Commit Graph

4979 Commits

Author SHA1 Message Date
Chris PeBenito
34afd8343c cloud-init: Change udev rules
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
758f819529 cloud-init: Add systemd permissions.
Additional access for controlling systemd units and logind dbus chat.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
7213dcf3a7 cloud-init: Allow use of sudo in runcmd.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
2e981f1790 chronyd: Read /dev/urandom.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
2e3cb74315 unconfined: Add remaining watch_* permissions.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
92587eddb3 usermanage: Handle symlinks in /usr/share/cracklib.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
0b77fe85c6 kdump: Fixes from testing kdumpctl.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
14b555b02b cloudinit: Add support for installing RPMs and setting passwords.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
e5dc0d6a36 files: Handle symlinks for /media and /srv.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
5df7c1e4b6 usermanage: Add sysctl access for groupadd to get number of groups.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
4d57ab1efb sysnetwork: ifconfig searches debugfs.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
df179e7f85 selinuxutil: Semanage reads policy for export.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
13574c3d4d init: Allow nnp/nosuid transitions from systemd initrc_t.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
45f5a5a8e0 rpm: Minor fixes
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
59136d8a7c systemd: Minor coredump fixes.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
21d7f4415e Container: Minor fixes from interactive container use.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
86bea43c43 kernel: hv_utils shutdown on systemd systems.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
d1ec6f1b9f systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
56e33b7e42 domain: Manage own fds.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-02-21 16:45:39 -05:00
Kenton Groombridge
1c534f04b5 kubernetes: allow kubelet to apply fsGroup to persistent volumes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:33:39 -05:00
Kenton Groombridge
fa3cf4f197 container: allow spc to map kubernetes runtime files
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:33:39 -05:00
Kenton Groombridge
fb548b6a72 crio: allow reading container home content
CRI-O will read container registry configuration data from the running
user's home (root) and will abort if unable to do so.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:37 -05:00
Kenton Groombridge
4634f7a0fe systemd: allow systemd generator to list exports
This is needed now that /etc/exports.d is labeled appropriately.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:37 -05:00
Kenton Groombridge
22b65cba5e dbus: allow the system bus to get the status of generic units
dbus-broker checks the status of systemd-logind.

type=USER_AVC msg=audit(1705109503.237:123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=101 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:37 -05:00
Kenton Groombridge
6d5271cb18 rpc: fix not labeling exports.d directory
Fix the filecon for /etc/exports.d to also label the directory itself.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:24 -05:00
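The labeling defect behind 6d5271cb18, and the follow-on access in 4634f7a0fe, as an added illustration that is not refpolicy or libselinux code: a file_contexts pattern whose `/.*` suffix is mandatory labels everything under /etc/exports.d but never the directory itself, which then keeps the generic /etc label. The entries, paths and context strings below are constructed for the example; the lookup follows libselinux's rule that the last matching entry wins.

```python
"""File-context lookup with last-match-wins, illustrating the exports.d fix.

Added illustration for this commit log; not refpolicy or libselinux code.
The entries are constructed in file_contexts style to show the defect fixed
in 6d5271cb18: a pattern ending in a mandatory "/.*" labels the contents of
/etc/exports.d but not the directory itself, which therefore stays etc_t and
cannot be searched by a domain that is only allowed exports_t (4634f7a0fe).
"""
import re
from typing import Optional

# Constructed entries: (regex over the full path, context). As in libselinux,
# the last matching entry wins, so specific rules follow general ones.
ENTRIES_BEFORE = [
    (r"/etc(/.*)?",            "system_u:object_r:etc_t:s0"),
    (r"/etc/exports",          "system_u:object_r:exports_t:s0"),
    (r"/etc/exports\.d/.*",    "system_u:object_r:exports_t:s0"),  # misses the dir itself
]
ENTRIES_AFTER = [
    (r"/etc(/.*)?",            "system_u:object_r:etc_t:s0"),
    (r"/etc/exports",          "system_u:object_r:exports_t:s0"),
    (r"/etc/exports\.d(/.*)?", "system_u:object_r:exports_t:s0"),  # dir and its contents
]


def lookup(entries, path: str) -> Optional[str]:
    """Context of the last entry whose regex matches the whole path, or None."""
    context = None
    for pattern, ctx in entries:
        if re.fullmatch(pattern, path):
            context = ctx
    return context


def label_types(entries, paths):
    """Map each path to the type field of its resolved context ('<<none>>' if unmatched)."""
    out = {}
    for p in paths:
        ctx = lookup(entries, p)
        out[p] = ctx.split(":")[2] if ctx else "<<none>>"
    return out


def mislabeled(before, after, paths):
    """Paths whose label differs between two file_contexts sets: what a
    restorecon -nv run reports after installing the corrected policy."""
    b, a = label_types(before, paths), label_types(after, paths)
    return {p: (b[p], a[p]) for p in paths if b[p] != a[p]}


# Constructed paths; zfs.exports follows the name seen in fbbed63769.
PATHS = ["/etc/exports", "/etc/exports.d", "/etc/exports.d/zfs.exports", "/etc/fstab"]

if __name__ == "__main__":
    for path, (old, new) in mislabeled(ENTRIES_BEFORE, ENTRIES_AFTER, PATHS).items():
        print(f"{path}: {old} -> {new}")
```

Running it reports the single path whose label flips, /etc/exports.d from etc_t to exports_t; on a live system `restorecon -nv /etc` gives the same answer after the rebuilt file contexts are installed. The `(/.*)?` form is the refpolicy convention for "a directory and everything beneath it".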
Kenton Groombridge
f0fc6cd236 bootloader, init, udev: misc minor fixes
Resolve these AVCs seen during early boot with systemd 255:

Jan 12 15:42:02 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092122.714:4): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0

Jan 12 15:42:03 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092123.656:7): avc:  denied  { setrlimit } for  pid=2578 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=process permissive=0

Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.960:9): avc:  denied  { write } for  pid=2629 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.961:10): avc:  denied  { write } for  pid=2629 comm="sysctl" name="nlm_udpport" dev="proc" ino=31905 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.963:11): avc:  denied  { write } for  pid=2632 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0

Jan 12 15:42:08 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092128.530:16): avc:  denied  { net_admin } for  pid=3033 comm="bootctl" capability=12  scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:bootloader_t:s0 tclass=capability permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:08 -05:00
Kenton Groombridge
85fc7fda17 systemd: label systemd-tpm2-setup as systemd-pcrphase
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
Kenton Groombridge
4e7511f4ac init: allow using system bus anon pidfs
Seen with systemd 255. This initially did not seem to impact anything,
but after a while I found that the kubernetes kubelet agent would not
start without this access.

type=AVC msg=audit(1705092131.239:37): avc:  denied  { use } for  pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
Kenton Groombridge
29a5cc1abc kernel: allow managing mouse devices
Seen with systemd 255.

type=AVC msg=audit(1705092132.309:64): avc:  denied  { getattr } for  pid=178 comm="kdevtmpfs" path="/input/mouse0" dev="devtmpfs" ino=328 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1705108275.269:52): avc:  denied  { setattr } for  pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1705108275.269:53): avc:  denied  { unlink } for  pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
Kenton Groombridge
fbbed63769 zfs: allow zfs to write to exports
Needed by zfs-mount.service.

type=PROCTITLE msg=audit(1705092131.987:49): proctitle=2F7362696E2F7A6673007368617265002D61
type=SYSCALL msg=audit(1705092131.987:49): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=665f44189eba a2=80042 a3=180 items=0 ppid=1 pid=3082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zfs" exe="/usr/bin/zfs" subj=system_u:system_r:zfs_t:s0 key=(null)
type=AVC msg=audit(1705092131.987:49): avc:  denied  { write } for  pid=3082 comm="zfs" name="zfs.exports.lock" dev="dm-0" ino=1296 scontext=system_u:system_r:zfs_t:s0 tcontext=system_u:object_r:exports_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
Kenton Groombridge
8ef4c98c77 systemd: label systemd-pcrlock as systemd-pcrphase
Label the systemd-pcrlock binary as systemd_pcrphase_exec_t.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:52 -05:00
Kenton Groombridge
29d02c3efa kubernetes: fix kubelet accounting
The kubelet routinely measures metrics and accounting for all
containers which involves calculating resource utilization for both
running containers and the contents of their images on disk.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:25 -05:00
Kenton Groombridge
2912f56e88 container, kubernetes: allow kubernetes to use fuse-overlayfs
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:24 -05:00
Kenton Groombridge
489051ff99 systemd: add policy for systemd-machine-id-setup
systemd-machine-id-setup's role is to commit the host's machine id
to /etc/machine-id. The behavior of this process has changed slightly,
whereby a tmpfs is temporarily created on top of /etc/machine-id during
boot which is then read by systemd-machine-id-setup and written directly
to the underlying file.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:29:43 -05:00
Kenton Groombridge
8b26a7ccf3 init, systemd: allow systemd-pcrphase to write TPM measurements
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:29:43 -05:00
Chris PeBenito
63698fee31 Merge pull request #756 from 0xC0ncord/rook-ceph
Add support for rook-ceph in kubernetes
2024-02-21 14:29:00 -05:00
Chris PeBenito
d11ca7a2b5 Merge pull request #752 from dsugar100/systemd_noatsecure
Needed to allow environment variables to be passed to a started process (for cockpit)
2024-02-21 14:12:29 -05:00
Kenton Groombridge
1305fd7be1 container: add filecons for rook-ceph
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-10 21:10:38 -05:00
Kenton Groombridge
08adc2fadb kernel: dontaudit read fixed disk devices
This is triggered when rook-ceph creates its OSDs.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-09 15:12:00 -05:00
Kenton Groombridge
5ab2cf6a6a container, kubernetes: add support for rook-ceph
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-09 15:11:58 -05:00
Kenton Groombridge
dad409e58b fstools: allow reading container device blk files
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-07 19:20:30 -05:00
Kenton Groombridge
5703d3fdb9 fstools: allow fsadm to ioctl cgroup dirs
When kubelet calls losetup, it will transition to the fsadm_t domain and
need to access block devices in containers.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-07 18:20:35 -05:00
Kenton Groombridge
0bec2f68f7 mount: make mount_runtime_t a kubernetes mountpoint
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-07 18:18:24 -05:00
Yi Zhao
3d565b0a3a udev: fix for systemd-udevd
Fixes:
avc:  denied  { setrlimit } for  pid=194 comm="systemd-udevd"
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=process permissive=0

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-02-04 12:52:54 +08:00
Yi Zhao
9d3513c7fa systemd: allow systemd-rfkill to getopt from uevent sockets
Fixes:
avc:  denied  { getopt } for  pid=313 comm="systemd-rfkill"
scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
tcontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-02-04 11:18:38 +08:00
Yi Zhao
ecc6e3ccde systemd: allow systemd-hostnamed to read machine-id and localization files
Fixes:
avc:  denied  { read } for  pid=533 comm="systemd-hostnam"
name="machine-id" dev="sdb2" ino=196
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1

avc:  denied  { open } for  pid=533 comm="systemd-hostnam"
path="/etc/machine-id" dev="sdb2" ino=196
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1

avc:  denied  { search } for  pid=533 comm="systemd-hostnam"
name="zoneinfo" dev="sdb2" ino=22345
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1

avc:  denied  { read } for  pid=533 comm="systemd-hostnam"
name="Universal" dev="sdb2" ino=22959
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

avc:  denied  { open } for  pid=533 comm="systemd-hostnam"
path="/usr/share/zoneinfo/Universal" dev="sdb2" ino=22959
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

avc:  denied  { getattr } for  pid=533 comm="systemd-hostnam"
path="/usr/share/zoneinfo/Universal" dev="sdb2" ino=22959
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-02-04 11:07:53 +08:00
Dave Sugar
882830d642 Resolve error when cockpit initiate shutdown
node=localhost type=AVC msg=audit(1705937785.855:1258): avc:  denied  { create } for  pid=1741 comm="systemd-logind" name=".#scheduleddAhZqh" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1705937817.548:1268): avc:  denied  { create } for  pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1268): avc:  denied  { read write open } for  pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1269): avc:  denied  { setattr } for  pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1270): avc:  denied  { getattr } for  pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1271): avc:  denied  { rename } for  pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1272): avc:  denied  { write } for  pid=1741 comm="systemd-logind" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1272): avc:  denied  { add_name } for  pid=1741 comm="systemd-logind" name=".#nologin0EGTLr" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1273): avc:  denied  { remove_name } for  pid=1741 comm="systemd-logind" name=".#nologin3EGTLr" dev="tmpfs" ino=1804 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:32:13 -05:00
Dave Sugar
08ea30252e Fix password changing from cockpit login screen
node=localhost type=AVC msg=audit(1705071167.616:1344): avc:  denied  { write } for  pid=6560 comm="cockpit-session" name="etc" dev="dm-1" ino=393220 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1705071268.820:1383): avc:  denied  { write } for  pid=6588 comm="cockpit-session" name="etc" dev="dm-1" ino=393220 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705071268.820:1383): avc:  denied  { add_name } for  pid=6588 comm="cockpit-session" name="nshadow" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705071268.826:1384): avc:  denied  { remove_name } for  pid=6588 comm="cockpit-session" name="nshadow" dev="dm-1" ino=393552 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:32:13 -05:00
Dave Sugar
d80c8f421f Denial during cockpit use
node=localhost type=USER_AVC msg=audit(1702256090.674:226515): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" function="mac_selinux_filter" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=?  terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:32:08 -05:00
Dave Sugar
a95feb6cdd Additional access for systemctl
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc:  denied  { search } for  pid=2071 comm="systemctl" name="kernel" dev="proc" ino=5 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir permissive=1
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc:  denied  { read } for  pid=2071 comm="systemctl" name="cap_last_cap" dev="proc" ino=65 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc:  denied  { open } for  pid=2071 comm="systemctl" path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=65 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
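Most commits in this log quote AVC denials (f0fc6cd236, 22b65cba5e, ecc6e3ccde, 882830d642 and a95feb6cdd among others) and resolve them with policy. The following added example, which is not refpolicy code and not a replacement for audit2allow, shows the mechanical part of that work: parsing kernel AVC and USER_AVC records, dropping MLS ranges from contexts, and merging permissions per (source type, target type, object class) into candidate allow rules. The sample records are copied from the commit messages above; the two systemd-hostnamed records, wrapped in the commit text, are re-joined onto one line each.

```python
"""Merge SELinux AVC denials into candidate allow rules.

Illustration added to this commit log; not refpolicy code and not a
substitute for audit2allow. It does by hand what most commits above did:
group the quoted denials by (source type, target type, object class) and
merge their permission sets. SAMPLE_LINES are copied from commit messages on
this page; wrapped records have been re-joined onto one line.
"""
import re
from collections import defaultdict
from typing import NamedTuple, Optional

# "avc:  denied  { read write open }" -> verdict and permission list
_AVC_RE = re.compile(r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}")
# key=value fields, value either double-quoted or a bare token
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


class Denial(NamedTuple):
    source: str        # type of scontext, e.g. udev_t
    target: str        # type of tcontext, e.g. sysctl_fs_t
    tclass: str        # object class, e.g. file
    perms: frozenset   # permissions denied in this record
    permissive: bool   # True when the access went ahead under permissive mode
    comm: str


def type_of(context: str) -> str:
    """user:role:type[:range] -> type; an MLS range (s0-s15:c0.c1023) is dropped."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]


def parse_avc(line: str) -> Optional[Denial]:
    """Parse one kernel AVC or USER_AVC record; None unless it is a denial."""
    m = _AVC_RE.search(line)
    if m is None or m.group("verdict") != "denied":
        return None
    fields = {}
    # Only fields after the permission block describe the denied access;
    # a USER_AVC also carries pid/uid/subj of the reporting daemon before it.
    for key, raw, quoted in _FIELD_RE.findall(line[m.end():]):
        fields[key] = quoted if raw.startswith('"') else raw.rstrip("'")
    try:
        return Denial(
            source=type_of(fields["scontext"]),
            target=type_of(fields["tcontext"]),
            tclass=fields["tclass"],
            perms=frozenset(m.group("perms").split()),
            permissive=fields.get("permissive") == "1",
            comm=fields.get("comm", "?"),
        )
    except KeyError as e:
        raise ValueError(f"AVC record missing field {e}: {line!r}") from e


def aggregate(lines):
    """{(source, target, tclass): merged permission set} over all denials."""
    merged = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            merged[(d.source, d.target, d.tclass)] |= d.perms
    return dict(merged)


def allow_rules(lines):
    """Render merged denials as allow statements; 'self' when both types match."""
    rules = []
    for (src, tgt, cls), perms in sorted(aggregate(lines).items()):
        plist = " ".join(sorted(perms))
        perm_str = plist if len(perms) == 1 else "{ " + plist + " }"
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {perm_str};")
    return rules


# Copied from the commit messages on this page (f0fc6cd236, 22b65cba5e, ecc6e3ccde).
SAMPLE_LINES = [
    'Jan 12 15:42:02 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092122.714:4): avc:  denied  { create } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0',
    'Jan 12 15:42:03 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092123.656:7): avc:  denied  { setrlimit } for  pid=2578 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=process permissive=0',
    'Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.960:9): avc:  denied  { write } for  pid=2629 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0',
    'Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.961:10): avc:  denied  { write } for  pid=2629 comm="sysctl" name="nlm_udpport" dev="proc" ino=31905 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0',
    'Jan 12 15:42:08 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092128.530:16): avc:  denied  { net_admin } for  pid=3033 comm="bootctl" capability=12  scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:bootloader_t:s0 tclass=capability permissive=0',
    "type=USER_AVC msg=audit(1705109503.237:123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { status } for auid=n/a uid=0 gid=101 path=\"/usr/lib/systemd/system/systemd-logind.service\" cmdline=\"/usr/bin/dbus-broker-launch --scope system --audit\" function=\"reply_unit_path\" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    'avc:  denied  { read } for  pid=533 comm="systemd-hostnam" name="machine-id" dev="sdb2" ino=196 scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1',
    'avc:  denied  { open } for  pid=533 comm="systemd-hostnam" path="/etc/machine-id" dev="sdb2" ino=196 scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023 tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1',
]

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LINES):
        print(rule)
```

The output is a starting point, not the patch. refpolicy expresses access through interfaces exported by the module that owns the target type (a kernel sysctl interface rather than a raw allow on sysctl_fs_t, for instance), so the type stays private to its module; a denial the program tolerates is better answered with a dontaudit rule, as 08adc2fadb does for disk reads; and records with permissive=1 should be read as a set, because in permissive mode the call continues and every later access is logged too, which is why the ecc6e3ccde records list read, open and getattr for the same file where enforcing mode would have stopped at the first.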