Commit Graph

7107 Commits

Author SHA1 Message Date
Chris PeBenito
fa84ee8fc0 Update Changelog and VERSION for release 2.20240226.
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2024-02-26 13:38:45 -05:00
Chris PeBenito
d48b57a5bd Merge pull request #763 from cgzones/dnl_space
libraries: drop space in empty line
2024-02-23 13:18:44 -05:00
Chris PeBenito
806f3e31e1 Merge pull request #759 from cgzones/deb
Minimal Debian system updates
2024-02-23 13:17:40 -05:00
Christian Göttsche
8f9be7c635 libraries: drop space in empty line
Drop a line containing a single space from the file context file to
avoid SELint stumbling on it:

    libraries.mod.fc:   130: (E): Bad file context format (E-002)

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 18:04:11 +01:00
Christian Göttsche
b8ad74030f consolesetup: update
AVC avc:  denied  { read } for  pid=770 comm="mkdir" name="filesystems" dev="proc" ino=4026532069 scontext=system_u:system_r:consolesetup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
859f90be12 systemd: logind update
    type=PROCTITLE msg=audit(21/02/24 23:31:52.659:83) : proctitle=/usr/lib/systemd/systemd-logind
    type=SYSCALL msg=audit(21/02/24 23:31:52.659:83) : arch=x86_64 syscall=recvmsg success=yes exit=24 a0=0xf a1=0x7ffdec4e7bc0 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=909 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 23:31:52.659:83) : avc:  denied  { use } for  pid=909 comm=systemd-logind path=anon_inode:[pidfd] dev="anon_inodefs" ino=1051 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=1

p.s.: this might need an overhaul after pidfd handling in the kernel has
been improved.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
06927582c8 udev: update
AVC avc:  denied  { create } for  pid=685 comm="ifquery" name="network" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
395f5cb588 systemd: generator updates
    type=1400 audit(1708552475.580:3): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/etc/init.d/auditd" dev="vda1" ino=262124 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_initrc_exec_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:4): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/auditd.service" dev="vda1" ino=395421 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:5): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/etc/init.d/vnstat" dev="vda1" ino=261247 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_initrc_exec_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:6): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/vnstat.service" dev="vda1" ino=394196 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:7): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/dbus-broker.service" dev="vda1" ino=394383 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:dbusd_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.584:8): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/qemu-guest-agent.service" dev="vda1" ino=392981 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:qemu_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.584:9): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/ssh.service" dev="vda1" ino=393521 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:sshd_unit_t:s0 tclass=file permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
206bdcb6d3 fs: add support for virtiofs
Adopted from 5580e9a576

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
1816085864 vnstatd: update
    type=PROCTITLE msg=audit(21/02/24 22:54:36.792:69) : proctitle=/usr/sbin/vnstatd -n
    type=PATH msg=audit(21/02/24 22:54:36.792:69) : item=0 name=/dev/urandom inode=18 dev=00:2b mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(21/02/24 22:54:36.792:69) : cwd=/
    type=SYSCALL msg=audit(21/02/24 22:54:36.792:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f197cc66865 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=900 auid=unset uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { open } for  pid=900 comm=vnstatd path=/dev/urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
    type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { read } for  pid=900 comm=vnstatd name=urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
fa7004426f systemd: binfmt updates
    type=PROCTITLE msg=audit(21/02/24 22:54:36.708:53) : proctitle=/usr/lib/systemd/systemd-binfmt
    type=SYSCALL msg=audit(21/02/24 22:54:36.708:53) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x5 a1=0x7ffc547fbda0 a2=0x0 a3=0x0 items=0 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 22:54:36.708:53) : avc:  denied  { getattr } for  pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=filesystem permissive=1

    type=PROCTITLE msg=audit(21/02/24 22:54:36.708:54) : proctitle=/usr/lib/systemd/systemd-binfmt
    type=PATH msg=audit(21/02/24 22:54:36.708:54) : item=0 name=/proc/self/fd/4 inode=1 dev=00:27 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:binfmt_misc_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(21/02/24 22:54:36.708:54) : cwd=/
    type=SYSCALL msg=audit(21/02/24 22:54:36.708:54) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffc547fbdf0 a1=W_OK a2=0x0 a3=0x0 items=1 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 22:54:36.708:54) : avc:  denied  { write } for  pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
6992e200ac fs: mark memory pressure type as file
Associate the type memory_pressure_t with the attribute file_type, so
all attribute based rules apply, e.g. for unconfined_t.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
088bf3ab5d userdom: permit reading PSI as admin
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
7879c6a0db selinuxutil: ignore getattr proc in newrole
    type=PROCTITLE msg=audit(02/21/24 22:42:44.555:112) : proctitle=newrole -r sysadm_r
    type=SYSCALL msg=audit(02/21/24 22:42:44.555:112) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffc75fe1990 a2=0x0 a3=0x0 items=0 ppid=946 pid=1001 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=newrole exe=/usr/bin/newrole subj=root:staff_r:newrole_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(02/21/24 22:42:44.555:112) : avc:  denied  { getattr } for  pid=1001 comm=newrole name=/ dev=proc ino=1 scontext=root:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:55:29 +01:00
Christian Göttsche
ef0f55827d selinuxutil: setfiles updates
    type=PROCTITLE msg=audit(21/02/24 22:31:50.044:122) : proctitle=restorecon -vRn -T0 /
    type=SYSCALL msg=audit(21/02/24 22:31:50.044:122) : arch=x86_64 syscall=sched_getaffinity success=yes exit=8 a0=0x0 a1=0x1000 a2=0x7fc235649bf0 a3=0x0 items=0 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(21/02/24 22:31:50.044:122) : avc:  denied  { getsched } for  pid=13398 comm=restorecon scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process permissive=1

    type=PROCTITLE msg=audit(21/02/24 22:31:55.040:123) : proctitle=restorecon -vRn -T0 /
    type=PATH msg=audit(21/02/24 22:31:55.040:123) : item=0 name=/sys/fs/cgroup/user.slice/user-0.slice/user@0.service/memory.pressure inode=2455 dev=00:1b mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:memory_pressure_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(21/02/24 22:31:55.040:123) : cwd=/root/workspace/selinux/refpolicy/refpolicy
    type=SYSCALL msg=audit(21/02/24 22:31:55.040:123) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x557264466530 a2=0x7fc2004cacc0 a3=0x100 items=1 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(21/02/24 22:31:55.040:123) : avc:  denied  { getattr } for  pid=13398 comm=restorecon path=/sys/fs/cgroup/user.slice/user-0.slice/user@0.service/memory.pressure dev="cgroup2" ino=2455 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_pressure_t:s0 tclass=file permissive=1

    type=PROCTITLE msg=audit(21/02/24 22:32:15.512:126) : proctitle=restorecon -vRFn -T0 /usr/
    type=PATH msg=audit(21/02/24 22:32:15.512:126) : item=0 name=/proc/sys/vm/overcommit_memory inode=41106 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_overcommit_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(21/02/24 22:32:15.512:126) : cwd=/root/workspace/selinux/refpolicy/refpolicy
    type=SYSCALL msg=audit(21/02/24 22:32:15.512:126) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7f59f7316810 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1103 pid=13491 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc:  denied  { open } for  pid=13491 comm=restorecon path=/proc/sys/vm/overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1
    type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc:  denied  { read } for  pid=13491 comm=restorecon name=overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:16:44 +01:00
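The denial records quoted in the commit messages above come in two shapes: the raw kernel form (`type=1400 audit(...): avc: denied ...`) and the `ausearch -i` interpreted form (`type=AVC msg=audit(...) : avc: denied ...`, with unquoted values). Triaging them means grouping by source type, target type and object class, merging the permissions, and checking whether each denial was actually blocked (`permissive=0`, as in the consolesetup case) or only logged while the domain ran permissive (`permissive=1`, as in the generator, vnstatd and newrole cases). The following Python is an added example, not code from refpolicy or from any of these commits: it parses lines in both forms and renders the groups as raw allow rules. The sample input is copied from the denials quoted above plus one non-AVC record; the function names and the `enforced` field are the example's own.

```python
"""Summarise SELinux AVC denials the way a policy writer would before
deciding between an allow rule, an interface call, or a dontaudit."""
import re
from collections import defaultdict

# Sample input: lines copied from the denials quoted in the commit messages
# above, plus one non-AVC audit record to show that it is skipped.
SAMPLE_LOG = """\
type=1400 audit(1708552475.580:3): avc:  denied  { getattr } for  pid=528 comm="systemd-sysv-ge" path="/etc/init.d/auditd" dev="vda1" ino=262124 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_initrc_exec_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(21/02/24 22:54:36.792:69) : proctitle=/usr/sbin/vnstatd -n
type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { open } for  pid=900 comm=vnstatd path=/dev/urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc:  denied  { read } for  pid=900 comm=vnstatd name=urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
AVC avc:  denied  { read } for  pid=770 comm="mkdir" name="filesystems" dev="proc" ino=4026532069 scontext=system_u:system_r:consolesetup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(02/21/24 22:42:44.555:112) : avc:  denied  { getattr } for  pid=1001 comm=newrole name=/ dev=proc ino=1 scontext=root:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
"""

# Matches both the raw kernel form (type=1400 audit(...): avc: ...) and the
# ausearch -i interpreted form (type=AVC msg=audit(...) : avc: ...).
AVC_RE = re.compile(
    r"avc:\s+(?P<decision>denied|granted)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values are double-quoted in the raw form and bare in the
# interpreted form, so accept either.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type of a security context (user:role:type[:range]).
    The type is always the third element; an MLS/MCS range such as
    s0-s0:c0.c1023 adds more colons but only after it."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one audit line into a record, or return None if it is not an AVC message."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {
        "decision": m.group("decision"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0: the access was really refused.  permissive=1: it went
        # through, and the record only predicts an enforcing-mode denial.
        # A missing field (old kernels) is treated as enforcing.
        "enforced": fields.get("permissive", "0") == "0",
        "comm": fields.get("comm", "?"),
    }


def summarize(lines):
    """Group denials by (source type, target type, class) and merge permissions."""
    out = defaultdict(lambda: {"perms": set(), "enforced": False, "comms": set()})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["decision"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        out[key]["perms"] |= rec["perms"]
        out[key]["enforced"] |= rec["enforced"]
        out[key]["comms"].add(rec["comm"])
    return dict(out)


def to_allow_rules(summary):
    """Render each group as a raw allow rule, the audit2allow-style starting
    point; in refpolicy the committed change is normally an interface call."""
    rules = []
    for (stype, ttype, tclass), info in sorted(summary.items()):
        perms = sorted(info["perms"])
        perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return rules


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for key, info in sorted(summary.items()):
        mode = "BLOCKED" if info["enforced"] else "permissive"
        print(f"{mode:10} {key} perms={sorted(info['perms'])} comm={sorted(info['comms'])}")
    print("\n".join(to_allow_rules(summary)))
```

The grouped output is the input to a policy decision, not the patch itself: in refpolicy the fix for `vnstatd_t` reading `urandom_device_t` would be an interface call in the vnstatd module rather than a raw `allow`, and a denial that is harmless noise gets a `dontaudit` instead, which is what "ignore" conventionally means in the newrole commit title above. The `enforced` flag matters for prioritisation: the `consolesetup_t` record was a real failure on an enforcing system, while the permissive records describe what would break once the domain is switched to enforcing.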
Christian Göttsche
441d71d7ae virt: label qemu configuration directory
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-23 17:16:44 +01:00
Chris PeBenito
0f77ba352d Merge pull request #757 from pebenito/misc-fixes
Misc fixes
2024-02-23 09:49:56 -05:00
Chris PeBenito
9be10bc695 Merge pull request #758 from cgzones/dev
Misc build system and tooling updates
2024-02-22 14:42:51 -05:00
Christian Göttsche
f9595d30ff Makefile: set PYTHONPATH for test toolchain
In case of a non-default toolchain also set the environment variable
PYTHONPATH to run sepolgen related python code from that toolchain.
See scripts/env_use_destdir in the SELinux userland repository.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 20:21:35 +01:00
Christian Göttsche
426cbc3dac Makefile: use sepolgen-ifgen-attr-helper from test toolchain
When building with a non-default toolchain by setting the environment
variable TEST_TOOLCHAIN also use the sepolgen-ifgen helper binary
sepolgen-ifgen-attr-helper from this toolchain.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:41:37 +01:00
Christian Göttsche
82eca136e6 Rules.modular: use temporary file to not ignore error
Save the result of the m4 command into a temporary file and split the
commands, to avoid ignoring failures of the first command.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:41:37 +01:00
Christian Göttsche
752ebc167b Rules.monolithic: pre-compile fcontexts on install
On install pre-compile the file contexts.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:41:37 +01:00
Christian Göttsche
d008f97a4d policy_capabilities: remove estimated from released versions
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:28:11 +01:00
Christian Göttsche
ec28725235 Support multi-line interface calls
Support splitting the call of an interface over multiple lines, e.g. for
interfaces with a long list as argument:

    term_control_unallocated_ttys(udev_t, {
	    ioctl_kdgkbtype
	    ioctl_kdgetmode
	    ioctl_pio_unimap
	    ioctl_pio_unimapclr
	    ioctl_kdfontop
	    ioctl_tcgets
    })

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:27:36 +01:00
Christian Göttsche
bdd5036d7a fix misc typos
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:24:25 +01:00
Christian Göttsche
c781fb74c9 support/genhomedircon: support usr prefixed paths
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:12:56 +01:00
Christian Göttsche
b215f46531 access_vectors: define io_uring { cmd }
Added in Linux 6.0.

Link: f4d653dcaa
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
2024-02-22 17:12:36 +01:00
Chris PeBenito
0c41682fc4 cloudinit: Add permissions derived from sysadm.
Allow a similar amount of admin capability to cloud-init as sysadm.  Also add
a tunable to allow non-security file management for fallback.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-22 09:13:38 -05:00
Chris PeBenito
65dfbda501 systemd: Updates for systemd-locale.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
34afd8343c cloud-init: Change udev rules
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
758f819529 cloud-init: Add systemd permissions.
Additional access for controlling systemd units and logind dbus chat.

Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
7213dcf3a7 cloud-init: Allow use of sudo in runcmd.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
2e981f1790 chronyd: Read /dev/urandom.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
2e3cb74315 unconfined: Add remaining watch_* permissions.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
92587eddb3 usermanage: Handle symlinks in /usr/share/cracklib.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
0b77fe85c6 kdump: Fixes from testing kdumpctl.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
14b555b02b cloudinit: Add support for installing RPMs and setting passwords.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
e5dc0d6a36 files: Handle symlinks for /media and /srv.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
5df7c1e4b6 usermanage: Add sysctl access for groupadd to get number of groups.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
4d57ab1efb sysnetwork: ifconfig searches debugfs.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
df179e7f85 selinuxutil: Semanage reads policy for export.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
13574c3d4d init: Allow nnp/nosuid transitions from systemd initrc_t.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
45f5a5a8e0 rpm: Minor fixes
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
59136d8a7c systemd: Minor coredump fixes.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
21d7f4415e Container: Minor fixes from interactive container use.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
86bea43c43 kernel: hv_utils shutdown on systemd systems.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
d1ec6f1b9f systemd: systemd-cgroups reads kernel.cap_last_cap sysctl.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
56e33b7e42 domain: Manage own fds.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
2024-02-21 16:45:39 -05:00
Chris PeBenito
612a569b5d Merge pull request #755 from 0xC0ncord/various-20230112
Various fixes
2024-02-21 15:47:20 -05:00
Kenton Groombridge
1c534f04b5 kubernetes: allow kubelet to apply fsGroup to persistent volumes
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
2024-02-21 15:33:39 -05:00