Commit Graph

7206 Commits

Author SHA1 Message Date
Chris PeBenito af26e63697 Merge pull request #778 from 0xC0ncord/various-20240506
Various fixes
2024-05-13 08:38:14 -04:00
Kenton Groombridge 27602a932b various: various fixes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:37 -04:00
Kenton Groombridge 63d50bbaa3 container, crio, kubernetes: minor fixes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:37 -04:00
Kenton Groombridge 11e729e273 container, podman: various fixes
Various fixes for containers and podman, mostly centered around quadlet
and netavark updates.

One particular change which may stand out is allowing podman_conmon_t to
IOCTL container_file_t files. I wish I could know why this was hit, but
I don't. The relevant AVC is:

type=PROCTITLE msg=audit(1704734027.100:15951872): proctitle=2F7573722F6C6962657865632F706F646D616E2F636F6E6D6F6E002D2D6170692D76657273696F6E0031002D630038316432646439333738336637626231346134326463396635333163663533323864653337633838663330383466316634613036616464366163393035666337002D75003831643264643933373833663762
type=EXECVE msg=audit(1704734027.100:15951872): argc=93 a0="/usr/libexec/podman/conmon" a1="--api-version" a2="1" a3="-c" a4="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a5="-u" a6="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a7="-r" a8="/usr/bin/crun" a9="-b" a10="/var/lib/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata" a11="-p" a12="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/pidfile" a13="-n" a14="harbor-core-pod-core" a15="--exit-dir" a16="/run/libpod/exits" a17="--full-attach" a18="-s" a19="-l" a20="journald" a21="--log-level" a22="warning" a23="--syslog" a24="--runtime-arg" a25="--log-format=json" a26="--runtime-arg" a27="--log" a28="--runtime-arg=/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/oci-log" a29="--conmon-pidfile" a30="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/conmon.pid" a31="--exit-command" a32="/usr/bin/podman" a33="--exit-command-arg" a34="--root" a35="--exit-command-arg" a36="/var/lib/containers/storage" a37="--exit-command-arg" a38="--runroot" a39="--exit-command-arg" a40="/run/containers/storage" a41="--exit-command-arg" a42="--log-level" a43="--exit-command-arg" a44="warning" a45="--exit-command-arg" a46="--cgroup-manager" a47="--exit-command-arg" a48="systemd" a49="--exit-command-arg" a50="--tmpdir" a51="--exit-command-arg" a52="/run/libpod" a53="--exit-command-arg" a54="--network-config-dir" a55="--exit-command-arg" a56="" a57="--exit-command-arg" a58="--network-backend" a59="--exit-command-arg" a60="netavark" a61="--exit-command-arg" a62="--volumepath" a63="--exit-command-arg" a64="/var/lib/containers/storage/volumes" a65="--exit-command-arg" a66="--db-backend" a67="--exit-command-arg" a68="sqlite" a69="--exit-command-arg" a70="--transient-store=false" a71="--exit-command-arg" a72="--runtime" a73="--exit-command-arg" a74="crun" a75="--exit-command-arg" a76="--storage-driver" a77="--exit-command-arg" a78="overlay" a79="--exit-command-arg" a80="--storage-opt" a81="--exit-command-arg" a82="overlay.mountopt=nodev" a83="--exit-command-arg" a84="--events-backend" a85="--exit-command-arg" a86="journald" a87="--exit-command-arg" a88="container" a89="--exit-command-arg" a90="cleanup" a91="--exit-command-arg" a92="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7"
type=SYSCALL msg=audit(1704734027.100:15951872): arch=c000003e syscall=59 success=yes exit=0 a0=c000698020 a1=c0005ea600 a2=c000820d20 a3=0 items=0 ppid=3434178 pid=3434219 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmon" exe="/usr/bin/conmon" subj=system_u:system_r:podman_conmon_t:s0 key=(null)
type=AVC msg=audit(1704734027.100:15951872): avc:  denied  { ioctl } for  pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00
Kenton Groombridge ef5954a0e9 systemd: allow systemd-sysctl to search tmpfs
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00
Kenton Groombridge 472e0442e7 container: allow containers to getcap
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00
Kenton Groombridge 7876e51510 container: allow system container engines to mmap runtime files
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00
Kenton Groombridge d917092a81 matrixd: add tunable for binding to all unreserved ports
This is to support using Synapse workers which require binding to
multiple TCP ports in lieu of manually labeling unreserved ports for
use.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:54 -04:00
Kenton Groombridge 3dba91dd48 bootloader: allow systemd-boot to manage EFI binaries
systemd-boot's bootctl utility is used to install and update its EFI
binaries in the EFI partition. If it is mounted with boot_t, bootctl
needs to be able to manage boot_t files.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:54 -04:00
Kenton Groombridge ddf395d5d4 asterisk: allow binding to all unreserved UDP ports
This is for RTP streaming.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:51 -04:00
Kenton Groombridge 3bad3696b8 postgres: add a standalone execmem tunable
Add a separate tunable to allow Postgres to use execmem. This is to
support JIT in the Postgres server without enabling it for the entire
system.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:51 -04:00
Kenton Groombridge ef28f7879a userdom: allow users to read user home dir symlinks
This is to support user home directories primarily living in another
directory with a symlink in /home that points to it.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:23 -04:00
Kenton Groombridge 03711caea1 dovecot: allow dovecot-auth to read SASL keytab
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:23 -04:00
Kenton Groombridge cd781e783e fail2ban: allow reading net sysctls
type=AVC msg=audit(1696613589.191:194926): avc:  denied  { search } for  pid=1724 comm="f2b/f.dovecot" name="net" dev="proc" ino=2813 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:23 -04:00
Kenton Groombridge ddc6ac493c init: allow systemd to use sshd pidfds
Without this, a lengthy 2 minute delay can be observed SSHing into a
system while pam_systemd tries to create a login session.

May 06 14:22:08 megumin.fuwafuwatime.moe sshd[29384]: pam_systemd(sshd:session): Failed to create session: Connection timed out

type=AVC msg=audit(1715019897.540:13855): avc:  denied  { use } for  pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=1

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:00:18 -04:00
Chris PeBenito eefc22e395 Merge pull request #768 from plsph/merged-usr-gentoo
files context for merged-usr profile on gentoo
2024-05-09 08:28:30 -04:00
Grzegorz Filo b9c457d80a files context for merged-usr profile on gentoo
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2024-05-08 13:46:48 +02:00
Chris PeBenito 6daf602382 init: Add homectl dbus access.
homectl is used in the systemd-homed-activate.service ExecStop.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-05-07 10:26:18 -04:00
Chris PeBenito 7d998958dc filesystem/systemd: memory.pressure fixes.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-05-07 10:23:10 -04:00
Chris PeBenito 9b4ac09194 Merge pull request #777 from dsugar100/cockpit_map
Need map perm for cockpit 300.4
2024-05-06 13:43:26 -04:00
Dave Sugar 5040dd3b6e Need map perm for cockpit 300.4
node=localhost type=AVC msg=audit(1714870999.370:3558): avc:  denied  { map } for  pid=7081 comm="cockpit-bridge" path=2F6465762F23373933202864656C6574656429 dev="devtmpfs" ino=793 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:staff_cockpit_tmpfs_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-05-05 22:14:39 -04:00
Chris PeBenito d049eb2173 cloudinit: Add support for cloud-init-growpart.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-05-02 14:59:32 -04:00
Chris PeBenito 739ae42cac systemd: Add basic systemd-analyze rules.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-05-02 14:57:29 -04:00
Chris PeBenito 0dc400529c Merge pull request #776 from pebenito/sechecker
Add initial sechecker configuration for CI.
2024-04-30 10:17:51 -04:00
Chris PeBenito 029684596a Merge pull request #775 from matt-sheets/masheets/init-siginh
Allow systemd to pass down sig mask
2024-04-30 10:09:02 -04:00
Chris PeBenito 2ef9838dba tests.yml: Add sechecker testing.
Add initial privilege and integrity tests.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-29 14:20:24 -04:00
Chris PeBenito c62bd5c6c0 cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-29 14:20:24 -04:00
Chris PeBenito 1c694125b7 certbot: Drop execmem.
This is related to FFI use in python3-openssl. Libffi now changes behavior
when it detects SELinux, to avoid this type of denial.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-29 14:20:24 -04:00
Chris PeBenito 349411d555 xen: Drop xend/xm stack.
Xend/xm was replaced with xl in Xen 4.5 (Jan 2015).

https://xenproject.org/2015/01/15/less-is-more-in-the-new-xen-project-4-5-release/

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-29 14:20:19 -04:00
Matt Sheets 2a261f9166 Allow systemd to pass down sig mask
IgnoreSIGPIPE is a feature that requires systemd to pass the signal
mask down to the forked process. To allow this, the siginh permission must
be allowed for all process domains that can be forked by systemd.

Signed-off-by: Matt Sheets <masheets@linux.microsoft.com>
2024-04-26 17:17:24 -07:00
Chris PeBenito 2577feb839 cups: Remove PTAL.
This is part of the HPOJ, which was superseded by HPLIP in 2006.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-26 14:21:12 -04:00
Chris PeBenito 5b02b44e51 xen: Revoke kernel module loading permissions.
This domain also calls kernel_request_load_module(), which should be
sufficient.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-26 14:21:12 -04:00
Chris PeBenito 1c20c002cd minissdpd: Revoke kernel module loading permissions.
This domain also calls kernel_request_load_module(), which should be
sufficient.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-26 14:21:12 -04:00
Chris PeBenito 5671390e2c docker: Fix dockerc typo in container_engine_executable_file
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-26 14:21:12 -04:00
Chris PeBenito e1bc4830d6 cron: Use raw entrypoint rule for system_cronjob_t.
By using domain_entry_file() to provide the entrypoint permission, it makes
the spool file an executable, with unexpected access.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-26 14:21:12 -04:00
Chris PeBenito 0f71792c8c uml: Remove excessive access from user domains on uml_exec_t.
The user domains were allowed to modify uml_exec_t files.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-04-26 14:21:12 -04:00
Chris PeBenito f889384ddf Merge pull request #774 from ralther/machine-info
Set the type on /etc/machine-info to net_conf_t
2024-04-24 13:25:36 -04:00
Chris PeBenito bea4b160bf Merge pull request #773 from ralther/fix_MCS_CATS_comment
Minor correction in MCS_CATS range comment
2024-04-22 10:11:25 -04:00
Chris PeBenito 0ede5759d8 Merge pull request #769 from cgzones/systemd
systemd: allow notify client to stat socket
2024-04-22 09:56:00 -04:00
Rick Alther 511223e2d1 Set the type on /etc/machine-info to net_conf_t so hostnamectl can manipulate it (CRUD)
When attempting to set the PRETTY_HOSTNAME (e.g. hostnamectl --pretty hostname "My Pretty Host") you will receive these denials in the audit log:
node=localhost type=AVC msg=audit(1713748477.775:17769): avc: denied { create } for pid=3012 comm="systemd-hostnam" name=".#machine-infocuJGLW" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

node=localhost type=AVC msg=audit(1713748477.775:17769): avc: denied { write } for pid=3012 comm="systemd-hostnam" path="/etc/.#machine-infocuJGLW" dev="dm-1" ino=1180584 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

node=localhost type=PATH msg=audit(1713748477.775:17769): item=1 name="/etc/.#machine-infocuJGLW" inode=1180584 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"

node=localhost type=AVC msg=audit(1713748477.775:17770): avc: denied { setattr } for pid=3012 comm="systemd-hostnam" name=".#machine-infocuJGLW" dev="dm-1" ino=1180584 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

node=localhost type=AVC msg=audit(1713748477.776:17771): avc: denied { rename } for pid=3012 comm="systemd-hostnam" name=".#machine-infocuJGLW" dev="dm-1" ino=1180584 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1

node=localhost type=PATH msg=audit(1713748477.776:17771): item=2 name="/etc/.#machine-infocuJGLW" inode=1180584 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"

node=localhost type=PATH msg=audit(1713748477.776:17771): item=3 name="/etc/machine-info" inode=1180584 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"

node=localhost type=PATH msg=audit(1713748497.093:17897): item=0 name="/etc/machine-info" inode=1180584 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"

This is on a Rocky 9 system where the default type is etc_t. Setting the type to net_conf_t allows the command to succeed without error.

Signed-off-by: Rick Alther <alther@acm.org>
2024-04-22 09:20:11 -04:00
Rick Alther 72fc1b2a3e fix: minor correction in MCS_CATS range comment
Signed-off-by: Rick Alther <alther@acm.org>
2024-04-22 01:27:13 -04:00
Christian Göttsche cbf56c8aea systemd: allow notify client to stat socket
Caused by the latest openssh version in Debian sid:

    AVC avc:  denied  { getattr } for  pid=13544 comm="sshd" path="/run/systemd/notify" dev="tmpfs" ino=286 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:systemd_runtime_notify_t:s0 tclass=sock_file permissive=0

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-04-13 21:08:01 +02:00
Chris PeBenito 6507eebc23 Merge pull request #750 from dsugar100/selinux_dbus
Setup domain for dbus selinux interface
2024-04-02 08:56:15 -04:00
Chris PeBenito 77184560ba Merge pull request #766 from dsugar100/sos_rhel9
Update SOS report to work on RHEL9
2024-04-02 08:55:19 -04:00
Chris PeBenito 48b4e36137 Merge pull request #767 from cgzones/misc
Misc
2024-04-02 08:53:27 -04:00
Christian Göttsche 0aff1990e1 quota: read localization
AVC avc:  denied  { map } for  pid=581 comm="quotaon" path="/usr/lib/locale/locale-archive" dev="vda1" ino=392093 scontext=system_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:locale_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-03-28 20:02:47 +01:00
Christian Göttsche ab13c04211 getty: grant checkpoint_restore
Since Linux 6.7 checkpoint-restore functionality is guarded via the
capability CAP_CHECKPOINT_RESTORE, with a fallback to CAP_SYS_ADMIN.
Grant the new capability while keeping the old one for backwards
compatibility.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-03-28 20:01:49 +01:00
Dave Sugar 3643773aed Update SOS report to work on RHEL9
binary is now /usr/sbin/sos
Cleanup "invalid security context" type errors

Allow read/write user ptty
node=destination type=AVC msg=audit(1709914012.455:7495): avc: denied  { read write } for  pid=2214 comm="sos" path="/dev/pts/0" dev="devpts" ino=3 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
node=destination type=AVC msg=audit(1709914012.527:7512): avc: denied  { ioctl } for  pid=2214 comm="sos" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5401 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1

node=destination type=AVC msg=audit(1709928066.892:80267): avc:  denied  { create } for  pid=3998 comm="mkfifo" name="systemd-cat" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1
node=destination type=AVC msg=audit(1709928066.893:80269): avc:  denied  { write } for  pid=3968 comm="dracut" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1
node=destination type=AVC msg=audit(1709928066.893:80269): avc:  denied  { open } for  pid=3968 comm="dracut" path="/var/tmp/dracut.GUBZQZ/systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1
node=destination type=AVC msg=audit(1709928066.893:80281): avc:  denied  { read } for  pid=3999 comm="dracut" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1
node=destination type=AVC msg=audit(1709928068.848:94243): avc:  denied  { unlink } for  pid=4049 comm="rm" name="systemd-cat" dev="dm-3" ino=24 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=fifo_file permissive=1
node=destination type=AVC msg=audit(1709928080.775:126505): avc:  denied  { create } for  pid=2229 comm="sos" name="lvmpolld.socket" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=sock_file permissive=1
node=destination type=AVC msg=audit(1709928080.775:126510): avc:  denied  { setattr } for pid=2229 comm="sos" name="lvmpolld.socket" dev="dm-3" ino=138652 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:sosreport_tmp_t:s0 tclass=sock_file permissive=1

Allow sosreport to read SELinux booleans

node=destination type=AVC msg=audit(1709931730.500:181982): avc:  denied  { read } for  pid=6578 comm="sestatus" name="aide_mmap_files" dev="selinuxfs" ino=33554432 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:boolean_t:s0 tclass=file permissive=1
node=destination type=AVC msg=audit(1709931730.500:181982): avc:  denied  { open } for  pid=6578 comm="sestatus" path="/sys/fs/selinux/booleans/aide_mmap_files" dev="selinuxfs" ino=33554432 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:boolean_t:s0 tclass=file permissive=1

Allow sosreport dbus send_msg

node=destination type=USER_AVC msg=audit(1709931682.344:10950): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=?  terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
node=destination type=USER_AVC msg=audit(1709931707.581:103764): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=?  terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
node=destination type=USER_AVC msg=audit(1709931711.203:109364): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker
node=destination type=USER_AVC msg=audit(1709931713.737:118226): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:systemd_hostnamed_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=?  terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
node=destination type=USER_AVC msg=audit(1709931741.992:218433): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=?  terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
node=destination type=USER_AVC msg=audit(1709931735.870:210757): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied  { send_msg } for  scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:devicekit_disk_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=?  terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
node=destination type=USER_AVC msg=audit(1709931742.051:218502): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:ntpd_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=?  terminal=?'UID="dbus" AUID="unset" SAUID="dbus"

Allow sosreport to get status of all units

node=destination type=USER_AVC msg=audit(1709951886.954:202544): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dm-event.socket" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:lvm_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?  terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
node=destination type=USER_AVC msg=audit(1709951886.994:202604): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/dnf-makecache.timer" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:rpm_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?  terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
node=destination type=USER_AVC msg=audit(1709951860.321:103971): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/fwupd.service" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?  terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
node=destination type=USER_AVC msg=audit(1709951889.117:209277): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/systemd-rfkill.service" cmdline="" function="mac_selinux_filter" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_rfkill_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?  terminal=?'UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"

Allow sosreport to map some files

node=destination type=AVC msg=audit(1709951889.013:209184): avc: denied  { map } for  pid=6932 comm="lsusb" path="/etc/udev/hwdb.bin" dev="dm-0" ino=1180591 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_hwdb_t:s0 tclass=file permissive=1
node=destination type=AVC msg=audit(1709951850.662:58892): avc: denied  { map } for  pid=3814 comm="journalctl" path="/var/log/journal/4fa8dbda531a499cb4bdf065a9b23471/user-1000@db7a3287b7234e07b839915b69371deb-000000000000110a-0006133115ceaa6d.journal" dev="dm-6" ino=262149 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Access SELinux stuff

node=destination type=AVC msg=audit(1709951851.398:60712): avc: denied  { compute_av } for  pid=3902 comm="crontab" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
node=destination type=AVC msg=audit(1709951864.926:110932): avc:  denied  { map } for  pid=5345 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
node=destination type=AVC msg=audit(1709951883.687:182874): avc: denied  { check_context } for  pid=6675 comm="selinuxdefcon" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
node=destination type=AVC msg=audit(1709951883.763:183087): avc:  denied  { compute_create } for pid=6696 comm="selinuxexeccon" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1
node=destination type=AVC msg=audit(1709951883.946:183609): avc:  denied  { map } for  pid=6715 comm="udevadm" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
node=destination type=AVC msg=audit(1709951884.669:188960): avc:  denied  { read_policy } for pid=6703 comm="semanage" scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=security permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-03-09 17:23:47 -05:00
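The commits above each start from a set of raw audit records, which the author reduces by hand (or with audit2allow) to the source type, target type, object class and permissions that a rule must cover. The helper below is an added example, not code from the refpolicy project: it parses kernel AVC records and the USER_AVC records that dbus-broker and systemd emit (the formats quoted in these messages), merges them into those triples, and separates records that were actually blocked (permissive=0) from ones that were only logged. The sample records are copied from the commit messages on this page.

```python
"""Group SELinux denial records into the (source type, target type, class)
triples a policy author reviews before writing an allow rule.

Handles the two record shapes quoted in the commit messages on this page:
kernel AVC records ("type=AVC ... avc: denied { perm } for ...") and
userspace object-manager USER_AVC records, where dbus-broker or systemd
embed the same "avc: denied ..." text inside msg='...'.
"""
import re
from collections import defaultdict

# Sample records copied from the commit messages above; the SYSCALL record is
# included to show that non-AVC records of the same event are ignored.
SAMPLE_AUDIT_LOG = """\
node=destination type=AVC msg=audit(1709914012.455:7495): avc: denied  { read write } for  pid=2214 comm="sos" path="/dev/pts/0" dev="devpts" ino=3 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
node=destination type=AVC msg=audit(1709914012.527:7512): avc: denied  { ioctl } for  pid=2214 comm="sos" path="/dev/pts/0" dev="devpts" ino=3 ioctlcmd=0x5401 scontext=admin_u:staff_r:sosreport_t:s0 tcontext=admin_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=1
node=destination type=USER_AVC msg=audit(1709931682.344:10950): pid=1194 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=admin_u:staff_r:sosreport_t:s0 tcontext=system_u:system_r:NetworkManager_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=?  terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
type=AVC msg=audit(1715019897.540:13855): avc:  denied  { use } for  pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=1
type=AVC msg=audit(1696613589.191:194926): avc:  denied  { search } for  pid=1724 comm="f2b/f.dovecot" name="net" dev="proc" ino=2813 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(1715019897.540:13855): arch=c000003e syscall=59 success=yes exit=0
"""

# One pattern serves both record kinds because the "avc: denied ..." text is
# identical; only what surrounds it differs.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+"
    r"(?P<fields>.*?)"  # pid=, comm=, path=, ... on kernel records
    r"\bscontext=(?P<scontext>\S+)\s+"
    r"tcontext=(?P<tcontext>\S+)\s+"
    r"tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)
COMM_RE = re.compile(r'\bcomm="([^"]*)"')


def type_of(context):
    """Return the type component of a user:role:type[:range] context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]


def parse_denials(text):
    """Parse every AVC/USER_AVC denial in an audit log excerpt."""
    denials = []
    for line in text.splitlines():
        match = AVC_RE.search(line)
        if match is None:
            continue  # SYSCALL, PATH, PROCTITLE, ... carry no denial
        comm = COMM_RE.search(match["fields"])
        denials.append({
            "userspace": "type=USER_AVC" in line,
            "comm": comm.group(1) if comm else None,
            "perms": frozenset(match["perms"].split()),
            "source": type_of(match["scontext"]),
            "target": type_of(match["tcontext"]),
            "tclass": match["tclass"],
            # permissive=1: logged but still allowed, so the event sequence is
            # complete; permissive=0: blocked, so anything the program would
            # have tried next never shows up in the log.
            "permissive": match["permissive"] == "1",
        })
    return denials


def summarize(denials):
    """Merge denials into {(source, target, tclass): sorted permission list}."""
    merged = defaultdict(set)
    for d in denials:
        merged[(d["source"], d["target"], d["tclass"])] |= d["perms"]
    return {key: sorted(perms) for key, perms in merged.items()}


def format_rule(source, target, tclass, perms):
    """Render one triple in reference-policy allow-rule syntax for review."""
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {source} {target}:{tclass} {body};"


def enforced_sources(denials):
    """Source types whose access was actually blocked (permissive=0)."""
    return sorted({d["source"] for d in denials if not d["permissive"]})


if __name__ == "__main__":
    found = parse_denials(SAMPLE_AUDIT_LOG)
    for (src, tgt, cls), perms in sorted(summarize(found).items()):
        print(format_rule(src, tgt, cls, perms))
    print("blocked in enforcing mode:", enforced_sources(found))
```

The printed rules are candidates for review, not policy to apply as-is; in refpolicy the access is normally expressed through an interface of the target's module rather than a raw allow rule.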
Chris PeBenito fa84ee8fc0 Update Changelog and VERSION for release 2.20240226.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2024-02-26 13:38:45 -05:00
Chris PeBenito d48b57a5bd Merge pull request #763 from cgzones/dnl_space
libraries: drop space in empty line
2024-02-23 13:18:44 -05:00