eba35802cc
I think this should be self-explanatory. I've added an audit trace for the
sys_ptrace access that was previously rejected.
Here is the audit log for sys_ptrace:
type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc: denied { sys_ptrace } for pid=12750 comm=systemctl capability=sys_ptrace scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
63 lines
1.6 KiB
Plaintext
63 lines
1.6 KiB
Plaintext
policy_module(irqbalance, 1.10.2)
|
|
|
|
########################################
|
|
#
|
|
# Declarations
|
|
#
|
|
|
|
type irqbalance_t;
|
|
type irqbalance_exec_t;
|
|
init_daemon_domain(irqbalance_t, irqbalance_exec_t)
|
|
|
|
type irqbalance_initrc_exec_t;
|
|
init_script_file(irqbalance_initrc_exec_t)
|
|
|
|
type irqbalance_pid_t;
|
|
typealias irqbalance_pid_t alias irqbalance_var_run_t;
|
|
files_pid_file(irqbalance_pid_t)
|
|
|
|
type irqbalance_unit_t;
|
|
init_unit_file(irqbalance_unit_t)
|
|
|
|
########################################
|
|
#
|
|
# Local policy
|
|
#
|
|
|
|
allow irqbalance_t self:capability { setpcap };
|
|
dontaudit irqbalance_t self:capability sys_tty_config;
|
|
allow irqbalance_t self:process { getcap getsched setcap signal_perms };
|
|
allow irqbalance_t self:udp_socket create_socket_perms;
|
|
allow irqbalance_t self:unix_stream_socket create_stream_socket_perms;
|
|
|
|
manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
|
|
manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
|
|
files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file })
|
|
|
|
kernel_read_network_state(irqbalance_t)
|
|
kernel_read_system_state(irqbalance_t)
|
|
kernel_read_kernel_sysctls(irqbalance_t)
|
|
kernel_rw_irq_sysctls(irqbalance_t)
|
|
|
|
dev_read_sysfs(irqbalance_t)
|
|
|
|
files_read_etc_files(irqbalance_t)
|
|
files_read_etc_runtime_files(irqbalance_t)
|
|
|
|
fs_getattr_all_fs(irqbalance_t)
|
|
fs_search_auto_mountpoints(irqbalance_t)
|
|
fs_search_tmpfs(irqbalance_t)
|
|
|
|
domain_use_interactive_fds(irqbalance_t)
|
|
|
|
logging_send_syslog_msg(irqbalance_t)
|
|
|
|
miscfiles_read_localization(irqbalance_t)
|
|
|
|
userdom_dontaudit_use_unpriv_user_fds(irqbalance_t)
|
|
userdom_dontaudit_search_user_home_dirs(irqbalance_t)
|
|
|
|
optional_policy(`
|
|
udev_read_db(irqbalance_t)
|
|
')
|