Commit Graph

6801 Commits

Author SHA1 Message Date
Guido Trentalancia 37f81bbc80 Fix the recently introduced "logging_syslog_can_network"
tunable policy, by including TCP/IP socket creation
permissions.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/logging.te |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
2023-09-13 15:34:09 +02:00
Guido Trentalancia c032204af3 Introduce a new "logging_syslog_can_network" boolean
and make the net_admin capability as well as all
corenetwork permissions previously granted
to the syslog daemon conditional upon that boolean
being true.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/system/logging.te |   61 +++++++++++++++++++++++----------------
 1 file changed, 36 insertions(+), 25 deletions(-)
2023-09-06 20:53:42 +02:00
Chris PeBenito f3f761c4a8
Merge pull request #631 from dsugar100/label_pwhistory_helper
Label pwhistory_helper
2023-08-18 11:53:50 -04:00
Chris PeBenito 626848ad94
Merge pull request #632 from dsugar100/dbsud_var_lib_symlinks
If domain can read system_dbusd_var_lib_t files, also allow symlinks
2023-08-18 11:48:06 -04:00
Chris PeBenito 46812c0d52
Merge pull request #634 from dsugar100/read_rfkill
systemd-rfkill.socket reads and writes /dev/rfkill (with the ListenSocket= option).
2023-08-18 11:46:51 -04:00
Dave Sugar e0970d55e6 systemd-rfkill.socket reads /dev/rfkill (with the ListenSocket= option).
Need to allow this to open the file so the service starts properly.

node=localhost type=AVC msg=audit(1689883855.890:419): avc:  denied  { open } for  pid=1 comm="systemd" path="/dev/rfkill" dev="devtmpfs" ino=152 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=1
node=localhost type=AVC msg=audit(1689883962.317:408): avc:  denied  { read write } for  pid=1 comm="systemd" name="rfkill" dev="devtmpfs" ino=152 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:wireless_device_t:s0 tclass=chr_file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:52:15 -04:00
Dave Sugar b128e7ea2d If domain can read system_dbusd_var_lib_t files, also allow symlinks
node=localhost type=AVC msg=audit(1689811752.145:511): avc:  denied  { read } for  pid=2622 comm="lightdm-gtk-gre" name="machine-id" dev="dm-10" ino=262170 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0
node=localhost type=AVC msg=audit(1689811752.404:514): avc:  denied  { read } for  pid=2629 comm="at-spi-bus-laun" name="machine-id" dev="dm-10" ino=262170 scontext=system_u:system_r:xdm_t:s0 tcontext=system_u:object_r:system_dbusd_var_lib_t:s0 tclass=lnk_file permissive=0

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:47:08 -04:00
Dave Sugar 9812e9c0ef Label pwhistory_helper
pwhistory_helper is executed by pam_pwhistory (as configured in
/etc/pam.d/system-auth).  It updates /etc/security/opasswd which contains
old passwords.  Label /etc/security/opasswd as shadow_t to control access.

node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { execute } for  pid=2667 comm="passwd" name="pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { read open } for  pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { execute_no_trans } for  pid=2667 comm="passwd" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689391847.287:8989): avc:  denied  { map } for  pid=2667 comm="pwhistory_helpe" path="/usr/sbin/pwhistory_helper" dev="dm-1" ino=402516 scontext=toor_u:staff_r:passwd_t:s0 tcontext=system_u:object_r:updpwd_exec_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-08-16 11:45:13 -04:00
Chris PeBenito 97e35d8845
Merge pull request #626 from dsugar100/main
Allow local login to read /run/motd
2023-08-02 09:36:54 -04:00
Chris PeBenito 90d3f5c339
Merge pull request #619 from 0xC0ncord/container-caps-rework
container: rework capabilities
2023-07-18 14:43:08 -04:00
Dave Sugar a120ea8c25 Allow local login to read /run/motd
node=localhost type=AVC msg=audit(1689384764.155:53945): avc:  denied  { getattr } for  pid=5125 comm="login" path="/run/motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689384764.155:53946): avc:  denied  { read } for  pid=5125 comm="login" name="motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1689384764.155:53946): avc:  denied  { open } for  pid=5125 comm="login" path="/run/motd" dev="tmpfs" ino=1574 scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:object_r:pam_motd_runtime_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-07-18 08:13:43 -04:00
Kenton Groombridge f1e7404baa container: rework capabilities
Rework (primarily) non-namespaced capabilities. These accesses are
leftovers from earlier policy versions before the container module was
introduced that are most likely too coarse for most container
applications.

Put all non-namespaced capability accesses for containers behind
tunables, borrowing ideas from container-selinux. For the more
privileged capabilities (sysadmin, mknod), add a tunable to control both
namespaced and non-namespaced access to these operations.

Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-07-17 09:40:09 -04:00
Chris PeBenito bee1bcb496
Merge pull request #622 from chrisschnei/zram-permission
systemd-generator: systemd_generator_t load kernel modules used for e…
2023-07-11 10:06:15 -04:00
Christian Schneider 26eb377014 systemd-generator: systemd_generator_t load kernel modules used for e.g. zram-generator
Fixes:
avc:  denied  { getsched } for  pid=171 comm="zram-generator" scontext=system_u:system_r:systemd_generator_t tcontext=system_u:system_r:systemd_generator_t tclass=process permissive=1
avc:  denied  { execute } for  pid=173 comm="zram-generator" name="kmod" dev="sda2" ino=17417 scontext=system_u:system_r:systemd_generator_t tcontext=system_u:object_r:kmod_exec_t tclass=file permissive=1

Signed-off-by: Christian Schneider <christian.schneider3@gmx.net>
2023-07-11 09:37:28 +02:00
Chris PeBenito c6424be02d
Merge pull request #623 from fajs/psi_t
Add label and interfaces for kernel PSI files
2023-07-06 10:29:08 -04:00
Florian Schmidt cf09279eab Add label and interfaces for kernel PSI files
The pressure stall information (PSI) special files in /proc/pressure
currently don't have a separate file context, and so default to proc_t.
Since users need read/write permissions to those files to use PSI, and
handing out blanket permissions to proc_t is strongly discouraged,
introduce a new proc_psi_t label, as well as interfaces for it.

Signed-off-by: Florian Schmidt <flosch@nutanix.com>
2023-07-05 15:21:46 +00:00
Chris PeBenito 4370d6bcdf
Merge pull request #625 from rmsc/main
kubernetes: allow kubelet to read /proc/sys/vm files.
2023-07-05 11:07:24 -04:00
Renato Caldas 34cba22df8 kubernetes: allow kubelet to read /proc/sys/vm files.
Kubelet checks the value of '/proc/sys/vm/panic_on_oom' before starting.

Signed-off-by: Renato Caldas <renato@calgera.com>
2023-07-03 20:05:35 +01:00
Chris PeBenito d4e64bb956
Merge pull request #621 from tormath1/tormath1/cilium
container: fix cilium denial
2023-06-21 15:32:33 -04:00
Mathieu Tortuyaux feaf607f3e
container: fix cilium denial
Signed-off-by: Mathieu Tortuyaux <mtortuyaux@microsoft.com>
2023-06-21 09:24:25 +02:00
Chris PeBenito d6b44b9c4f
Merge pull request #620 from 0xC0ncord/chromium-userns
chromium: allow chromium-naclhelper to create user namespaces
2023-06-19 15:22:07 -04:00
Kenton Groombridge 6ac468d24e
chromium: allow chromium-naclhelper to create user namespaces
Closes: https://github.com/SELinuxProject/refpolicy/issues/605
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2023-05-25 16:58:06 -04:00
Chris PeBenito 429b26878b
Merge pull request #607 from bluca/mempressure
Add support for memory pressure notifications protocol
2023-05-18 09:13:34 -04:00
Chris PeBenito 6f8056dd3f
Merge pull request #618 from plsph/zfs_t-blkid
Keep context of blkid file/dir when created by zpool.
2023-05-18 09:13:13 -04:00
Grzegorz Filo 80d52aa4f6 Keep context of blkid file/dir when created by zpool.
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-15 19:33:41 +02:00
Chris PeBenito 8f563f58ea
Merge pull request #615 from plsph/zfs-dir-transition
Dir transition goes with dir create perms.
2023-05-03 09:31:45 -04:00
Chris PeBenito 9ef053d6c5
Merge pull request #614 from plsph/initrc-zfs-config
Allow initrc_t read zfs config files.
2023-05-03 09:27:25 -04:00
Grzegorz Filo d769f31966 Dir transition goes with dir create perms.
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-03 10:54:59 +02:00
Grzegorz Filo 232b4ab271 Shell functions used during boot by initrc_t shall be bin_t and defined in corecommands.fc
Signed-off-by: Grzegorz Filo <gf578@wp.pl>
2023-05-03 09:42:34 +02:00
Chris PeBenito d22e18a3d5
Merge pull request #612 from jcpunk/local-path-provisioner
container: set default context for local-path-provisioner
2023-04-28 16:47:28 -04:00
Pat Riehecky f52070b3cf container: set default context for local-path-provisioner
The kubernetes local-path-provisioner uses either
/opt/local-path-provisioner or
/var/local-path-provisioner for its physical volumes

Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
2023-04-28 15:16:46 -05:00
Chris PeBenito ad527f9f62
Merge pull request #592 from montjoie/update-smart-drivedb
fsadm: add domain for update-smart-drivedb
2023-04-17 10:23:49 -04:00
Chris PeBenito 218c42f592
Merge pull request #608 from montjoie/dovecot
dovecot: add missing permissions
2023-04-17 10:17:53 -04:00
Corentin LABBE ac6b47c71d dovecot: add missing permissions
I use dovecot for IMAP hosting and several rules are missing.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-04-11 10:51:03 +02:00
Corentin LABBE cb068f09d2 smartmon: add domain for update-smart-drivedb
update-smart-drivedb is fsadm_t-like but with access to the network.
Since it does network access and doesn't access any hardware, let's add its own domain.

Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
2023-04-11 10:31:52 +02:00
Chris PeBenito 7831981d0d
Merge pull request #609 from freedom1b2830/master
path marking for vlc(mplayer_t)
2023-04-06 09:41:39 -04:00
Chris PeBenito 7815e4859c
Merge pull request #610 from gtrentalancia/master
pulseaudio: restrict network access
2023-04-06 09:05:02 -04:00
freedom1b2830 a098f2bd52
mplayer:vlc paths
Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com>
2023-04-05 17:07:43 +00:00
Guido Trentalancia 8f7064490d The pulseaudio daemon and client do not normally need to use
the network for most computer systems that need to play and
record audio.

So, network access by pulseaudio should normally be restricted.

This patch restricts all network access by using tunable policy
and a new boolean to control it.

Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
---
 policy/modules/apps/pulseaudio.te |   47 ++++++++++++++++++++++++--------------
 1 file changed, 30 insertions(+), 17 deletions(-)
2023-04-05 16:06:19 +02:00
Luca Boccassi d0d4e8fd73 systemd: allow daemons to access memory.pressure
These services are hooked up to the memory.pressure interface, so
allow them to access the file.

Jan 26 08:12:21 localhost audit[202]: AVC avc:  denied  { getattr } for  pid=202 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[379]: AVC avc:  denied  { getattr } for  pid=379 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1463 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:01 localhost audit[475]: AVC avc:  denied  { getattr } for  pid=475 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1595 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:02 localhost audit[491]: AVC avc:  denied  { getattr } for  pid=491 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:49:02 localhost audit[490]: AVC avc:  denied  { write } for  pid=490 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1826 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[202]: AVC avc:  denied  { getattr } for  pid=202 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[382]: AVC avc:  denied  { getattr } for  pid=382 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1463 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[479]: AVC avc:  denied  { getattr } for  pid=479 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1595 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[493]: AVC avc:  denied  { getattr } for  pid=493 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 10 19:57:56 localhost audit[492]: AVC avc:  denied  { write } for  pid=492 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1826 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[204]: AVC avc:  denied  { getattr } for  pid=204 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=526 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[316]: AVC avc:  denied  { getattr } for  pid=316 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1234 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[359]: AVC avc:  denied  { getattr } for  pid=359 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1564 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[350]: AVC avc:  denied  { write } for  pid=350 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1531 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[203]: AVC avc:  denied  { getattr } for  pid=203 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=526 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[312]: AVC avc:  denied  { getattr } for  pid=312 comm="systemd-resolve" path="/sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure" dev="cgroup2" ino=1234 scontext=system_u:system_r:systemd_resolved_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[351]: AVC avc:  denied  { getattr } for  pid=351 comm="systemd-network" path="/sys/fs/cgroup/system.slice/systemd-networkd.service/memory.pressure" dev="cgroup2" ino=1564 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[342]: AVC avc:  denied  { write } for  pid=342 comm="systemd-logind" name="memory.pressure" dev="cgroup2" ino=1531 scontext=system_u:system_r:systemd_logind_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Jan 26 08:12:21 localhost audit[201]: AVC avc:  denied  { open } for  pid=201 comm="systemd-journal" path="/sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure" dev="cgroup2" ino=557 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0
Mar 13 17:00:57 localhost audit[490]: AVC avc:  denied  { open } for  pid=490 comm="systemd-portabl" path="/sys/fs/cgroup/system.slice/systemd-portabled.service/memory.pressure" dev="cgroup2" ino=1859 scontext=system_u:system_r:systemd_portabled_t tcontext=system_u:object_r:cgroup_t tclass=file permissive=0

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:02:11 +00:00
Luca Boccassi 6ecba6ff80 systemd: also allow to mounton memory.pressure
Mar 15 22:15:35 localhost audit[1607]: AVC avc:  denied  { mounton } for  pid=1607 comm="(esetinfo)" path="/run/systemd/unit-root/sys/fs/cgroup/system.slice/socresetinfo.service/memory.pressure" dev="cgroup2" ino=2522 scontext=system_u:system_r:init_t tcontext=system_u:object_r:memory_pressure_t tclass=file permissive=1

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:00:48 +00:00
Luca Boccassi 6dd2c3bcd1 Add separate label for cgroup's memory.pressure files
Required to enable notifications on memory pressure events; one needs to
write to the file to start receiving them. This will be used by all
systemd daemons, and eventually external daemons that subscribe to the
same interface too.

See: https://github.com/systemd/systemd/blob/main/docs/MEMORY_PRESSURE.md

Signed-off-by: Luca Boccassi <luca.boccassi@microsoft.com>
2023-03-17 13:00:48 +00:00
Chris PeBenito 8e8f5e3ca3
Merge pull request #606 from yizhao1/systemd-resolved
systemd: allow systemd-resolved to search directories on tmpfs and ramfs
2023-03-17 08:40:27 -04:00
Yi Zhao c75a32f2be systemd: allow systemd-resolved to search directories on tmpfs and ramfs
Fixes:
avc:  denied  { search } for  pid=233 comm="systemd-resolve" name="/"
dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=1

avc:  denied  { search } for  pid=233 comm="systemd-resolve" name="/"
dev="ramfs" ino=813 scontext=system_u:system_r:systemd_resolved_t
tcontext=system_u:object_r:ramfs_t tclass=dir permissive=1

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2023-03-15 10:57:55 +08:00
Chris PeBenito 7416ac14f9
Merge pull request #603 from 0xC0ncord/various-20230224
More various fixes
2023-03-13 09:18:13 -04:00
Kenton Groombridge 9b4e8bd875 kubernetes: allow kubelet to read etc runtime files
To read /etc/machine-id.

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge bf546e4c4f glusterfs: allow glusterd to bind to all TCP unreserved ports
Port 32767 seems to be needed by glfs_timer

type=SYSCALL msg=audit(1678151692.991:193): arch=c000003e syscall=49 success=no exit=-13 a0=7 a1=43bc7241350 a2=10 a3=3968 items=0 ppid=1 pid=2401 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="glfs_timer" exe="/usr/bin/glusterfsd" subj=system_u:system_r:glusterd_t:s0 key=(null)
type=AVC msg=audit(1678151692.991:193): avc:  denied  { name_bind } for pid=2401 comm="glfs_timer" src=32767 scontext=system_u:system_r:glusterd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 228e8e3f15 fstools: allow fsadm to read utab
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 6ad1768065 raid: allow mdadm to create generic links in /dev/md
Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00
Kenton Groombridge 69e6c33c46 raid: allow mdadm to read udev runtime files
This fixes this AVC:

avc:  denied  { getattr } for  pid=2238 comm="mdadm" path="/run/udev" dev="tmpfs" ino=52 scontext=system_u:system_r:mdadm_t:s0 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=0

Signed-off-by: Kenton Groombridge <me@concord.sh>
2023-03-10 15:10:59 -05:00