destination type=USER_AVC msg=audit(1709931682.344:10950): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" node=destination type=USER_AVC msg=audit(1709931707.581:103764): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? 
terminal=?'UID="dbus" AUID="unset" SAUID="dbus" node=destination type=USER_AVC msg=audit(1709931711.203:109364): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker node=destination type=USER_AVC msg=audit(1709931713.737:118226): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" node=destination type=USER_AVC msg=audit(1709931741.992:218433): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" node=destination type=USER_AVC msg=audit(1709931735.870:210757): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:devicekit_disk_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus" node=destination type=USER_AVC msg=audit(1709931742.051:218502): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? 
terminal=?'UID="dbus" AUID="unset" SAUID="dbus" Allow sosreport to get status of all units node=destination type=USER_AVC msg=audit(1709951886.954:202544): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dm-event.socket" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:lvm_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root" node=destination type=USER_AVC msg=audit(1709951886.994:202604): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dnf-makecache.timer" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:rpm_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root" node=destination type=USER_AVC msg=audit(1709951860.321:103971): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/fwupd.service" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? 
terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root" node=destination type=USER_AVC msg=audit(1709951889.117:209277): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-rfkill.service" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_rfkill_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root" Allow sosreport to map some files node=destination type=AVC msg=audit(1709951889.013:209184): avc: denied { map } for pid=6932 comm="lsusb" path="/etc/udev/hwdb.bin" dev="dm-0" ino=1180591 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1 node=destination type=AVC msg=audit(1709951850.662:58892): avc: denied { map } for pid=3814 comm="journalctl" path="/var/log/journal/4fa8dbda531a499cb4bdf065a9b23471/user-1000@db7a3287b7234e07b839915b69371deb-000000000000110a-0006133115ceaa6d.journal" dev="dm-6" ino=262149 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 Access SELinux stuff node=destination type=AVC msg=audit(1709951851.398:60712): avc: denied { compute_av } for pid=3902 comm="crontab" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 node=destination type=AVC msg=audit(1709951864.926:110932): avc: denied { map } for pid=5345 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 node=destination type=AVC msg=audit(1709951883.687:182874): avc: denied { check_context } for pid=6675 comm="selinuxdefcon" scontext=admin_u:staff_r:sosreport_t:s0 
tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 node=destination type=AVC msg=audit(1709951883.763:183087): avc: denied { compute_create } for pid=6696 comm="selinuxexeccon" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 node=destination type=AVC msg=audit(1709951883.946:183609): avc: denied { map } for pid=6715 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1 node=destination type=AVC msg=audit(1709951884.669:188960): avc: denied { read_policy } for pid=6703 comm="semanage" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1 Signed-off-by: Dave Sugar <dsugar100@gmail.com>
This commit is contained in:
parent
fa84ee8fc0
commit
3643773aed
@ -1,5 +1,6 @@
|
|||
/usr/bin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
|
||||
|
||||
/usr/sbin/sosreport -- gen_context(system_u:object_r:sosreport_exec_t,s0)
|
||||
/usr/sbin/sos -- gen_context(system_u:object_r:sosreport_exec_t,s0)
|
||||
|
||||
/\.ismount-test-file -- gen_context(system_u:object_r:sosreport_tmp_t,s0)
|
||||
|
|
|
@ -39,8 +39,10 @@ allow sosreport_t self:tcp_socket { accept listen };
|
|||
allow sosreport_t self:unix_stream_socket { accept listen };
|
||||
|
||||
manage_dirs_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
|
||||
manage_fifo_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
|
||||
manage_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
|
||||
manage_lnk_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
|
||||
manage_sock_files_pattern(sosreport_t, sosreport_tmp_t, sosreport_tmp_t)
|
||||
files_root_filetrans(sosreport_t, sosreport_tmp_t, file, ".ismount-test-file")
|
||||
files_tmp_filetrans(sosreport_t, sosreport_tmp_t, { file dir })
|
||||
|
||||
|
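Review bot: The two new `manage_*_pattern` rules on L47 and L56 only cover fifo and socket objects that already land in sosreport_tmp_t, while `files_tmp_filetrans` on L62 still transitions only `{ file dir }`; a fifo or socket created directly under /tmp or /var/tmp would be labelled tmp_t and keep being denied. In the quoted denials the objects sit inside a sosreport-owned directory (`/var/tmp/dracut.GUBZQZ/systemd-cat`, tcontext=sosreport_tmp_t), so the transition is presumably not needed today, but that is worth stating. Suggested comment above L47: `# dracut (systemd-cat fifo) and lvm (lvmpolld.socket) create these inside the report's tmp dir`.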
@ -91,10 +93,17 @@ files_read_kernel_modules(sosreport_t)
|
|||
files_read_all_symlinks(sosreport_t)
|
||||
files_manage_etc_runtime_files(sosreport_t)
|
||||
files_etc_filetrans_etc_runtime(sosreport_t, file)
|
||||
files_map_usr_files(sosreport_t)
|
||||
|
||||
fs_getattr_all_fs(sosreport_t)
|
||||
fs_list_inotifyfs(sosreport_t)
|
||||
|
||||
selinux_compute_access_vector(sosreport_t)
|
||||
selinux_compute_create_context(sosreport_t)
|
||||
selinux_get_all_booleans(sosreport_t)
|
||||
selinux_read_policy(sosreport_t)
|
||||
selinux_validate_context(sosreport_t)
|
||||
|
||||
storage_dontaudit_read_fixed_disk(sosreport_t)
|
||||
storage_dontaudit_read_removable_device(sosreport_t)
|
||||
|
||||
|
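Review bot: `files_map_usr_files` on L80 is not backed by any denial in the commit description — the only `map` denials quoted are for systemd_hwdb_t (lsusb) and systemd_journal_t (journalctl), which other hunks address — so it should either get a comment naming the caller that needs it or be dropped until a denial shows up. The five `selinux_*` interfaces on L93–L105 each match a quoted denial (sestatus, crontab, selinuxdefcon, selinuxexeccon, semanage), but `selinux_read_policy` exposes the full binary kernel policy to sosreport_t; a short comment such as `# semanage/sestatus/selinuxdefcon run by the selinux plugin` would make the audit trail clear. The udevadm `map` denial on /sys/fs/selinux/status (security_t:file) is only covered if one of these interfaces, or an existing rule outside the hunk, grants `security_t:file map`; if not, it will recur in enforcing mode.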
@ -102,9 +111,11 @@ term_use_generic_ptys(sosreport_t)
|
|||
|
||||
auth_use_nsswitch(sosreport_t)
|
||||
|
||||
init_get_all_units_status(sosreport_t)
|
||||
init_dbus_chat(sosreport_t)
|
||||
init_domtrans_script(sosreport_t)
|
||||
|
||||
libs_domtrans_ldconfig(sosreport_t)
|
||||
libs_run_ldconfig(sosreport_t, sosreport_roles)
|
||||
|
||||
logging_read_all_logs(sosreport_t)
|
||||
logging_send_syslog_msg(sosreport_t)
|
||||
|
@ -113,6 +124,8 @@ miscfiles_read_localization(sosreport_t)
|
|||
|
||||
modutils_read_module_deps(sosreport_t)
|
||||
|
||||
userdom_use_inherited_user_terminals(sosreport_t)
|
||||
|
||||
optional_policy(`
|
||||
abrt_manage_runtime_files(sosreport_t)
|
||||
abrt_manage_cache(sosreport_t)
|
||||
|
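Review bot: `userdom_use_inherited_user_terminals` on L165 addresses the user_devpts_t read/write/ioctl denials, which the existing `term_use_generic_ptys` (visible in the previous hunk header) does not cover because the pty is the admin's own session terminal, not a generic one. The reason is not obvious from the rule alone, so a one-line comment would help the next reader: `# sos is started from an admin/staff shell; use the inherited pty for progress output`. The TCGETS ioctl (0x5401) in the denial is presumably within the inherited-terminal permission set — worth confirming in enforcing mode.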
@ -123,12 +136,21 @@ optional_policy(`
|
|||
cups_stream_connect(sosreport_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
devicekit_dbus_chat(sosreport_t)
|
||||
devicekit_dbus_chat_disk(sosreport_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
dmesg_domtrans(sosreport_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
fstools_domtrans(sosreport_t)
|
||||
firewalld_dbus_chat(sosreport_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
fstools_run(sosreport_t, sosreport_roles)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
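Review bot: `firewalld_dbus_chat` on L222 and the two `devicekit_dbus_chat*` calls on L194/L197 grant `dbus send_msg` in both directions, and SELinux does not distinguish D-Bus methods, so sosreport_t can call state-changing firewalld and udisks methods even though the quoted denials only show sos querying status; method-level control is left to each daemon's own D-Bus/polkit policy. That is acceptable for a root-run diagnostic domain, but should be acknowledged: `# sos only queries state; dbus send_msg is not method-granular`. On this rendered page the fstools block boundaries (L216–L236) are ambiguous — if `fstools_domtrans` on L219 was removed on the new side, `fstools_run` on L233 already includes the transition, so nothing is lost; if it was kept, the two lines belong in the same optional_policy block.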
@ -140,11 +162,19 @@ optional_policy(`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
lvm_domtrans(sosreport_t)
|
||||
lvm_run(sosreport_t, sosreport_roles)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
mount_domtrans(sosreport_t)
|
||||
mount_run(sosreport_t, sosreport_roles)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
networkmanager_dbus_chat(sosreport_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
ntp_dbus_chat(sosreport_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
@ -158,7 +188,14 @@ optional_policy(`
|
|||
')
|
||||
|
||||
optional_policy(`
|
||||
setroubleshoot_signull(sosreport_t)
|
||||
setroubleshoot_signull(sosreport_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
systemd_dbus_chat_hostnamed(sosreport_t)
|
||||
systemd_dbus_chat_logind(sosreport_t)
|
||||
systemd_map_hwdb(sosreport_t)
|
||||
systemd_read_journal_files(sosreport_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
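Review bot: `setroubleshoot_signull(sosreport_t)` appears twice, on L318 and L321; if both lines are on the new side one is redundant (duplicate allow rules compile but clutter the module), whereas if the page printed a whitespace-only change as old then new there is nothing to fix — worth checking the raw diff. `systemd_read_journal_files` on L341 overlaps with the existing `logging_read_all_logs` from an earlier hunk; the new interface is presumably needed for the `map` denial on journal files, so a comment such as `# journalctl mmaps journal files; read_all_logs does not grant map` would explain keeping both. The `optional_policy` opened on L349 continues outside the hunk.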