The syslog-ng logger has (build-optional) support for capabilities. If
capabilities support is enabled, running it without setcap/getcap
permissions gives the following upon start:
* Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled;
error='Permission denied' [ ok ]
Granting only setcap (initial AVC seen) does not fully help either:
* Starting syslog-ng ...
Error managing capability set, cap_set_proc returned an error;
With setcap and getcap enabled, syslog-ng starts and functions fine.
See also https://bugs.gentoo.org/show_bug.cgi?id=488718
Reported-by: Vincent Brillault <gentoo@lerya.net>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
With new userspace, trying to build a SELinux policy (and load it)
fails:
~# semodule -B
libsemanage.semanage_install_active: Unable to create sybolic link from
/etc/selinux/mcs/modules/active/policy.kern to
/etc/selinux/mcs/policy/policy.28 error code 0. (Permission denied).
AVC shows a denial for the semodule command, running as semanage_t,
trying to create a lnk_file in semanage_module_t.
In debian mount was trying to list / on a tmpfs (/run/lock). Since
var_lock_t is a mountpoint type, and so is mnt_t, i decided to implement
a files_list_all_mountpoints() and call that for mount because it makes
sense
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
udevadm wants to create files in /run/udev/data. It writes to udev_tbl_t
directories
udev_t runs udisks-lvm-pv-export with a domain transition to lvm_t
udev: remove compromise_kernel capability2 av perm as its currently not
supported in reference policy
udev: udevadm managing udev_tbl_t symbolic links (/run/udev/watch/6)
udev: udevd manages control udev_tbl_t type socket
udev: udevd manages udev_tbl_t directories
named files pid filetrans for /run/udev directory
udev: lets just label /run/udev type udev_var_run_t and get it over with
udev: make the files_pid_filetrans more specific because it appears that
udev also creates directories in /run that we dont want to have created
with type udev_var_run_t (/run/avahi-daemon in Debian)
udev: udev-acl.ck uses dbus system bus fds
udev: sends dbus message to consolekit manager:
OpenSessionWithParameters
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
On Gentoo, slim files are not in /var/run/slim, but directly in
/var/run. All names start with slim though, so changing the expression
to match those as well.
There is already a file transition in place (xdm_t writing files in
var_run_t -> xdm_var_run_t) so that needs no further changes.
Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When ping is installed with capabilities instead of being marked setuid,
then the ping_t domain needs to be allowed to getcap/setcap.
Reported-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Also known as 'vmchannel', a transport mechanism is needed for
communication between the host userspace and guest userspace for
achieving things like making clipboard copy/paste work seamlessly across
the host and guest, locking the guest screen in case the vnc session to
the guest is closed and so on. This can be used in offline cases as
well, for example with libguestfs to probe which file systems the guest
uses, the apps installed, etc.
Virtio-serial is just the transport protocol that will enable such
applications to be written. It has two parts: (a) device emulation in
qemu that presents a virtio-pci device to the guest and (b) a guest
driver that presents a char device interface to userspace applications.
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
