Yi Zhao
75492f95f7
systemd: make xdg optional
...
Make xdg optional to avoid a potential build error.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-07-12 19:23:06 +08:00
Chris PeBenito
6cacc4871a
Merge pull request #791 from pebenito/quic_nakella-bluetoothctl
...
Setting bluetooth helper domain for bluetoothctl
2024-07-01 15:24:37 -04:00
Chris PeBenito
b3c272d6ac
Merge pull request #790 from pebenito/quic_rbujala-pulseaudio
...
Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets.
2024-07-01 15:17:54 -04:00
Chris PeBenito
73c2c68ee7
Merge pull request #789 from yizhao1/update
...
userdomain: allow administrative user to get attributes of shadow his…
2024-07-01 15:12:24 -04:00
Naga Bhavani Akella
b57b6005c5
Setting bluetooth helper domain for bluetoothctl
...
Required for fixing the below avc denials -
1. audit: type=1400 audit(1651238006.276:496):
avc: denied { read write } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
2. audit: type=1400 audit(1651238006.276:497):
avc: denied { getattr } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
3. audit: type=1400 audit(1651238006.272:495):
avc: denied { read write } for pid=689 comm="dbus-daemon"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
4. audit[1894]: AVC avc: denied { read write } for pid=1894
comm="bluetoothctl" path="/dev/pts/0" dev="devpts" ino=3
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:object_r:initrc_devpts_t:s0
tclass=chr_file permissive=0
5. audit[2022]: AVC avc: denied { use } for pid=2022
comm="bluetoothctl" path="socket:[25769]" dev="sockfs" ino=25769
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
6. audit[2006]: AVC avc: denied { read write } for pid=2006
comm="bluetoothctl" path="socket:[21106]" dev="sockfs" ino=21106
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=0
Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
2024-07-01 14:48:07 -04:00
Raghavender Reddy Bujala
30f451d6a4
Adding Sepolicy rules to allow pulseaudio to access bluetooth sockets.
...
pulseaudio uses bluetooth sockets for HFP-AG and
HSP-HS profile to do SLC and SCO connection with
remote.
avc: denied { create } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { bind } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { listen } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { accept } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { getopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { setopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { read } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { write } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { shutdown } for pid=137606 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { connect } for pid=137606 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
Signed-off-by: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>
2024-07-01 14:46:40 -04:00
Yi Zhao
5f7f494d19
userdomain: allow administrative user to get attributes of shadow history file
...
Before the patch:
root@qemux86-64:~# ls -lZ /etc/security/opasswd
-?????????? ? ? ? ? ? ? /etc/security/opasswd
After the patch:
root@qemux86-64:~# ls -lZ /etc/security/opasswd
-rw-------. 1 root root user_u:object_r:shadow_history_t 237 Jun 30 12:03 /etc/security/opasswd
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-06-30 22:27:12 +08:00
Chris PeBenito
7c797909a2
Merge pull request #787 from 0xC0ncord/various/20240515
...
Various fixes
2024-06-28 13:25:54 -04:00
Kenton Groombridge
0126cb1e66
node_exporter: allow reading RPC sysctls
...
For NFS mounts.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 12:21:42 -04:00
Kenton Groombridge
9c90f9f7d9
asterisk: allow reading certbot lib
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 12:21:42 -04:00
Kenton Groombridge
bfcaec9bab
postfix: allow postfix pipe to watch mail spool
...
type=AVC msg=audit(1719451104.395:18364): avc: denied { watch } for pid=288883 comm="deliver" path="/var/spool/mail/domains/concord.sh/me@concord.sh/mail/dovecot-uidlist.lock" dev="dm-0" ino=17638966 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 12:21:42 -04:00
Kenton Groombridge
06a80c3d8a
netutils: allow ping to read net sysctls
...
ping will check whether IPv6 is disabled.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 12:21:42 -04:00
Kenton Groombridge
2e0509c9e7
node_exporter: allow reading localization
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 12:21:42 -04:00
Kenton Groombridge
50a8cddd10
container: allow containers to execute tmpfs files
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 12:21:41 -04:00
Chris PeBenito
ae71af8b4f
Merge pull request #786 from 0xC0ncord/haproxy
...
Initial policy for haproxy
2024-06-28 11:34:45 -04:00
Chris PeBenito
790ab4ee96
Merge pull request #788 from freedom1b2830/main
...
C-005 Cleanup (Reorder perms and classes)(rebased)
2024-06-28 10:51:32 -04:00
Kenton Groombridge
09a747a16d
sysadm: make haproxy admin
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:52:40 -04:00
Kenton Groombridge
c8c3ae2cba
haproxy: initial policy
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:52:37 -04:00
Kenton Groombridge
4e97f87cee
init: use pidfds from local login
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
7fd9032d88
dbus, init: add interface for pidfd usage
...
Commit 4e7511f4a
previously added access for init to use DBUS system bus
file descriptors while the intended access was for pidfds. Add an
interface for pidfd usage so that when pidfds are eventually handled
separately from regular fds, this interface can be adjusted.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
a6d6921a9c
asterisk: allow watching spool dirs
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
72c1d912ff
su, sudo: allow sudo to signal all su domains
...
sudo sends a SIGWINCH to child processes when invoked. If an
administrator uses sudo in the fashion of "sudo su - root", sudo will
send a signal to the corresponding su process.
type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74
type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=AVC msg=audit(1715721229.386:293930): avc: denied { signal } for pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
8b31782480
sudo: allow systemd-logind to read cgroup state of sudo
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
871f0b0dd7
postfix: allow smtpd to mmap SASL keytab files
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
578375480d
sysnetwork: allow ifconfig to read usr files
...
ip wants to read files in /usr/share/iproute2.
type=AVC msg=audit(1715785441.968:297208): avc: denied { read } for pid=3559095 comm="ip" name="group" dev="dm-1" ino=1075055 scontext=staff_u:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
Kenton Groombridge
6916e9b20c
systemd: allow systemd-logind to use sshd pidfds
...
This is to avoid a long timeout in pam_systemd when logging on. This is
the second half of the fix described in
ddc6ac493c
.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-06-28 09:36:57 -04:00
freedom1b2830
96ebb7c4e0
Reorder perms and classes
...
Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com>
2024-06-28 05:37:18 +00:00
Chris PeBenito
eca307c232
Merge pull request #785 from pebenito/sediff
...
tests.yml: Add policy diff on PRs.
2024-06-27 09:59:38 -04:00
Chris PeBenito
cb68df0873
tests.yml: Add policy diff on PRs.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2024-06-27 09:32:25 -04:00
Chris PeBenito
99258825ce
tests.yml: Divide into reusable workflows.
...
Keep artifacts from each to allow analysis when there are failures.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2024-06-27 09:31:38 -04:00
freedom1b2830
1e4b689301
Reorder perms and classes
...
Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com>
2024-06-16 15:41:05 +00:00
Chris PeBenito
04eca2fa9b
Merge pull request #770 from pebenito/systemd-analyze
...
Misc fixes
2024-06-06 12:07:27 -04:00
Chris PeBenito
c920fc5d9e
Merge pull request #781 from yizhao1/selinuxutil
...
selinuxutil: make policykit optional
2024-06-05 19:48:02 -04:00
Chris PeBenito
c963ddfae0
Merge pull request #782 from pebenito/quic_amisjain-bt-uhid
...
Sepolicy changes for bluez to access uhid
2024-06-05 19:42:16 -04:00
Chris PeBenito
2102055d4d
devices: Change dev_rw_uhid() to use a policy pattern.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2024-06-05 15:26:56 -04:00
Chris PeBenito
1cbe455a5e
device: Move dev_rw_uhid definition.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2024-06-05 15:25:24 -04:00
Amisha Jain
7a33b4bc87
Sepolicy changes for bluez to access uhid
...
Resolve selinux premission for HID
Below avc denials that are fixed with this patch -
avc: denied { read write } for pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Amisha Jain <quic_amisjain@quicinc.com>
2024-06-05 14:50:39 -04:00
Yi Zhao
c6dd4087de
selinuxutil: make policykit optional
...
Make policykit optional to avoid a potential build error.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-06-05 10:52:34 +08:00
Chris PeBenito
d53aa53110
Merge pull request #779 from yizhao1/fixes
...
Fixes for dhcpcd and newrole
2024-06-04 10:05:54 -04:00
Chris PeBenito
50a1ee7e9c
Merge pull request #780 from pebenito/quic_nakella-gatt
...
Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.
2024-06-04 09:54:45 -04:00
Yi Zhao
10feb47e55
newrole: allow newrole to search faillock runtime directory
...
Allow newrole to search the /run/faillock directory, otherwise the
faillock mechanism will not work for neworle.
Before the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
After the patch (pam faillock deny=3):
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
Password:
newrole: incorrect password for root
root@intel-x86-64:~# newrole -r sysadm_r
The account is locked due to 3 failed logins.
(1 minute left to unlock)
Password:
Fixes:
avc: denied { search } for pid=508 comm="newrole" name="faillock"
dev="tmpfs" ino=582 scontext=root:sysadm_r:newrole_t:s0-s15:c0.c1023
tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-06-04 21:18:58 +08:00
Yi Zhao
bf34d3e5e8
sysnetwork: fixes for dhcpcd
...
Allow dhcpcd to create netlink socket and read files under /run/udev/.
Fixes:
avc: denied { search } for pid=393 comm="dhcpcd" name="udev" dev="tmpfs"
ino=49 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=1
avc: denied { create } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1
avc: denied { getopt } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1
avc: denied { setopt } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1
avc: denied { bind } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1
avc: denied { getattr } for pid=393 comm="dhcpcd"
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1
avc: denied { read } for pid=393 comm="dhcpcd" name="n1" dev="tmpfs"
ino=222 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
avc: denied { open } for pid=393 comm="dhcpcd" path="/run/udev/data/n1"
dev="tmpfs" ino=222 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
avc: denied { getattr } for pid=393 comm="dhcpcd"
path="/run/udev/data/n1" dev="tmpfs" ino=222
scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023
tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-06-04 21:12:36 +08:00
Naga Bhavani Akella
4663e613f0
Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets.
...
Required for using acquire-notify, acquire-write options (Gatt Client)
and Sending notifications (Gatt Server)
Below are the avc denials that are fixed with this patch -
1. audit: type=1400 audit(315966559.395:444):
avc: denied { use } for pid=710 comm="dbus-daemon"
path="socket:[13196]" dev="sockfs" ino=13196
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
2. audit: type=1400 audit(315999854.939:523):
avc: denied { read write } for pid=812 comm="dbus-daemon"
path="socket:[99469]" dev="sockfs" ino=99469
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=bluetooth_socket permissive=1
Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2024-06-04 09:08:18 -04:00
Chris PeBenito
af26e63697
Merge pull request #778 from 0xC0ncord/various-20240506
...
Various fixes
2024-05-13 08:38:14 -04:00
Kenton Groombridge
27602a932b
various: various fixes
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:37 -04:00
Kenton Groombridge
63d50bbaa3
container, crio, kubernetes: minor fixes
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:37 -04:00
Kenton Groombridge
11e729e273
container, podman: various fixes
...
Various fixes for containers and podman, mostly centered around quadlet
and netavark updates.
One particular change which may stand out is allowing podman_conmon_t to
IOCTL container_file_t files. I wish I could know why this was hit, but
I don't. The relevant AVC is:
type=PROCTITLE msg=audit(1704734027.100:15951872): proctitle=2F7573722F6C6962657865632F706F646D616E2F636F6E6D6F6E002D2D6170692D76657273696F6E0031002D630038316432646439333738336637626231346134326463396635333163663533323864653337633838663330383466316634613036616464366163393035666337002D75003831643264643933373833663762
type=EXECVE msg=audit(1704734027.100:15951872): argc=93 a0="/usr/libexec/podman/conmon" a1="--api-version" a2="1" a3="-c" a4="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a5="-u" a6="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7" a7="-r" a8="/usr/bin/crun" a9="-b" a10="/var/lib/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata" a11="-p" a12="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/pidfile" a13="-n" a14="harbor-core-pod-core" a15="--exit-dir" a16="/run/libpod/exits" a17="--full-attach" a18="-s" a19="-l" a20="journald" a21="--log-level" a22="warning" a23="--syslog" a24="--runtime-arg" a25="--log-format=json" a26="--runtime-arg" a27="--log" a28="--runtime-arg=/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/oci-log" a29="--conmon-pidfile" a30="/run/containers/storage/overlay-containers/81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7/userdata/conmon.pid" a31="--exit-command" a32="/usr/bin/podman" a33="--exit-command-arg" a34="--root" a35="--exit-command-arg" a36="/var/lib/containers/storage" a37="--exit-command-arg" a38="--runroot" a39="--exit-command-arg" a40="/run/containers/storage" a41="--exit-command-arg" a42="--log-level" a43="--exit-command-arg" a44="warning" a45="--exit-command-arg" a46="--cgroup-manager" a47="--exit-command-arg" a48="systemd" a49="--exit-command-arg" a50="--tmpdir" a51="--exit-command-arg" a52="/run/libpod" a53="--exit-command-arg" a54="--network-config-dir" a55="--exit-command-arg" a56="" a57="--exit-command-arg" a58="--network-backend" a59="--exit-command-arg" a60="netavark" a61="--exit-command-arg" a62="--volumepath" a63="--exit-command-arg" a64="/var/lib/containers/storage/volumes" a65="--exit-command-arg" a66="--db-backend" a67="--exit-command-arg" a68="sqlite" a69="--exit-command-arg" a70="--transient-store=false" a71="--exit-command-arg" a72="--runtime" a73="--exit-command-arg" a74="crun" a75="--exit-command-arg" a76="--storage-driver" a77="--exit-command-arg" a78="overlay" a79="--exit-command-arg" a80="--storage-opt" a81="--exit-command-arg" a82="overlay.mountopt=nodev" a83="--exit-command-arg" a84="--events-backend" a85="--exit-command-arg" a86="journald" a87="--exit-command-arg" a88="container" a89="--exit-command-arg" a90="cleanup" a91="--exit-command-arg" a92="81d2dd93783f7bb14a42dc9f531cf5328de37c88f3084f1f4a06add6ac905fc7"
type=SYSCALL msg=audit(1704734027.100:15951872): arch=c000003e syscall=59 success=yes exit=0 a0=c000698020 a1=c0005ea600 a2=c000820d20 a3=0 items=0 ppid=3434178 pid=3434219 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="conmon" exe="/usr/bin/conmon" subj=system_u:system_r:podman_conmon_t:s0 key=(null)
type=AVC msg=audit(1704734027.100:15951872): avc: denied { ioctl } for pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00
Kenton Groombridge
ef5954a0e9
systemd: allow systemd-sysctl to search tmpfs
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00
Kenton Groombridge
472e0442e7
container: allow containers to getcap
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00
Kenton Groombridge
7876e51510
container: allow system container engines to mmap runtime files
...
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-05-09 10:13:29 -04:00