firewalld: allow watch on firewalld files

Seeing the following spamming the audit log:
node=localhost type=AVC msg=audit(1663285699.690:100198): avc:  denied { watch } for  pid=1021 comm="gmain" path="/usr/lib/firewalld/services" dev="dm-0" ino=136583 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1663285699.690:100199): avc:  denied { watch } for  pid=1021 comm="gmain" path="/etc/firewalld/helpers" dev="dm-0" ino=653079 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=dir permissive=0

node=localhost type=AVC msg=audit(1663291139.192:403): avc:  denied  { map } for  pid=1019 comm="firewalld" path=2F72756E2F2331323635202864656C6574656429 dev="tmpfs" ino=1265 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_runtime_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
This commit is contained in:
Dave Sugar 2022-09-15 20:33:24 -04:00
parent a035f86cbd
commit 8d22ebed52


@ -39,6 +39,7 @@ allow firewalld_t self:unix_stream_socket { accept listen };
allow firewalld_t self:netlink_netfilter_socket create_socket_perms;
allow firewalld_t self:udp_socket create_socket_perms;
allow firewalld_t firewalld_etc_rw_t:dir watch;
manage_dirs_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
manage_files_pattern(firewalld_t, firewalld_etc_rw_t, firewalld_etc_rw_t)
dontaudit firewalld_t firewalld_etc_rw_t:file { relabelfrom relabelto };
@ -54,7 +55,7 @@ files_tmp_filetrans(firewalld_t, firewalld_tmp_t, file)
allow firewalld_t firewalld_tmp_t:file mmap_exec_file_perms;
manage_dirs_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
mmap_manage_files_pattern(firewalld_t, firewalld_runtime_t, firewalld_runtime_t)
files_runtime_filetrans(firewalld_t, firewalld_runtime_t, { dir file })
manage_dirs_pattern(firewalld_t, firewalld_tmpfs_t, firewalld_tmpfs_t)
@ -83,6 +84,8 @@ fs_getattr_xattr_fs(firewalld_t)
logging_send_syslog_msg(firewalld_t)
libs_watch_lib_dirs(firewalld_t)
miscfiles_read_localization(firewalld_t)
seutil_exec_setfiles(firewalld_t)
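Review bot: `libs_watch_lib_dirs(firewalld_t)` in the third hunk grants watch on every lib_t directory, while the denial it answers is only for /usr/lib/firewalld/services; if that tree is firewalld-specific, a dedicated file-context entry carrying a firewalld-owned type would keep the new watch permission scoped to it rather than to all of lib_t. The swap of `manage_files_pattern` for `mmap_manage_files_pattern` on firewalld_runtime_t in the second hunk is justified by the map denial in the message, whose hex path decodes to `/run/#1265 (deleted)`, which appears to be an unlinked tmpfs file that firewalld maps; a comment such as `# firewalld maps an unlinked file under /run` above that line would spare the next reader the decode. The third hunk's lines seem to continue past the visible text.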