Commit message | Author | Age | Files | Lines
* sudo: allow systemd-logind to read cgroup state of sudo | Kenton Groombridge | 2024-09-21 | 1 | -0/+2
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* postfix: allow smtpd to mmap SASL keytab files | Kenton Groombridge | 2024-09-21 | 2 | -1/+20
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* sysnetwork: allow ifconfig to read usr files | Kenton Groombridge | 2024-09-21 | 1 | -0/+1
    ip wants to read files in /usr/share/iproute2.
    type=AVC msg=audit(1715785441.968:297208): avc: denied { read } for pid=3559095 comm="ip" name="group" dev="dm-1" ino=1075055 scontext=staff_u:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: allow systemd-logind to use sshd pidfds | Kenton Groombridge | 2024-09-21 | 1 | -0/+6
    This is to avoid a long timeout in pam_systemd when logging on. This is the second half of the fix described in ddc6ac493cef7bb64c3d1904b2c660f61b931f59.
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* tests.yml: Add policy diff on PRs. | Chris PeBenito | 2024-09-21 | 2 | -0/+129
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* tests.yml: Divide into reusable workflows. | Chris PeBenito | 2024-09-21 | 7 | -232/+490
    Keep artifacts from each to allow analysis when there are failures.
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Reorder perms and classes | freedom1b2830 | 2024-09-21 | 220 | -759/+759
    Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* devices: Change dev_rw_uhid() to use a policy pattern. | Chris PeBenito | 2024-09-21 | 1 | -2/+2
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* device: Move dev_rw_uhid definition. | Chris PeBenito | 2024-09-21 | 1 | -18/+19
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Sepolicy changes for bluez to access uhid | Amisha Jain | 2024-09-21 | 2 | -0/+19
    Resolve selinux permission for HID
    Below avc denials that are fixed with this patch -
    avc: denied { read write } for pid=656 comm="bluetoothd" name="uhid" dev="devtmpfs" ino=841 scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tcontext=system_u:object_r:uhid_device_t:s0 tclass=chr_file permissive=0
    Signed-off-by: Amisha Jain <quic_amisjain@quicinc.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* selinuxutil: make policykit optional | Yi Zhao | 2024-09-21 | 1 | -2/+4
    Make policykit optional to avoid a potential build error.
    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* newrole: allow newrole to search faillock runtime directory | Yi Zhao | 2024-09-21 | 2 | -0/+19
    Allow newrole to search the /run/faillock directory, otherwise the faillock mechanism will not work for newrole.
    Before the patch (pam faillock deny=3):
    root@intel-x86-64:~# newrole -r sysadm_r
    Password:
    newrole: incorrect password for root
    root@intel-x86-64:~# newrole -r sysadm_r
    Password:
    newrole: incorrect password for root
    root@intel-x86-64:~# newrole -r sysadm_r
    Password:
    newrole: incorrect password for root
    root@intel-x86-64:~# newrole -r sysadm_r
    Password:
    newrole: incorrect password for root
    After the patch (pam faillock deny=3):
    root@intel-x86-64:~# newrole -r sysadm_r
    Password:
    newrole: incorrect password for root
    root@intel-x86-64:~# newrole -r sysadm_r
    Password:
    newrole: incorrect password for root
    root@intel-x86-64:~# newrole -r sysadm_r
    Password:
    newrole: incorrect password for root
    root@intel-x86-64:~# newrole -r sysadm_r
    The account is locked due to 3 failed logins. (1 minute left to unlock)
    Password:
    Fixes:
    avc: denied { search } for pid=508 comm="newrole" name="faillock" dev="tmpfs" ino=582 scontext=root:sysadm_r:newrole_t:s0-s15:c0.c1023 tcontext=system_u:object_r:faillog_t:s0 tclass=dir permissive=0
    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* sysnetwork: fixes for dhcpcd | Yi Zhao | 2024-09-21 | 1 | -0/+5
    Allow dhcpcd to create netlink socket and read files under /run/udev/.
    Fixes:
    avc: denied { search } for pid=393 comm="dhcpcd" name="udev" dev="tmpfs" ino=49 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=dir permissive=1
    avc: denied { create } for pid=393 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket permissive=1
    avc: denied { getopt } for pid=393 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket permissive=1
    avc: denied { setopt } for pid=393 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket permissive=1
    avc: denied { bind } for pid=393 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket permissive=1
    avc: denied { getattr } for pid=393 comm="dhcpcd" scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tclass=netlink_kobject_uevent_socket permissive=1
    avc: denied { read } for pid=393 comm="dhcpcd" name="n1" dev="tmpfs" ino=222 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
    avc: denied { open } for pid=393 comm="dhcpcd" path="/run/udev/data/n1" dev="tmpfs" ino=222 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
    avc: denied { getattr } for pid=393 comm="dhcpcd" path="/run/udev/data/n1" dev="tmpfs" ino=222 scontext=system_u:system_r:dhcpc_t:s0-s15:c0.c1023 tcontext=system_u:object_r:udev_runtime_t:s0 tclass=file permissive=1
    Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Adding Sepolicy rules to allow bluetoothctl and dbus-daemon to access unix stream sockets. | Naga Bhavani Akella | 2024-09-21 | 4 | -3/+27
    Required for using acquire-notify, acquire-write options (Gatt Client) and Sending notifications (Gatt Server)
    Below are the avc denials that are fixed with this patch -
    1. audit: type=1400 audit(315966559.395:444): avc: denied { use } for pid=710 comm="dbus-daemon" path="socket:[13196]" dev="sockfs" ino=13196 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=fd permissive=0
    2. audit: type=1400 audit(315999854.939:523): avc: denied { read write } for pid=812 comm="dbus-daemon" path="socket:[99469]" dev="sockfs" ino=99469 scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023 tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
    Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
    Signed-off-by: Chris PeBenito <pebenito@ieee.org>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* init: Add homectl dbus access. | Chris PeBenito | 2024-09-21 | 2 | -0/+25
    homectl is used in the systemd-homed-activate.service ExecStop.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* filesystem/systemd: memory.pressure fixes. | Chris PeBenito | 2024-09-21 | 3 | -2/+6
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* cloudinit: Add support for cloud-init-growpart. | Chris PeBenito | 2024-09-21 | 1 | -0/+9
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* systemd: Add basic systemd-analyze rules. | Chris PeBenito | 2024-09-21 | 1 | -0/+23
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* remove unnecessary code (tag: 2.20240226-r2) | Grzegorz Filo | 2024-05-14 | 2 | -6/+0
    Signed-off-by: Grzegorz Filo <gf578@wp.pl>
    Closes: https://github.com/gentoo/hardened-refpolicy/pull/2
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* Merge upstream | Kenton Groombridge | 2024-05-14 | 1 | -1/+1
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* various: various fixes | Kenton Groombridge | 2024-05-14 | 6 | -1/+28
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* container, crio, kubernetes: minor fixes | Kenton Groombridge | 2024-05-14 | 3 | -0/+5
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* container, podman: various fixes | Kenton Groombridge | 2024-05-14 | 3 | -2/+70
    Various fixes for containers and podman, mostly centered around quadlet and netavark updates.
    One particular change which may stand out is allowing podman_conmon_t to IOCTL container_file_t files. I wish I could know why this was hit, but I don't. The relevant AVC is:
    type=AVC msg=audit(1704734027.100:15951872): avc: denied { ioctl } for pid=3434219 comm="conmon" path="/var/lib/containers/storage/volumes/harbor-core/_data/key" dev="dm-0" ino=50845175 scontext=system_u:system_r:podman_conmon_t:s0 tcontext=system_u:object_r:container_file_t:s0 tclass=file permissive=1
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* systemd: allow systemd-sysctl to search tmpfs | Kenton Groombridge | 2024-05-14 | 1 | -0/+1
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* container: allow containers to getcap | Kenton Groombridge | 2024-05-14 | 1 | -1/+1
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* container: allow system container engines to mmap runtime files | Kenton Groombridge | 2024-05-14 | 1 | -1/+1
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* matrixd: add tunable for binding to all unreserved ports | Kenton Groombridge | 2024-05-14 | 1 | -1/+15
    This is to support using Synapse workers which require binding to multiple TCP ports in lieu of manually labeling unreserved ports for use.
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* bootloader: allow systemd-boot to manage EFI binaries | Kenton Groombridge | 2024-05-14 | 2 | -0/+23
    systemd-boot's bootctl utility is used to install and update its EFI binaries in the EFI partition. If it is mounted with boot_t, bootctl needs to be able to manage boot_t files.
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* asterisk: allow binding to all unreserved UDP ports | Kenton Groombridge | 2024-05-14 | 1 | -0/+1
    This is for RTP streaming.
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* postgres: add a standalone execmem tunable | Kenton Groombridge | 2024-05-14 | 1 | -1/+8
    Add a separate tunable to allow Postgres to use execmem. This is to support JIT in the Postgres server without enabling it for the entire system.
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* userdom: allow users to read user home dir symlinks | Kenton Groombridge | 2024-05-14 | 1 | -0/+3
    This is to support user home directories primarily living in another directory with a symlink in /home that points to it.
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* dovecot: allow dovecot-auth to read SASL keytab | Kenton Groombridge | 2024-05-14 | 1 | -0/+4
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* fail2ban: allow reading net sysctls | Kenton Groombridge | 2024-05-14 | 1 | -0/+1
    type=AVC msg=audit(1696613589.191:194926): avc: denied { search } for pid=1724 comm="f2b/f.dovecot" name="net" dev="proc" ino=2813 scontext=system_u:system_r:fail2ban_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* init: allow systemd to use sshd pidfds | Kenton Groombridge | 2024-05-14 | 2 | -0/+23
    Without this, a lengthy 2 minute delay can be observed SSHing into a system while pam_systemd tries to create a login session.
    May 06 14:22:08 megumin.fuwafuwatime.moe sshd[29384]: pam_systemd(sshd:session): Failed to create session: Connection timed out
    type=AVC msg=audit(1715019897.540:13855): avc: denied { use } for pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:sshd_t:s0 tclass=fd permissive=1
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* files context for merged-usr profile on gentoo | Grzegorz Filo | 2024-05-14 | 6 | -0/+24
    Signed-off-by: Grzegorz Filo <gf578@wp.pl>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* Need map perm for cockpit 300.4 | Dave Sugar | 2024-05-14 | 1 | -1/+1
    node=localhost type=AVC msg=audit(1714870999.370:3558): avc: denied { map } for pid=7081 comm="cockpit-bridge" path=2F6465762F23373933202864656C6574656429 dev="devtmpfs" ino=793 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=staff_u:object_r:staff_cockpit_tmpfs_t:s0 tclass=file permissive=0
    Signed-off-by: Dave Sugar <dsugar100@gmail.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* tests.yml: Add sechecker testing. | Chris PeBenito | 2024-05-14 | 3 | -12/+480
    Add initial privilege and integrity tests.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* cockpit: Change $1_cockpit_tmpfs_t to a tmpfs file type. | Chris PeBenito | 2024-05-14 | 1 | -1/+1
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* certbot: Drop execmem. | Chris PeBenito | 2024-05-14 | 1 | -4/+0
    This is related to FFI use in python3-openssl. Libffi now changes behavior when it detects SELinux, to avoid this type of denial.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* xen: Drop xend/xm stack. | Chris PeBenito | 2024-05-14 | 14 | -408/+54
    Xend/xm was replaced with xl in Xen 4.5 (Jan 2015).
    https://xenproject.org/2015/01/15/less-is-more-in-the-new-xen-project-4-5-release/
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* Allow systemd to pass down sig mask | Matt Sheets | 2024-05-14 | 1 | -0/+1
    IgnoreSIGPIPE is a feature that requires systemd to pass down the signal mask to the forked process. To allow this the siginh permission must be allowed for all process domains that can be forked by systemd.
    Signed-off-by: Matt Sheets <masheets@linux.microsoft.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* cups: Remove PTAL. | Chris PeBenito | 2024-05-14 | 4 | -109/+7
    This is part of the HPOJ, which was superseded by HPLIP in 2006.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* xen: Revoke kernel module loading permissions. | Chris PeBenito | 2024-05-14 | 1 | -1/+0
    This domain also calls kernel_request_load_module(), which should be sufficient.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* minissdpd: Revoke kernel module loading permissions. | Chris PeBenito | 2024-05-14 | 1 | -2/+1
    This domain also calls kernel_request_load_module(), which should be sufficient.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* docker: Fix dockerc typo in container_engine_executable_file | Chris PeBenito | 2024-05-14 | 1 | -1/+1
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* cron: Use raw entrypoint rule for system_cronjob_t. | Chris PeBenito | 2024-05-14 | 1 | -1/+1
    By using domain_entry_file() to provide the entrypoint permission, it makes the spool file an executable, with unexpected access.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* uml: Remove excessive access from user domains on uml_exec_t. | Chris PeBenito | 2024-05-14 | 1 | -2/+2
    The user domains were allowed to modify uml_exec_t files.
    Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* Set the type on /etc/machine-info to net_conf_t so hostnamectl can manipulate it (CRUD) | Rick Alther | 2024-05-14 | 1 | -0/+1
    When attempting to set the PRETTY_HOSTNAME (e.g. hostnamectl --pretty hostname "My Pretty Host") you will receive these denials in the audit log:
    node=localhost type=AVC msg=audit(1713748477.775:17769): avc: denied { create } for pid=3012 comm="systemd-hostnam" name=".#machine-infocuJGLW" scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1713748477.775:17769): avc: denied { write } for pid=3012 comm="systemd-hostnam" path="/etc/.#machine-infocuJGLW" dev="dm-1" ino=1180584 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    node=localhost type=PATH msg=audit(1713748477.775:17769): item=1 name="/etc/.#machine-infocuJGLW" inode=1180584 dev=fd:01 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
    node=localhost type=AVC msg=audit(1713748477.775:17770): avc: denied { setattr } for pid=3012 comm="systemd-hostnam" name=".#machine-infocuJGLW" dev="dm-1" ino=1180584 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    node=localhost type=AVC msg=audit(1713748477.776:17771): avc: denied { rename } for pid=3012 comm="systemd-hostnam" name=".#machine-infocuJGLW" dev="dm-1" ino=1180584 scontext=system_u:system_r:systemd_hostnamed_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1
    node=localhost type=PATH msg=audit(1713748477.776:17771): item=2 name="/etc/.#machine-infocuJGLW" inode=1180584 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
    node=localhost type=PATH msg=audit(1713748477.776:17771): item=3 name="/etc/machine-info" inode=1180584 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
    node=localhost type=PATH msg=audit(1713748497.093:17897): item=0 name="/etc/machine-info" inode=1180584 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="root" OGID="root"
    This is on a Rocky 9 system where the default type is etc_t. Setting the type to net_conf_t allows the command to succeed without error.
    Signed-off-by: Rick Alther <alther@acm.org>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* fix: minor correction in MCS_CATS range comment | Rick Alther | 2024-05-14 | 1 | -1/+1
    Signed-off-by: Rick Alther <alther@acm.org>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* systemd: allow notify client to stat socket | Christian Göttsche | 2024-05-14 | 1 | -1/+1
    Caused by the latest openssh version in Debian sid:
    AVC avc: denied { getattr } for pid=13544 comm="sshd" path="/run/systemd/notify" dev="tmpfs" ino=286 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:systemd_runtime_notify_t:s0 tclass=sock_file permissive=0
    Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
    Signed-off-by: Kenton Groombridge <concord@gentoo.org>