Tags: MartinNowak/selinux-policy
Allow userdomain get attributes of files on an nsfs filesystem

The commit addresses the following AVC denial:

type=PROCTITLE msg=audit(22.2.2024 23:42:03.003:742) : proctitle=pstree
type=PATH msg=audit(22.2.2024 23:42:03.003:742) : item=0 name=/proc/4139/ns/cgroup inode=4026531835 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(22.2.2024 23:42:03.003:742) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x7ffc200aed00 a2=0x7ffc200aed40 a3=0x0 items=1 ppid=7788 pid=55219 auid=username uid=username gid=username euid=username suid=username fsuid=username egid=username sgid=username fsgid=username tty=pts13 ses=7 comm=pstree exe=/usr/bin/pstree subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(22.2.2024 23:42:03.003:742) : avc: denied { getattr } for pid=55219 comm=pstree path=cgroup:[4026531835] dev="nsfs" ino=4026531835 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
Only allow confined user domains to login locally without unconfined_… …login

Before, local_login_t could transition to all userdomain types, including unconfined_t, regardless of the unconfined_login boolean state. This patch allows this unconditional access only to confined user domains. Transition to unconfined_t is already handled elsewhere.

Resolves: RHEL-1628
Rename all /var/lock file context entries to /run/lock

The "/run/lock = /var/lock" equivalency needs to be inverted together with the "/run = /var/run" equivalency inversion, and all existing file context specification entries in selinux-policy sources based on the /var/lock path need to change to /run/lock.
Allow collectd read raw fixed disk device

Required by the collectd-smart plugin. The commit addresses the following AVC denial:

type=PROCTITLE msg=audit(11/22/2023 14:01:33.902:296) : proctitle=/usr/sbin/collectd
type=PATH msg=audit(11/22/2023 14:01:33.902:296) : item=0 name=/dev/nvme1n1 inode=511 dev=00:05 mode=block,660 ouid=root ogid=disk rdev=103:03 obj=system_u:object_r:fixed_disk_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(11/22/2023 14:01:33.902:296) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f727c0137d0 a2=O_RDWR a3=0x0 items=1 ppid=1 pid=1598 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=reader#4 exe=/usr/sbin/collectd subj=system_u:system_r:collectd_t:s0 key=(null)
type=AVC msg=audit(11/22/2023 14:01:33.902:296) : avc: denied { read write } for pid=1598 comm=reader#4 name=nvme1n1 dev="devtmpfs" ino=511 scontext=system_u:system_r:collectd_t:s0 tcontext=system_u:object_r:fixed_disk_device_t:s0 tclass=blk_file permissive=0

Resolves: rhbz#2249257
Allow chronyd-restricted read chronyd key files

The commit addresses the following AVC denial:

type=AVC msg=audit(1706021857.079:1326): avc: denied { read } for pid=25023 comm="chronyd" name="chrony.keys" dev="xvda4" ino=17299976 scontext=system_u:system_r:chronyd_restricted_t:s0 tcontext=system_u:object_r:chronyd_keys_t:s0 tclass=file permissive=0

Resolves: RHEL-18219
Allow systemd-sleep set attributes of efivarfs files

The commit addresses the following AVC denial:

type=AVC msg=audit(1703311625.363:336): avc: denied { setattr } for pid=3817 comm="systemd-sleep" path="/sys/firmware/efi/efivars/HibernateLocation-8cf2644b-4b0b-428f-9387-6d876050dc67" dev="efivarfs" ino=510 scontext=system_u:system_r:systemd_sleep_t:s0 tcontext=system_u:object_r:efivarfs_t:s0 tclass=file permissive=0

Resolves: rhbz#2255693