Commit Graph

7124 Commits

Author SHA1 Message Date
Dave Sugar
fcfffd4a2c Allow key manipulation
node=localhost type=AVC msg=audit(1701897597.942:245462): avc:  denied { create } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc:  denied { write } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc:  denied { search } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc:  denied { link } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=key permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
b34ce38bfd admin can read/write web socket
node=localhost type=AVC msg=audit(1701889206.489:120065): avc:  denied { use } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=fd permissive=1
node=localhost type=AVC msg=audit(1701889206.489:120065): avc:  denied { read write } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889206.500:120084): avc:  denied { ioctl } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 ioctlcmd=0x5401 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889207.271:120489): avc:  denied { write } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889207.279:120491): avc:  denied { read } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889217.374:123275): avc:  denied { use } for  pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=fd permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
cb810219ba This works instead of allow exec on user_tmpfs_t!
node=localhost type=AVC msg=audit(1702069242.629:385266): avc:  denied  { execute } for  pid=5860 comm="cockpit-bridge" path=2F6465762F23373833202864656C6574656429 dev="devtmpfs" ino=783 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:device_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
7abf35393b This seems important for administrative access
node=localhost type=AVC msg=audit(1701976221.478:269623): avc:  denied { read write } for  pid=11016 comm="sudo" path="socket:[138427]" dev="sockfs" ino=138427 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=unix_stream_socket permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
675144499f Signal during logout
node=localhost type=AVC msg=audit(1701975071.847:229359): avc:  denied { signal } for  pid=10270 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0 tclass=process permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
a242691898 The L+ tmpfiles option needs to read the symlink
node=localhost type=AVC msg=audit(1701956913.910:21672): avc:  denied  { read } for  pid=3783 comm="systemd-tmpfile" name="motd" dev="tmpfs" ino=1812 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:cockpit_runtime_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
fddef574ba Allow sudo dbus chat w/systemd-logind
node=localhost type=USER_AVC msg=audit(1701890241.838:133264): pid=1613 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=toor_u:staff_r:staff_sudo_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?' UID="dbus" AUID="unset" SAUID="dbus"

node=localhost type=AVC msg=audit(1701890241.838:133265): avc:  denied { search } for  pid=1627 comm="systemd-logind" name="8995" dev="proc" ino=72855 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133265): avc:  denied { read } for  pid=1627 comm="systemd-logind" name="cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133265): avc:  denied { open } for  pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133266): avc:  denied { getattr } for  pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701890241.838:133267): avc:  denied { ioctl } for  pid=1627 comm="systemd-logind" path="/proc/8995/cgroup" dev="proc" ino=72856 ioctlcmd=0x5401 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=toor_u:staff_r:staff_sudo_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
c199c29b11 cockpit ssh as user
node=localhost type=AVC msg=audit(1701889205.276:117169): avc:  denied { use } for  pid=8720 comm="ssh-agent" path="pipe:[68232]" dev="pipefs" ino=68232 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=1
node=localhost type=AVC msg=audit(1701889205.276:117169): avc:  denied { read } for  pid=8720 comm="ssh-agent" path="pipe:[68232]" dev="pipefs" ino=68232 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
node=localhost type=AVC msg=audit(1701889205.276:117169): avc:  denied { write } for  pid=8720 comm="ssh-agent" path="pipe:[68233]" dev="pipefs" ino=68233 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
node=localhost type=AVC msg=audit(1701889205.314:117185): avc:  denied { getattr } for  pid=8720 comm="ssh-agent" path="pipe:[68233]" dev="pipefs" ino=68233 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fifo_file permissive=1
node=localhost type=AVC msg=audit(1701889286.260:125552): avc:  denied { use } for  pid=8908 comm="ssh-agent" path="pipe:[70169]" dev="pipefs" ino=70169 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=0
node=localhost type=AVC msg=audit(1701889286.260:125552): avc:  denied { use } for  pid=8908 comm="ssh-agent" path="pipe:[70170]" dev="pipefs" ino=70170 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=0
node=localhost type=AVC msg=audit(1701889286.260:125552): avc:  denied { use } for  pid=8908 comm="ssh-agent" path="pipe:[70171]" dev="pipefs" ino=70171 scontext=staff_u:sysadm_r:sysadm_ssh_agent_t:s0 tcontext=system_u:system_r:cockpit_session_t:s0 tclass=fd permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
4f90070e21 allow systemd --user to execute systemd-tmpfiles in <user>_systemd_tmpfiles_t domain
node=localhost type=AVC msg=audit(1701889206.398:119881): avc:  denied { execute } for  pid=8733 comm="(tmpfiles)" name="systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701889206.398:119884): avc:  denied { read open } for  pid=8733 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701889206.398:119884): avc:  denied { execute_no_trans } for  pid=8733 comm="(tmpfiles)" path="/usr/bin/systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701889206.398:119884): avc:  denied { map } for  pid=8733 comm="systemd-tmpfile" path="/usr/bin/systemd-tmpfiles" dev="dm-1" ino=15564 scontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_tmpfiles_exec_t:s0 tclass=file permissive=1

node=localhost type=AVC msg=audit(1705259838.473:3560): avc:  denied  { read write } for  pid=4853 comm="systemd-tmpfile" path="socket:[47094]" dev="sockfs" ino=47094 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3562): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="kernel" dev="proc" ino=13283 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3562): avc:  denied  { read } for  pid=4853 comm="systemd-tmpfile" name="cap_last_cap" dev="proc" ino=13343 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3562): avc:  denied  { open } for  pid=4853 comm="systemd-tmpfile" path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=13343 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.479:3563): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" name="/" dev="proc" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3564): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3568): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" name="/" dev="cgroup2" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3569): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="/" dev="cgroup2" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cgroup_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3570): avc:  denied  { read } for  pid=4853 comm="systemd-tmpfile" name="cmdline" dev="proc" ino=4026532018 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3570): avc:  denied  { open } for  pid=4853 comm="systemd-tmpfile" path="/proc/cmdline" dev="proc" ino=4026532018 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3571): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/proc/cmdline" dev="proc" ino=4026532018 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3572): avc:  denied  { ioctl } for  pid=4853 comm="systemd-tmpfile" path="/proc/cmdline" dev="proc" ino=4026532018 ioctlcmd=0x5401 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3573): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="socket:[47094]" dev="sockfs" ino=47094 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3574): avc:  denied  { create } for  pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3575): avc:  denied  { getopt } for  pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3576): avc:  denied  { setopt } for  pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc:  denied  { connect } for  pid=4853 comm="systemd-tmpfile" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="journal" dev="tmpfs" ino=55 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:syslogd_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc:  denied  { write } for  pid=4853 comm="systemd-tmpfile" name="socket" dev="tmpfs" ino=57 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:devlog_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1705259838.522:3577): avc:  denied  { sendto } for  pid=4853 comm="systemd-tmpfile" path="/run/systemd/journal/socket" scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3578): avc:  denied  { map } for  pid=4853 comm="systemd-tmpfile" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="contexts" dev="dm-1" ino=138857 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="files" dev="dm-1" ino=138863 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc:  denied  { read } for  pid=4853 comm="systemd-tmpfile" name="file_contexts.subs_dist" dev="dm-1" ino=138865 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3579): avc:  denied  { open } for  pid=4853 comm="systemd-tmpfile" path="/etc/selinux/clip/contexts/files/file_contexts.subs_dist" dev="dm-1" ino=138865 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3580): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/etc/selinux/clip/contexts/files/file_contexts.subs_dist" dev="dm-1" ino=138865 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.523:3581): avc:  denied  { map } for  pid=4853 comm="systemd-tmpfile" path="/etc/selinux/clip/contexts/files/file_contexts.bin" dev="dm-1" ino=131164 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_context_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3582): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/home" dev="dm-8" ino=2 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3583): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="/" dev="dm-8" ino=2 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:home_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3584): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/home/sysadm" dev="dm-8" ino=26 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3585): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="sysadm" dev="dm-8" ino=26 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3586): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/run" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3587): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/run/user" dev="tmpfs" ino=92 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3588): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="user" dev="tmpfs" ino=92 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_runtime_root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3589): avc:  denied  { getattr } for  pid=4853 comm="systemd-tmpfile" path="/run/user/1002" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.524:3590): avc:  denied  { search } for  pid=4853 comm="systemd-tmpfile" name="/" dev="tmpfs" ino=1 scontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tcontext=sysadm_u:object_r:user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.526:3591): avc:  denied  { search } for  pid=4845 comm="systemd" name="4853" dev="proc" ino=29607 scontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705259838.526:3591): avc:  denied  { read } for  pid=4845 comm="systemd" name="comm" dev="proc" ino=47101 scontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705259838.526:3591): avc:  denied  { open } for  pid=4845 comm="systemd" path="/proc/4853/comm" dev="proc" ino=47101 scontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tcontext=sysadm_u:sysadm_r:sysadm_systemd_tmpfiles_t:s0-s0:c0.c1023 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
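The commits above all follow the same workflow: run in permissive mode, collect the AVC denials, and translate each (source type, target type, class, permissions) tuple into policy. The following is an added example, not refpolicy code and not part of any commit on this page. It parses both `type=AVC` and `type=USER_AVC` (D-Bus) records and merges them into candidate rules, keeping track of which denials were seen with `permissive=0`, since those are the ones actually being blocked on an enforcing system. The function names (`parse_avc`, `aggregate`, `derive_allow_rules`) are this example's own; the sample lines are copied from the commit messages above.

```python
import re

# Sample records taken from the commit messages on this page (cockpit-session key
# handling, sudo talking to the sysadm shell socket, and a USER_AVC from dbus-broker).
SAMPLE_AVCS = """\
node=localhost type=AVC msg=audit(1701897597.942:245462): avc:  denied { create } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc:  denied { write } for  pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701976221.478:269623): avc:  denied { read write } for  pid=11016 comm="sudo" path="socket:[138427]" dev="sockfs" ino=138427 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=unix_stream_socket permissive=0
node=localhost type=USER_AVC msg=audit(1701890241.838:133264): pid=1613 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc:  denied  { send_msg } for  scontext=toor_u:staff_r:staff_sudo_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?' UID="dbus" AUID="unset" SAUID="dbus"
"""

# The "avc: denied { perms } ... scontext= tcontext= tclass=" core is shared by kernel
# AVC records and the USER_AVC records that dbus-broker wraps in msg='...'.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def parse_avc(line):
    """Return the denial's type pair, class and permissions, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the range may itself contain ':' (s0-s0:c0.c1023),
    # so index 2 is always the type regardless of MLS/MCS labelling.
    return {
        "perms": sorted(m["perms"].split()),
        "source_type": m["scontext"].split(":")[2],
        "target_type": m["tcontext"].split(":")[2],
        "tclass": m["tclass"],
        "enforcing": m["permissive"] == "0",
    }


def aggregate(lines):
    """Merge permissions per (source, target, class); remember if any hit was enforcing."""
    merged = {}
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue
        key = (d["source_type"], d["target_type"], d["tclass"])
        entry = merged.setdefault(key, {"perms": set(), "enforcing": False})
        entry["perms"].update(d["perms"])
        entry["enforcing"] = entry["enforcing"] or d["enforcing"]
    return merged


def derive_allow_rules(lines):
    """Render one candidate allow rule per tuple; flag the ones seen in enforcing mode."""
    rules = []
    for (src, tgt, cls), entry in sorted(aggregate(lines).items()):
        perms = " ".join(sorted(entry["perms"]))
        rule = f"allow {src} {tgt}:{cls} {{ {perms} }};"
        if entry["enforcing"]:
            rule += "  # seen with permissive=0: blocked on an enforcing system"
        rules.append(rule)
    return rules


if __name__ == "__main__":
    for rule in derive_allow_rules(SAMPLE_AVCS.splitlines()):
        print(rule)
```

The output is a triage list, not something to paste into a module: refpolicy expresses these accesses through interface calls (`<module>_stream_connect()`, `dbus_send_msg()`-style interfaces, etc.) rather than raw `allow` lines, and merging permissions per tuple is exactly how audit2allow over-grants, so each candidate still needs a look at whether the access is legitimate for that domain or whether a `dontaudit` is the right answer.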
Dave Sugar
4bd6277912 Fix denial while cleaning up pidfile symlink
Nov 29 02:15:13 localhost.localdomain audisp-syslog[1698]: node=localhost type=AVC msg=audit(1701224113.540:7569): avc:  denied  { unlink } for  pid=1 comm="systemd" name="key.source" dev="tmpfs" ino=1749 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:cockpit_runtime_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
cc46c3296a SELinux policy for cockpit
Setup domain for cockpit-certificate-ensure
Setup service rules

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:27 -05:00
Dave Sugar
523b279bdf Setup domain for dbus selinux interface
The dbus selinux interface comes from policycoreutils-dbus package

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-17 21:36:05 -05:00
Chris PeBenito
a81eefc3c1
Merge pull request #751 from cgzones/selint
SELint updates
2024-01-16 12:10:29 -05:00
Chris PeBenito
9c3fca3bed
Merge pull request #741 from 0xC0ncord/various-20231217
Various fixes
2024-01-10 14:17:48 -05:00
Kenton Groombridge
0f6361dbc4 kernel: allow delete and setattr on generic SCSI and USB devices
Seen with systemd 255.

type=AVC msg=audit(1702835409.236:64): avc:  denied  { getattr } for  pid=178 comm="kdevtmpfs" path="/bsg/17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:65): avc:  denied  { setattr } for  pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:66): avc:  denied  { unlink } for  pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:69): avc:  denied  { getattr } for  pid=178 comm="kdevtmpfs" path="/bus/usb/001/002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:70): avc:  denied  { setattr } for  pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:71): avc:  denied  { unlink } for  pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
2b672277aa su: various fixes
Fixes for su to allow writing to faillog, lastlog, and wtmp.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
07d5862d2d zfs: dontaudit net_admin capability by zed
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
838ff87b62 zed: allow managing /etc/exports.d/zfs.exports
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
b74dbb649e rpc: add filecon for /etc/exports.d
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
6dfe08a416 systemd: allow networkd to use netlink netfilter sockets
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
a3348800a7 systemd: fixes for systemd-pcrphase
Add new required accesses for systemd-pcrphase and label the new
systemd-pcrextend under the same domain.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
e5a8798485 init: allow all daemons to write to init runtime sockets
Seems to be needed as of systemd 255 for writing to
/run/systemd/private.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
b61f6c2395 udev: allow reading kernel fs sysctls
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:26 -05:00
Kenton Groombridge
9874203ca9 init, systemd: label systemd-executor as init_exec_t
As of systemd 255, services are no longer forked from PID 1 but instead
are spawned by a new systemd-executor helper binary. Label this binary
accordingly and add a rule for systemd user session domains to use it.

Closes: https://github.com/SELinuxProject/refpolicy/issues/732
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-10 13:49:23 -05:00
Dave Sugar
e668e176fb Needed to allow environment variable to the process started (for cockpit)
Dec 05 22:41:49 localhost.localdomain cockpit-tls[7887]: cockpit-tls: $RUNTIME_DIRECTORY environment variable must be set to a private directory
Dec 05 22:41:49 localhost.localdomain systemd[1]: cockpit.service: Main process exited, code=exited, status=1/FAILURE
Dec 05 22:41:49 localhost.localdomain systemd[1]: cockpit.service: Failed with result 'exit-code'.

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-10 11:34:03 -05:00
Christian Göttsche
ee176fe272 devicedisk: reorder optional block
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-01-10 17:02:41 +01:00
Christian Göttsche
babd479760 systemd: reorder optional block
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-01-10 17:02:41 +01:00
Christian Göttsche
4b05e1e9c3 SELint userspace class tweaks
SELint version 1.5 emits issues for missing or unused declarations of
userspace classes:

    init.te:            270: (W): No explicit declaration for userspace class system.  You should access it via interface call or use a require block. (W-001)
    init.te:            312: (W): No explicit declaration for userspace class service.  You should access it via interface call or use a require block. (W-001)
    init.te:           1116: (W): No explicit declaration for userspace class system.  You should access it via interface call or use a require block. (W-001)
    init.te:           1124: (W): No explicit declaration for userspace class service.  You should access it via interface call or use a require block. (W-001)
    init.te:           1132: (W): No explicit declaration for userspace class service.  You should access it via interface call or use a require block. (W-001)
    init.te:           1136: (W): No explicit declaration for userspace class service.  You should access it via interface call or use a require block. (W-001)
    init.te:           1137: (W): No explicit declaration for userspace class service.  You should access it via interface call or use a require block. (W-001)
    unconfined.te:       64: (W): No explicit declaration for userspace class system.  You should access it via interface call or use a require block. (W-001)
    systemd.te:        1250: (W): No explicit declaration for userspace class dbus.  You should access it via interface call or use a require block. (W-001)
    systemd.te:        1377: (W): No explicit declaration for userspace class dbus.  You should access it via interface call or use a require block. (W-001)
    devicekit.te:        56: (W): No explicit declaration for userspace class dbus.  You should access it via interface call or use a require block. (W-001)
    devicekit.te:       157: (W): No explicit declaration for userspace class dbus.  You should access it via interface call or use a require block. (W-001)
    devicekit.te:       297: (W): No explicit declaration for userspace class dbus.  You should access it via interface call or use a require block. (W-001)
    kernel.te:          566: (W): No explicit declaration for userspace class system.  You should access it via interface call or use a require block. (W-001)
    chromium.if:        139: (W): Class dbus is listed in require block but not used in interface (W-003)
    init.if:           1192: (W): Class system is used in interface but not required (W-002)
    init.if:           1210: (W): Class system is used in interface but not required (W-002)
    init.if:           1228: (W): Class system is used in interface but not required (W-002)
    init.if:           1246: (W): Class system is used in interface but not required (W-002)
    init.if:           1264: (W): Class system is used in interface but not required (W-002)
    init.if:           1282: (W): Class system is used in interface but not required (W-002)
    init.if:           1300: (W): Class system is used in interface but not required (W-002)
    init.if:           1318: (W): Class system is used in interface but not required (W-002)
    init.if:           1393: (W): Class bpf is listed in require block but is not a userspace class (W-003)
    unconfined.if:       34: (W): Class service is listed in require block but not used in interface (W-003)
    systemd.if:         144: (W): Class system is used in interface but not required (W-002)
    systemd.if:         159: (W): Class service is used in interface but not required (W-002)
    systemd.if:         160: (W): Class service is used in interface but not required (W-002)
    systemd.if:         413: (W): Class system is used in interface but not required (W-002)
    systemd.if:         437: (W): Class system is used in interface but not required (W-002)
    systemd.if:         461: (W): Class system is used in interface but not required (W-002)
    postgresql.if:       31: (W): Class db_database is listed in require block but not used in interface (W-003)
    postgresql.if:       37: (W): Class db_language is listed in require block but not used in interface (W-003)
    postgresql.if:      465: (W): Class db_database is listed in require block but not used in interface (W-003)
    postgresql.if:      471: (W): Class db_language is listed in require block but not used in interface (W-003)
    xserver.if:         370: (W): Class x_property is listed in require block but not used in interface (W-003)
    Found the following issue counts:
    W-001: 14
    W-002: 14
    W-003: 8

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-01-10 17:02:41 +01:00
Christian Göttsche
36c741c3c3 ci: bump SELint version to 1.5.0
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-01-10 17:02:12 +01:00
Chris PeBenito
45f43ca378
Merge pull request #747 from cgzones/getattr
init: only grant getattr in init_getattr_generic_units_files()
2024-01-09 12:39:11 -05:00
Chris PeBenito
ee0a03efd5
Merge pull request #749 from dsugar100/xguest_systemd
xguest needs 'systemd --user'
2024-01-09 11:48:12 -05:00
Chris PeBenito
66cff3bca2
Merge pull request #748 from dsugar100/firewall_etc_relabel
Firewalld needs to relabel direct.xml.old file
2024-01-09 11:47:37 -05:00
Chris PeBenito
2bd4015c67
Merge pull request #742 from 0xC0ncord/container-fixes
Kubernetes and container fixes, add support for Cilium
2024-01-09 11:46:08 -05:00
Dave Sugar
dc3ccdfafa xguest uses systemd --user
node=localhost type=AVC msg=audit(1703021456.203:565): avc: denied  { search } for  pid=1247 comm="(systemd)" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1703021456.203:565): avc: denied  { link } for  pid=1247 comm="(systemd)" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1703021456.282:694): avc: denied  { create } for  pid=1247 comm="systemd" name="systemd" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1703021456.283:696): avc: denied  { create } for  pid=1247 comm="systemd" name="fifo" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=fifo_file permissive=1
node=localhost type=AVC msg=audit(1703021456.283:697): avc: denied  { create } for  pid=1247 comm="systemd" name="sock" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1703021456.283:698): avc: denied  { create } for  pid=1247 comm="systemd" name="chr" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=chr_file permissive=1
node=localhost type=AVC msg=audit(1703021456.353:812): avc: denied  { create } for  pid=1247 comm="systemd" name="generator" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:object_r:systemd_user_runtime_unit_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1703021456.419:901): avc: denied  { remove_name } for  pid=1247 comm="systemd" name="generator" dev="tmpfs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1703021456.614:2701): avc: denied  { write } for  pid=1247 comm="systemd" name="private" dev="tmpfs" ino=14 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1703021456.643:3029): avc: denied  { create } for  pid=1247 comm="systemd" name="bus" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:object_r:session_dbusd_runtime_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1703021456.644:3032): avc: denied  { write } for  pid=1247 comm="systemd" name="bus" dev="tmpfs" ino=15 scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:object_r:session_dbusd_runtime_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1703021456.645:3047): avc: denied  { create } for  pid=1247 comm="systemd" name=".#invocation:dbus.socket4c7cde17cb0e7a48" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1703021456.645:3048): avc: denied  { remove_name } for  pid=1247 comm="systemd" name=".#invocation:dbus.socket4c7cde17cb0e7a48" dev="tmpfs" ino=16 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1703021456.645:3048): avc: denied  { rename } for  pid=1247 comm="systemd" name=".#invocation:dbus.socket4c7cde17cb0e7a48" dev="tmpfs" ino=16 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1703021456.771:3266): avc: denied  { write } for  pid=1247 comm="systemd" name="notify" dev="tmpfs" ino=38 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_runtime_notify_t:s0 tclass=sock_file permissive=1
node=localhost type=AVC msg=audit(1703021613.118:6433): avc: denied  { create } for  pid=1247 comm="systemd" name=".#invocation:grub-boot-success.service0d86da059b1d9d72" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1703021613.118:6434): avc: denied  { remove_name } for  pid=1247 comm="systemd" name=".#invocation:grub-boot-success.service0d86da059b1d9d72" dev="tmpfs" ino=20 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1703021613.118:6434): avc: denied  { rename } for  pid=1247 comm="systemd" name=".#invocation:grub-boot-success.service0d86da059b1d9d72" dev="tmpfs" ino=20 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1703021613.141:6469): avc: denied  { unlink } for  pid=1247 comm="systemd" name="invocation:grub-boot-success.service" dev="tmpfs" ino=20 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1
node=localhost type=AVC msg=audit(1703021793.226:6636): avc: denied  { unlink } for  pid=1247 comm="systemd" name="invocation:systemd-tmpfiles-clean.service" dev="tmpfs" ino=21 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_user_runtime_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-07 17:37:02 -05:00
Dave Sugar
3d55e918f6 Firewalld needs to relabel direct.xml file
firewalld[1084]: Traceback (most recent call last):
                 File "/usr/lib/python3.9/site-packages/firewall/core/io/direct.py", line 372, in write
                   shutil.copy2(self.filename, "%s.old" % self.filename)
                 File "/usr/lib64/python3.9/shutil.py", line 445, in copy2
                   copystat(src, dst, follow_symlinks=follow_symlinks)
                 File "/usr/lib64/python3.9/shutil.py", line 388, in copystat
                   _copyxattr(src, dst, follow_symlinks=follow)
                 File "/usr/lib64/python3.9/shutil.py", line 338, in _copyxattr
                   os.setxattr(dst, name, value, follow_symlinks=follow_symlinks)
                 PermissionError: [Errno 13] Permission denied: '/etc/firewalld/direct.xml.old'

                 During handling of the above exception, another exception occurred:

                 Traceback (most recent call last):
                 File "/usr/lib/python3.9/site-packages/firewall/server/decorators.py", line 67, in _impl
                   return func(*args, **kwargs)
                 File "/usr/lib/python3.9/site-packages/firewall/server/config.py", line 1429, in update
                   self.config.get_direct().write()
                 File "/usr/lib/python3.9/site-packages/firewall/core/io/direct.py", line 374, in write
                   raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))
                 OSError: Backup of '/etc/firewalld/direct.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/direct.xml.old'
firewalld[1084]: ERROR: Backup of file '/etc/firewalld/zones/data.xml' failed: [Errno 13] Permission denied: '/etc/firewalld/zones/data.xml.old'

node=localhost type=AVC msg=audit(1704599676.613:35145): avc:  denied  { relabelfrom } for  pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1704599677.914:35287): avc:  denied  { relabelfrom } for  pid=1084 comm="firewalld" name="direct.xml.old" dev="dm-0" ino=1180671 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1704599788.714:41689): avc:  denied  { relabelfrom } for  pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1704599788.714:41689): avc:  denied  { relabelto } for  pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-07 17:15:36 -05:00
Christian Göttsche
82f7160a20 init: only grant getattr in init_getattr_generic_units_files()
As the name suggests, only grant the getattr permission in
init_getattr_generic_units_files().
Adjust the only caller to use init_read_generic_units_files() instead.

Reported-by: Laurent Bigonville
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-01-04 20:43:20 +01:00
Kenton Groombridge
a0018e4e85 kubernetes: allow container engines to mount on DRI devices if enabled
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Kenton Groombridge
16323cfce2 container, kubernetes: add support for cilium
Cilium is a Kubernetes CNI powered by BPF. Its daemon pods run as super
privileged containers which require various accesses in order to load
BPF programs and modify the host network.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Kenton Groombridge
d2f413c1b6 container: various fixes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-01-04 09:46:41 -05:00
Chris PeBenito
d4555fd002
Merge pull request #744 from quic-kmeng/main
filesystem: Add type contexts and interface for functionfs
2024-01-04 09:39:39 -05:00
Kai Meng
76951aa43c devices: Add genfscon context for functionfs to mount
When starting adbd from the adb initscript, there is a command like:
mount -o uid=2000,gid=2000 -t functionfs adb /dev/usb-ffs/adb

which causes the denial below because the functionfs related contexts are missing.

avc:  denied  { mount } for  pid=346 comm="mount" name="/"
dev="functionfs" ino=17700 scontext=system_u:system_r:mount_t:s0
tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1

Signed-off-by: Kai Meng <quic_kmeng@quicinc.com>
2024-01-04 14:29:02 +08:00
Chris PeBenito
e7cdbe3f5b
Merge pull request #743 from dsugar100/dbus_fixes
Dbus fixes
2024-01-03 10:56:24 -05:00
Chris PeBenito
14a6144733
Merge pull request #746 from yizhao1/cryptsetup
fix some contexts
2024-01-03 10:55:40 -05:00
Yi Zhao
249263f7c4 container: set context for /run/crun
/run/crun is the runtime directory for crun.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-01-03 19:18:41 +08:00
Yi Zhao
96cb5e6304 lvm: set context for /run/cryptsetup
* Set context for /run/cryptsetup created by systemd-cryptsetup.
* Remove duplicate line 'fs_getattr_cgroup(lvm_t)'.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-01-03 19:17:24 +08:00
Dave Sugar
58e4c9a36f dbus changes
dbus needs to map security_t files
private type ($1_dbus_tmpfs_t) for files created on tmpfs

Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: avc: could not open selinux status page: 13 (Permission denied)
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: ERROR bus_selinux_init_global @ ../src/util/selinux.c +336: Permission denied
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +285
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1927]: main @ ../src/broker/main.c +295
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: ERROR service_add @ ../src/launch/service.c +921: Transport endpoint is not connected
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_add_services @ ../src/launch/launcher.c +804
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: launcher_run @ ../src/launch/launcher.c +1409
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: run @ ../src/launch/main.c +152
Dec 20 18:18:15 localhost.localdomain audisp-syslog[1585]: node=localhost type=AVC msg=audit(1703096295.282:5058): avc:  denied  { map } for  pid=1927 comm="dbus-broker" path="/sys/fs/selinux/status" dev="selinuxfs" ino=19 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:security_t:s0 tclass=file permissive=0

Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: main @ ../src/launch/main.c +178
Dec 20 18:18:15 localhost.localdomain dbus-broker-launch[1926]: Exiting due to fatal error: -107
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Main process exited, code=exited, status=1/FAILURE
Dec 20 18:18:15 localhost.localdomain systemd[1824]: dbus-broker.service: Failed with result 'exit-code'.

node=localhost type=AVC msg=audit(1703095496.614:486): avc:  denied  { write } for  pid=1838 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc:  denied  { map } for  pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:487): avc:  denied  { read } for  pid=1838 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7369): avc:  denied  { write } for  pid=1839 comm="dbus-broker" name="memfd:dbus-broker-log" dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc:  denied  { map } for  pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095554.440:7370): avc:  denied  { read } for  pid=1839 comm="dbus-broker" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=2057 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7632): avc:  denied  { write } for  pid=2394 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc:  denied  { map } for  pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703096160.845:7633): avc:  denied  { read } for  pid=2394 comm="dbus-broker-lau" path=2F6D656D66643A646275732D62726F6B65722D6C6F67202864656C6574656429 dev="tmpfs" ino=3077 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=toor_u:object_r:tmpfs_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-02 15:18:55 -05:00
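The xguest, firewalld and dbus commits above each start from a batch of AVC records collected in permissive mode and end in a policy change. The script below is an added example, not code from refpolicy or from any of these commits: it parses audit(8) AVC records of the shape quoted in those commit messages, groups them by source type, target type and object class, and prints the raw allow rule each group implies, flagging the two cases where a plain allow is probably the wrong answer. The sample input is six records copied from the commits on this page; the GENERIC_TARGET_TYPES set is a heuristic of this example, not a refpolicy convention.

```python
"""Summarise SELinux AVC denials into candidate TE rules (added example)."""
import re
from collections import defaultdict

# Sample input: six records taken from the xguest, firewalld and dbus commits
# quoted on this page, one record per line.
SAMPLE_AVC = """\
node=localhost type=AVC msg=audit(1703021456.203:565): avc: denied  { search } for  pid=1247 comm="(systemd)" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1703021456.203:565): avc: denied  { link } for  pid=1247 comm="(systemd)" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:xguest_r:xguest_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1703021456.282:694): avc: denied  { create } for  pid=1247 comm="systemd" name="systemd" scontext=system_u:system_r:init_t:s0 tcontext=xguest_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1704599676.613:35145): avc:  denied  { relabelfrom } for  pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1704599788.714:41689): avc:  denied  { relabelto } for  pid=1084 comm="firewalld" name="data.xml.old" dev="dm-0" ino=1180472 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:firewalld_etc_rw_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1703095496.614:486): avc:  denied  { write } for  pid=1838 comm="dbus-broker-lau" name="memfd:dbus-broker-log" dev="tmpfs" ino=1026 scontext=user_u:user_r:user_dbusd_t:s0 tcontext=user_u:object_r:tmpfs_t:s0 tclass=file permissive=1
"""

# Heuristic chosen for this example (an assumption, not refpolicy policy): a
# denial against one of these generic target types usually wants a private
# type, a file transition or a genfscon/fcontext entry, not a raw allow.
GENERIC_TARGET_TYPES = {"tmpfs_t", "unlabeled_t"}

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return perms, source/target types, class and permissive flag, or None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return {
        "perms": set(m.group("perms").split()),
        # user:role:type[:range] -> index 2 is the type even with an MLS range
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
        "comm": fields.get("comm", ""),
    }


def summarize(text):
    """Group denials by (stype, ttype, tclass), merging their permissions."""
    groups = defaultdict(lambda: {"perms": set(), "comms": set(), "enforcing_hits": 0})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        g = groups[(rec["stype"], rec["ttype"], rec["tclass"])]
        g["perms"] |= rec["perms"]
        g["comms"].add(rec["comm"])
        if not rec["permissive"]:
            g["enforcing_hits"] += 1  # access really failed: enforcing mode
    return dict(groups)


def render_allow_rules(groups):
    """One candidate TE rule per group, caveats appended as trailing comments."""
    rules = []
    for (stype, ttype, tclass), g in sorted(groups.items()):
        perms = " ".join(sorted(g["perms"]))
        if len(g["perms"]) > 1:
            perms = "{ %s }" % perms
        rule = "allow %s %s:%s %s;" % (stype, ttype, tclass, perms)
        notes = []
        if ttype in GENERIC_TARGET_TYPES:
            notes.append("generic target type: prefer a private type or file transition")
        if g["enforcing_hits"]:
            notes.append("seen with permissive=0: process stopped early, list may be incomplete")
        if notes:
            rule += "  # " + "; ".join(notes)
        rules.append(rule)
    return rules


if __name__ == "__main__":
    for r in render_allow_rules(summarize(SAMPLE_AVC)):
        print(r)
```

The output is only a starting point: a denial recorded with permissive=0 means the operation failed and the program may never have reached the next access it needs, so the permission list is incomplete until the domain is re-run permissive. The rules are raw TE syntax; in refpolicy the fix lands as interface calls in the module, and several of the commits on this page show that the right fix is not an allow at all (a relabel permission on firewalld_etc_rw_t, a private $1_dbus_tmpfs_t type for the dbus-broker memfd, a genfscon entry for functionfs).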
Chris PeBenito
d393e36e49
Merge pull request #745 from cgzones/main
git: add fcontext for default binary
2024-01-02 14:27:42 -05:00
Christian Göttsche
86d9a00e7f git: add fcontext for default binary
Avoid relabel loops if the helper binaries are hardlinked:

    $ restorecon -vRF -T0 /usr/libexec/
    Relabeled /usr/libexec/git-core/git from system_u:object_r:git_exec_t to system_u:object_r:bin_t
    Relabeled /usr/libexec/git-core/git-rev-parse from system_u:object_r:bin_t to system_u:object_r:git_exec_t
    Relabeled /usr/libexec/git-core/git-fsmonitor--daemon from system_u:object_r:bin_t to system_u:object_r:git_exec_t

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2023-12-28 17:52:08 +01:00
Dave Sugar
2680abe1f8 Allow dbus-broker-launch to execute in same domain
node=localhost type=AVC msg=audit(1703080976.876:873613): avc:  denied { execute_no_trans } for  pid=6840 comm="dbus-broker-lau" path="/usr/bin/dbus-broker" dev="dm-1" ino=16361 scontext=toor_u:staff_r:staff_dbusd_t:s0 tcontext=system_u:object_r:dbusd_exec_t:s0 tclass=file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-12-20 14:49:39 -05:00
Dave Sugar
dd21a7724a Changes needed for dbus-broker-launch
node=localhost type=AVC msg=audit(1701877079.240:52506): avc:  denied  { read } for  pid=7055 comm="dbus-broker-lau" name="machine-id" dev="dm-1" ino=131423 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701877079.240:52506): avc:  denied  { open } for  pid=7055 comm="dbus-broker-lau" path="/etc/machine-id" dev="dm-1" ino=131423 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1701877079.244:52520): avc:  denied  { connectto } for  pid=7054 comm="dbus-broker-lau" path="/run/user/1001/bus" scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc:  denied  { sendto } for  pid=7054 comm="dbus-broker-lau" path="/run/user/1001/systemd/notify" scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_systemd_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc:  denied  { search } for  pid=7054 comm="dbus-broker-lau" name="systemd" dev="tmpfs" ino=2 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_user_runtime_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1701877079.239:52504): avc:  denied  { write } for  pid=7054 comm="dbus-broker-lau" name="notify" dev="tmpfs" ino=13 scontext=staff_u:staff_r:staff_dbusd_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:systemd_user_runtime_notify_t:s0 tclass=sock_file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-12-20 14:48:54 -05:00