Christian Göttsche
f9595d30ff
Makefile: set PYTHONPATH for test toolchain
In case of a non-default toolchain also set the environment variable
PYTHONPATH to run sepolgen-related python code from that toolchain.
See scripts/env_use_destdir in the SELinux userland repository.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 20:21:35 +01:00
Christian Göttsche
426cbc3dac
Makefile: use sepolgen-ifgen-attr-helper from test toolchain
When building with a non-default toolchain by setting the environment
variable TEST_TOOLCHAIN, also use the sepolgen-ifgen helper binary
sepolgen-ifgen-attr-helper from this toolchain.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:41:37 +01:00
Christian Göttsche
82eca136e6
Rules.modular: use temporary file to not ignore error
Save the result of the m4 command into a temporary file and split the
commands, to avoid ignoring failures of the first command.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:41:37 +01:00
Christian Göttsche
752ebc167b
Rules.monolithic: pre-compile fcontexts on install
On install pre-compile the file contexts.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:41:37 +01:00
Christian Göttsche
d008f97a4d
policy_capabilities: remove estimated from released versions
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:28:11 +01:00
Christian Göttsche
ec28725235
Support multi-line interface calls
Support splitting the call of an interface over multiple lines, e.g. for
interfaces with a long list as argument:
term_control_unallocated_ttys(udev_t, {
ioctl_kdgkbtype
ioctl_kdgetmode
ioctl_pio_unimap
ioctl_pio_unimapclr
ioctl_kdfontop
ioctl_tcgets
})
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:27:36 +01:00
Christian Göttsche
bdd5036d7a
fix misc typos
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:24:25 +01:00
Christian Göttsche
c781fb74c9
support/genhomedircon: support usr prefixed paths
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:12:56 +01:00
Christian Göttsche
b215f46531
access_vectors: define io_uring { cmd }
Added in Linux 6.0.
Link: f4d653dcaa
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:12:36 +01:00
Chris PeBenito
612a569b5d
Merge pull request #755 from 0xC0ncord/various-20230112
Various fixes
2024-02-21 15:47:20 -05:00
Kenton Groombridge
1c534f04b5
kubernetes: allow kubelet to apply fsGroup to persistent volumes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:33:39 -05:00
Kenton Groombridge
fa3cf4f197
container: allow spc to map kubernetes runtime files
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:33:39 -05:00
Kenton Groombridge
fb548b6a72
crio: allow reading container home content
CRI-O will read container registry configuration data from the running
user's home (root) and will abort if unable to do so.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:37 -05:00
Kenton Groombridge
4634f7a0fe
systemd: allow systemd generator to list exports
This is needed now that /etc/exports.d is labeled appropriately.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:37 -05:00
Kenton Groombridge
22b65cba5e
dbus: allow the system bus to get the status of generic units
dbus-broker checks the status of systemd-logind.
type=USER_AVC msg=audit(1705109503.237:123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=101 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:37 -05:00
Kenton Groombridge
6d5271cb18
rpc: fix not labeling exports.d directory
Fix the filecon for /etc/exports.d to also label the directory itself.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:24 -05:00
Kenton Groombridge
f0fc6cd236
bootloader, init, udev: misc minor fixes
Resolve these AVCs seen during early boot with systemd 255:
Jan 12 15:42:02 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092122.714:4): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0
Jan 12 15:42:03 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092123.656:7): avc: denied { setrlimit } for pid=2578 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=process permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.960:9): avc: denied { write } for pid=2629 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.961:10): avc: denied { write } for pid=2629 comm="sysctl" name="nlm_udpport" dev="proc" ino=31905 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.963:11): avc: denied { write } for pid=2632 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:08 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092128.530:16): avc: denied { net_admin } for pid=3033 comm="bootctl" capability=12 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:bootloader_t:s0 tclass=capability permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:31:08 -05:00
Kenton Groombridge
85fc7fda17
systemd: label systemd-tpm2-setup as systemd-pcrphase
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
Kenton Groombridge
4e7511f4ac
init: allow using system bus anon pidfs
Seen with systemd 255. This initially did not seem to impact anything,
but after a while I found that the kubernetes kubelet agent would not
start without this access.
type=AVC msg=audit(1705092131.239:37): avc: denied { use } for pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
Kenton Groombridge
29a5cc1abc
kernel: allow managing mouse devices
Seen with systemd 255.
type=AVC msg=audit(1705092132.309:64): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/input/mouse0" dev="devtmpfs" ino=328 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1705108275.269:52): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1705108275.269:53): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
Kenton Groombridge
fbbed63769
zfs: allow zfs to write to exports
Needed by zfs-mount.service.
type=PROCTITLE msg=audit(1705092131.987:49): proctitle=2F7362696E2F7A6673007368617265002D61
type=SYSCALL msg=audit(1705092131.987:49): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=665f44189eba a2=80042 a3=180 items=0 ppid=1 pid=3082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zfs" exe="/usr/bin/zfs" subj=system_u:system_r:zfs_t:s0 key=(null)
type=AVC msg=audit(1705092131.987:49): avc: denied { write } for pid=3082 comm="zfs" name="zfs.exports.lock" dev="dm-0" ino=1296 scontext=system_u:system_r:zfs_t:s0 tcontext=system_u:object_r:exports_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:53 -05:00
Kenton Groombridge
8ef4c98c77
systemd: label systemd-pcrlock as systemd-pcrphase
Label the systemd-pcrlock binary as systemd_pcrphase_exec_t.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:52 -05:00
Kenton Groombridge
29d02c3efa
kubernetes: fix kubelet accounting
The kubelet routinely measures metrics and accounting for all
containers which involves calculating resource utilization for both
running containers and the contents of their images on disk.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:25 -05:00
Kenton Groombridge
2912f56e88
container, kubernetes: allow kubernetes to use fuse-overlayfs
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:30:24 -05:00
Kenton Groombridge
489051ff99
systemd: add policy for systemd-machine-id-setup
systemd-machine-id-setup's role is to commit the host's machine id
to /etc/machine-id. The behavior of this process has changed slightly,
whereby a tmpfs is temporarily created on top of /etc/machine-id during
boot which is then read by systemd-machine-id-setup and written directly
to the underlying file.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:29:43 -05:00
Kenton Groombridge
8b26a7ccf3
init, systemd: allow systemd-pcrphase to write TPM measurements
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:29:43 -05:00
Chris PeBenito
63698fee31
Merge pull request #756 from 0xC0ncord/rook-ceph
Add support for rook-ceph in kubernetes
2024-02-21 14:29:00 -05:00
Chris PeBenito
d11ca7a2b5
Merge pull request #752 from dsugar100/systemd_noatsecure
Needed to allow environment variable to process started (for cockpit)
2024-02-21 14:12:29 -05:00
Chris PeBenito
883cfaed99
Merge pull request #754 from yizhao1/systemd
Fixes for systemd 255
2024-02-21 14:01:17 -05:00
Kenton Groombridge
1305fd7be1
container: add filecons for rook-ceph
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-10 21:10:38 -05:00
Kenton Groombridge
08adc2fadb
kernel: dontaudit read fixed disk devices
This is triggered when rook-ceph creates its OSDs.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-09 15:12:00 -05:00
Kenton Groombridge
5ab2cf6a6a
container, kubernetes: add support for rook-ceph
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-09 15:11:58 -05:00
Kenton Groombridge
dad409e58b
fstools: allow reading container device blk files
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-07 19:20:30 -05:00
Kenton Groombridge
5703d3fdb9
fstools: allow fsadm to ioctl cgroup dirs
When kubelet calls losetup, it will transition to the fsadm_t domain and
need to access block devices in containers.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-07 18:20:35 -05:00
Kenton Groombridge
0bec2f68f7
mount: make mount_runtime_t a kubernetes mountpoint
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-07 18:18:24 -05:00
Yi Zhao
3d565b0a3a
udev: fix for systemd-udevd
Fixes:
avc: denied { setrlimit } for pid=194 comm="systemd-udevd"
scontext=system_u:system_r:udev_t tcontext=system_u:system_r:udev_t
tclass=process permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-02-04 12:52:54 +08:00
Yi Zhao
9d3513c7fa
systemd: allow systemd-rfkill to getopt from uevent sockets
Fixes:
avc: denied { getopt } for pid=313 comm="systemd-rfkill"
scontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
tcontext=system_u:system_r:systemd_rfkill_t:s0-s15:c0.c1023
tclass=netlink_kobject_uevent_socket permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-02-04 11:18:38 +08:00
Yi Zhao
ecc6e3ccde
systemd: allow systemd-hostnamed to read machine-id and localization files
Fixes:
avc: denied { read } for pid=533 comm="systemd-hostnam"
name="machine-id" dev="sdb2" ino=196
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
avc: denied { open } for pid=533 comm="systemd-hostnam"
path="/etc/machine-id" dev="sdb2" ino=196
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:etc_runtime_t:s0 tclass=file permissive=1
avc: denied { search } for pid=533 comm="systemd-hostnam"
name="zoneinfo" dev="sdb2" ino=22345
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=dir permissive=1
avc: denied { read } for pid=533 comm="systemd-hostnam"
name="Universal" dev="sdb2" ino=22959
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
avc: denied { open } for pid=533 comm="systemd-hostnam"
path="/usr/share/zoneinfo/Universal" dev="sdb2" ino=22959
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
avc: denied { getattr } for pid=533 comm="systemd-hostnam"
path="/usr/share/zoneinfo/Universal" dev="sdb2" ino=22959
scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:locale_t:s0 tclass=file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
2024-02-04 11:07:53 +08:00
Chris PeBenito
504feb7a98
Merge pull request #740 from dsugar100/cockpit
Add SELinux policy for cockpit
2024-01-30 14:05:04 -05:00
Dave Sugar
882830d642
Resolve error when cockpit initiates shutdown
node=localhost type=AVC msg=audit(1705937785.855:1258): avc: denied { create } for pid=1741 comm="systemd-logind" name=".#scheduleddAhZqh" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1705937817.548:1268): avc: denied { create } for pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1268): avc: denied { read write open } for pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1269): avc: denied { setattr } for pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1270): avc: denied { getattr } for pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1271): avc: denied { rename } for pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1272): avc: denied { write } for pid=1741 comm="systemd-logind" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1272): avc: denied { add_name } for pid=1741 comm="systemd-logind" name=".#nologin0EGTLr" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1273): avc: denied { remove_name } for pid=1741 comm="systemd-logind" name=".#nologin3EGTLr" dev="tmpfs" ino=1804 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:32:13 -05:00
Dave Sugar
08ea30252e
Fix password changing from cockpit login screen
node=localhost type=AVC msg=audit(1705071167.616:1344): avc: denied { write } for pid=6560 comm="cockpit-session" name="etc" dev="dm-1" ino=393220 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1705071268.820:1383): avc: denied { write } for pid=6588 comm="cockpit-session" name="etc" dev="dm-1" ino=393220 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705071268.820:1383): avc: denied { add_name } for pid=6588 comm="cockpit-session" name="nshadow" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705071268.826:1384): avc: denied { remove_name } for pid=6588 comm="cockpit-session" name="nshadow" dev="dm-1" ino=393552 scontext=system_u:system_r:cockpit_session_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:32:13 -05:00
Dave Sugar
d80c8f421f
Denial during cockpit use
node=localhost type=USER_AVC msg=audit(1702256090.674:226515): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=0 path="/usr/lib/systemd/system/chronyd.service" cmdline="/usr/lib/systemd/systemd-timedated" function="mac_selinux_filter" scontext=system_u:system_r:ntpd_t:s0 tcontext=system_u:object_r:chronyd_unit_t:s0 tclass=service permissive=0 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?' UID="root" AUID="unset" AUID="root" UID="root" GID="root" SAUID="root"
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:32:08 -05:00
Dave Sugar
a95feb6cdd
Additional access for systemctl
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc: denied { search } for pid=2071 comm="systemctl" name="kernel" dev="proc" ino=5 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=dir permissive=1
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc: denied { read } for pid=2071 comm="systemctl" name="cap_last_cap" dev="proc" ino=65 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
Nov 26 16:23:29 localhost.localdomain audisp-syslog[1662]: node=localhost type=AVC msg=audit(1701015809.183:8712): avc: denied { open } for pid=2071 comm="systemctl" path="/proc/sys/kernel/cap_last_cap" dev="proc" ino=65 scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
c6d904fcb4
Add watches
node=localhost type=AVC msg=audit(1701960388.658:45746): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/" dev="dm-1" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.457:46142): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/etc/motd" dev="dm-1" ino=524363 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1701960389.538:46261): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/var" dev="dm-9" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.539:46264): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/var/lib" dev="dm-9" ino=262145 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.472:46167): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/run/systemd" dev="tmpfs" ino=2 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701960389.473:46170): avc: denied { watch } for pid=7282 comm="cockpit-bridge" path="/run/systemd/shutdown" dev="tmpfs" ino=99 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=dir permissive=0
node=localhost type=AVC msg=audit(1701966176.317:51985): avc: denied { watch } for pid=7186 comm="cockpit-bridge" path="/run/utmp" dev="tmpfs" ino=94 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=system_u:object_r:initrc_runtime_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
b4d2d588f8
Add dontaudit to quiet down a bit
node=localhost type=AVC msg=audit(1702086779.746:35710): avc: denied { execute } for pid=2790 comm="cockpit-bridge" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=18 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:user_tmpfs_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1702086784.802:36735): avc: denied { execute } for pid=2849 comm="cockpit-bridge" path=2F726F6F742F23363535333931202864656C6574656429 dev="dm-1" ino=655391 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:default_t:s0 tclass=file permissive=0
/var/log/audit/audit.log:node=localhost type=AVC msg=audit(1702086784.803:36742): avc: denied { execute } for pid=2849 comm="cockpit-bridge" path=2F233330363834202864656C6574656429 dev="dm-1" ino=30684 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:etc_runtime_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1702069242.629:385266): avc: denied { execute } for pid=5860 comm="cockpit-bridge" path=2F6465762F23373833202864656C6574656429 dev="devtmpfs" ino=783 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:device_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
fcfffd4a2c
Allow key manipulation
node=localhost type=AVC msg=audit(1701897597.942:245462): avc: denied { create } for pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc: denied { write } for pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc: denied { search } for pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=key permissive=1
node=localhost type=AVC msg=audit(1701897597.942:245464): avc: denied { link } for pid=14658 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_systemd_t:s0-s0:c0.c1023 tclass=key permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
b34ce38bfd
admin can read/write web socket
node=localhost type=AVC msg=audit(1701889206.489:120065): avc: denied { use } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=fd permissive=1
node=localhost type=AVC msg=audit(1701889206.489:120065): avc: denied { read write } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889206.500:120084): avc: denied { ioctl } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 ioctlcmd=0x5401 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889207.271:120489): avc: denied { write } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889207.279:120491): avc: denied { read } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=unix_stream_socket permissive=1
node=localhost type=AVC msg=audit(1701889217.374:123275): avc: denied { use } for pid=8735 comm="cockpit-bridge" path="socket:[66969]" dev="sockfs" ino=66969 scontext=staff_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:cockpit_ws_t:s0 tclass=fd permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
cb810219ba
This works instead of allow exec on user_tmpfs_t!
node=localhost type=AVC msg=audit(1702069242.629:385266): avc: denied { execute } for pid=5860 comm="cockpit-bridge" path=2F6465762F23373833202864656C6574656429 dev="devtmpfs" ino=783 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:device_t:s0 tclass=file permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
7abf35393b
This seems important for administrative access
node=localhost type=AVC msg=audit(1701976221.478:269623): avc: denied { read write } for pid=11016 comm="sudo" path="socket:[138427]" dev="sockfs" ino=138427 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0 tclass=unix_stream_socket permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00
Dave Sugar
675144499f
Signal during logout
node=localhost type=AVC msg=audit(1701975071.847:229359): avc: denied { signal } for pid=10270 comm="cockpit-session" scontext=system_u:system_r:cockpit_session_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_ssh_agent_t:s0 tclass=process permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2024-01-26 21:05:28 -05:00