nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
ceec13419f
selinux-refpolicy/policy
History
Dave Sugar ceec13419f Fix problems booting with fips=1 
Seeing the following problem when booting in enforcing with FIPS mode enabled.
Request for unknown module key 'CentOS Linux kernel signing key: c757a9fbbd0d82c9e54052029a0908d17cf1adc7' err -13
Then seeing the system halt

Fixing the following denials:
[    4.492635] type=1400 audit(1523666552.903:4): avc:  denied  { search } for  pid=894 comm="systemd-journal" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[    4.496621] type=1400 audit(1523666552.907:5): avc:  denied  { read } for  pid=894 comm="systemd-journal" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    4.499741] type=1400 audit(1523666552.910:6): avc:  denied  { open } for  pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    4.502969] type=1400 audit(1523666552.914:7): avc:  denied  { getattr } for  pid=894 comm="systemd-journal" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

[    4.950021] type=1400 audit(1523666553.360:8): avc:  denied  { search } for  pid=952 comm="systemctl" name="crypto" dev="proc" ino=6124 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
[    4.986551] type=1400 audit(1523666553.397:9): avc:  denied  { read } for  pid=952 comm="systemctl" name="fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
[    5.028737] type=1400 audit(1523666553.439:10): avc:  denied  { open } for  pid=952 comm="systemctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=6125 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

type=1400 audit(1512501270.176:3): avc:  denied  { search } for  pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=key

Signed-off-by: Dave Sugar <dsugar@tresys.com>
2018-04-17 20:14:50 -04:00
..
flask add definition of bpf class and systemd perms 2018-03-21 14:16:52 -04:00
modules Fix problems booting with fips=1 2018-04-17 20:14:50 -04:00
support refpolicy: Update for kernel sctp support 2018-03-21 14:14:37 -04:00
constraints refpolicy: Update for kernel sctp support 2018-03-21 14:14:37 -04:00
context_defaults Fix error in default_user example. 2014-04-28 10:19:22 -04:00
global_booleans Move secure_mode_policyload into selinux module as that is the only place it is used. 2011-09-26 09:53:23 -04:00
global_tunables user_udp_server tunable 2016-08-02 19:44:16 -04:00
mcs refpolicy: Update for kernel sctp support 2018-03-21 14:14:37 -04:00
mls refpolicy: Update for kernel sctp support 2018-03-21 14:14:37 -04:00
policy_capabilities Enable cgroup_seclabel and nnp_nosuid_transition. 2018-01-16 18:52:39 -05:00
users Apply direct_initrc to unconfined_r:unconfined_t 2014-01-16 15:27:18 -05:00