path: root/policy
* Update generated policy and doc files [HEAD, 2.20240226-r1, master] (Kenton Groombridge, 2024-03-01; 2 files, -0/+21)

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* libraries: drop space in empty line (Christian Göttsche, 2024-03-01; 1 file, -1/+1)

  Drop a line containing a single space from the file context file to avoid SELint stumbling on it:

    libraries.mod.fc: 130: (E): Bad file context format (E-002)

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* consolesetup: update (Christian Göttsche, 2024-03-01; 1 file, -0/+2)

  AVC

    avc: denied { read } for pid=770 comm="mkdir" name="filesystems" dev="proc" ino=4026532069 scontext=system_u:system_r:consolesetup_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* systemd: logind update (Christian Göttsche, 2024-03-01; 1 file, -0/+3)

    type=PROCTITLE msg=audit(21/02/24 23:31:52.659:83) : proctitle=/usr/lib/systemd/systemd-logind
    type=SYSCALL msg=audit(21/02/24 23:31:52.659:83) : arch=x86_64 syscall=recvmsg success=yes exit=24 a0=0xf a1=0x7ffdec4e7bc0 a2=MSG_DONTWAIT|MSG_CMSG_CLOEXEC a3=0x0 items=0 ppid=1 pid=909 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-logind exe=/usr/lib/systemd/systemd-logind subj=system_u:system_r:systemd_logind_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 23:31:52.659:83) : avc: denied { use } for pid=909 comm=systemd-logind path=anon_inode:[pidfd] dev="anon_inodefs" ino=1051 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=1

  p.s.: this might need an overhaul after pidfd handling in the kernel has been improved.

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* udev: update (Christian Göttsche, 2024-03-01; 2 files, -0/+33)

  AVC

    avc: denied { create } for pid=685 comm="ifquery" name="network" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* systemd: generator updates (Christian Göttsche, 2024-03-01; 2 files, -1/+22)

    type=1400 audit(1708552475.580:3): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/etc/init.d/auditd" dev="vda1" ino=262124 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_initrc_exec_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:4): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/auditd.service" dev="vda1" ino=395421 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:auditd_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:5): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/etc/init.d/vnstat" dev="vda1" ino=261247 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_initrc_exec_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:6): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/vnstat.service" dev="vda1" ino=394196 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:vnstatd_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.580:7): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/dbus-broker.service" dev="vda1" ino=394383 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:dbusd_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.584:8): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/qemu-guest-agent.service" dev="vda1" ino=392981 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:qemu_unit_t:s0 tclass=file permissive=1
    type=1400 audit(1708552475.584:9): avc: denied { getattr } for pid=528 comm="systemd-sysv-ge" path="/usr/lib/systemd/system/ssh.service" dev="vda1" ino=393521 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:sshd_unit_t:s0 tclass=file permissive=1

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* fs: add support for virtiofs (Christian Göttsche, 2024-03-01; 1 file, -0/+11)

  Adopted from https://github.com/fedora-selinux/selinux-policy/commit/5580e9a576f759820dbc3387961ce58a959221dc

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* vnstatd: update (Christian Göttsche, 2024-03-01; 1 file, -0/+1)

    type=PROCTITLE msg=audit(21/02/24 22:54:36.792:69) : proctitle=/usr/sbin/vnstatd -n
    type=PATH msg=audit(21/02/24 22:54:36.792:69) : item=0 name=/dev/urandom inode=18 dev=00:2b mode=character,666 ouid=root ogid=root rdev=01:09 obj=system_u:object_r:urandom_device_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(21/02/24 22:54:36.792:69) : cwd=/
    type=SYSCALL msg=audit(21/02/24 22:54:36.792:69) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7f197cc66865 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=900 auid=unset uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc: denied { open } for pid=900 comm=vnstatd path=/dev/urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1
    type=AVC msg=audit(21/02/24 22:54:36.792:69) : avc: denied { read } for pid=900 comm=vnstatd name=urandom dev=tmpfs ino=18 scontext=system_u:system_r:vnstatd_t:s0 tcontext=system_u:object_r:urandom_device_t:s0 tclass=chr_file permissive=1

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* systemd: binfmt updates (Christian Göttsche, 2024-03-01; 2 files, -0/+43)

    type=PROCTITLE msg=audit(21/02/24 22:54:36.708:53) : proctitle=/usr/lib/systemd/systemd-binfmt
    type=SYSCALL msg=audit(21/02/24 22:54:36.708:53) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x5 a1=0x7ffc547fbda0 a2=0x0 a3=0x0 items=0 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 22:54:36.708:53) : avc: denied { getattr } for pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=filesystem permissive=1

    type=PROCTITLE msg=audit(21/02/24 22:54:36.708:54) : proctitle=/usr/lib/systemd/systemd-binfmt
    type=PATH msg=audit(21/02/24 22:54:36.708:54) : item=0 name=/proc/self/fd/4 inode=1 dev=00:27 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:binfmt_misc_fs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(21/02/24 22:54:36.708:54) : cwd=/
    type=SYSCALL msg=audit(21/02/24 22:54:36.708:54) : arch=x86_64 syscall=access success=yes exit=0 a0=0x7ffc547fbdf0 a1=W_OK a2=0x0 a3=0x0 items=1 ppid=1 pid=694 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-binfmt exe=/usr/lib/systemd/systemd-binfmt subj=system_u:system_r:systemd_binfmt_t:s0 key=(null)
    type=AVC msg=audit(21/02/24 22:54:36.708:54) : avc: denied { write } for pid=694 comm=systemd-binfmt name=/ dev=binfmt_misc ino=1 scontext=system_u:system_r:systemd_binfmt_t:s0 tcontext=system_u:object_r:binfmt_misc_fs_t:s0 tclass=dir permissive=1

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* fs: mark memory pressure type as file (Christian Göttsche, 2024-03-01; 1 file, -0/+1)

  Associate the type memory_pressure_t with the attribute file_type, so all attribute-based rules apply, e.g. for unconfined_t.

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* userdom: permit reading PSI as admin (Christian Göttsche, 2024-03-01; 1 file, -0/+1)

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* selinuxutil: ignore getattr proc in newrole (Christian Göttsche, 2024-03-01; 1 file, -0/+1)

    type=PROCTITLE msg=audit(02/21/24 22:42:44.555:112) : proctitle=newrole -r sysadm_r
    type=SYSCALL msg=audit(02/21/24 22:42:44.555:112) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffc75fe1990 a2=0x0 a3=0x0 items=0 ppid=946 pid=1001 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=newrole exe=/usr/bin/newrole subj=root:staff_r:newrole_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(02/21/24 22:42:44.555:112) : avc: denied { getattr } for pid=1001 comm=newrole name=/ dev=proc ino=1 scontext=root:staff_r:newrole_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* selinuxutil: setfiles updates (Christian Göttsche, 2024-03-01; 2 files, -0/+21)

    type=PROCTITLE msg=audit(21/02/24 22:31:50.044:122) : proctitle=restorecon -vRn -T0 /
    type=SYSCALL msg=audit(21/02/24 22:31:50.044:122) : arch=x86_64 syscall=sched_getaffinity success=yes exit=8 a0=0x0 a1=0x1000 a2=0x7fc235649bf0 a3=0x0 items=0 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(21/02/24 22:31:50.044:122) : avc: denied { getsched } for pid=13398 comm=restorecon scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process permissive=1

    type=PROCTITLE msg=audit(21/02/24 22:31:55.040:123) : proctitle=restorecon -vRn -T0 /
    type=PATH msg=audit(21/02/24 22:31:55.040:123) : item=0 name=/sys/fs/cgroup/user.slice/user-0.slice/user@0.service/memory.pressure inode=2455 dev=00:1b mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:memory_pressure_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(21/02/24 22:31:55.040:123) : cwd=/root/workspace/selinux/refpolicy/refpolicy
    type=SYSCALL msg=audit(21/02/24 22:31:55.040:123) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x557264466530 a2=0x7fc2004cacc0 a3=0x100 items=1 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(21/02/24 22:31:55.040:123) : avc: denied { getattr } for pid=13398 comm=restorecon path=/sys/fs/cgroup/user.slice/user-0.slice/user@0.service/memory.pressure dev="cgroup2" ino=2455 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_pressure_t:s0 tclass=file permissive=1

    type=PROCTITLE msg=audit(21/02/24 22:32:15.512:126) : proctitle=restorecon -vRFn -T0 /usr/
    type=PATH msg=audit(21/02/24 22:32:15.512:126) : item=0 name=/proc/sys/vm/overcommit_memory inode=41106 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_overcommit_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(21/02/24 22:32:15.512:126) : cwd=/root/workspace/selinux/refpolicy/refpolicy
    type=SYSCALL msg=audit(21/02/24 22:32:15.512:126) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7f59f7316810 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1103 pid=13491 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { open } for pid=13491 comm=restorecon path=/proc/sys/vm/overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1
    type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { read } for pid=13491 comm=restorecon name=overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* virt: label qemu configuration directory (Christian Göttsche, 2024-03-01; 1 file, -0/+2)

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* policy_capabilities: remove estimated from released versions (Christian Göttsche, 2024-03-01; 1 file, -1/+1)

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* Support multi-line interface calls (Christian Göttsche, 2024-03-01; 1 file, -4/+9)

  Support splitting the call of an interface over multiple lines, e.g. for interfaces with a long list as argument:

    term_control_unallocated_ttys(udev_t, {
        ioctl_kdgkbtype
        ioctl_kdgetmode
        ioctl_pio_unimap
        ioctl_pio_unimapclr
        ioctl_kdfontop
        ioctl_tcgets
    })

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* fix misc typos (Christian Göttsche, 2024-03-01; 2 files, -2/+2)

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* access_vectors: define io_uring { cmd } (Christian Göttsche, 2024-03-01; 1 file, -0/+1)

  Added in Linux 6.0.

  Link: https://github.com/SELinuxProject/selinux-kernel/commit/f4d653dcaa4e4056e1630423e6a8ece4869b544f

  Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* cloudinit: Add permissions derived from sysadm. (Chris PeBenito, 2024-03-01; 15 files, -26/+1216)

  Allow a similar amount of admin capability to cloud-init as sysadm. Also add a tunable to allow non-security file management for fallback.

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* systemd: Updates for systemd-locale. (Chris PeBenito, 2024-03-01; 1 file, -0/+5)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* cloud-init: Change udev rules (Chris PeBenito, 2024-03-01; 1 file, -0/+1)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* cloud-init: Add systemd permissions. (Chris PeBenito, 2024-03-01; 2 files, -4/+27)

  Additional access for controlling systemd units and logind dbus chat.

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* cloud-init: Allow use of sudo in runcmd. (Chris PeBenito, 2024-03-01; 2 files, -0/+33)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* chronyd: Read /dev/urandom. (Chris PeBenito, 2024-03-01; 1 file, -0/+1)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* unconfined: Add remaining watch_* permissions. (Chris PeBenito, 2024-03-01; 4 files, -29/+29)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* usermanage: Handle symlinks in /usr/share/cracklib. (Chris PeBenito, 2024-03-01; 2 files, -0/+2)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* kdump: Fixes from testing kdumpctl. (Chris PeBenito, 2024-03-01; 1 file, -0/+15)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* cloudinit: Add support for installing RPMs and setting passwords. (Chris PeBenito, 2024-03-01; 3 files, -0/+35)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* files: Handle symlinks for /media and /srv. (Chris PeBenito, 2024-03-01; 1 file, -1/+2)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* usermanage: Add sysctl access for groupadd to get number of groups. (Chris PeBenito, 2024-03-01; 1 file, -0/+4)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* sysnetwork: ifconfig searches debugfs. (Chris PeBenito, 2024-03-01; 1 file, -0/+1)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* selinuxutil: Semanage reads policy for export. (Chris PeBenito, 2024-03-01; 1 file, -0/+1)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* init: Allow nnp/nosuid transitions from systemd initrc_t. (Chris PeBenito, 2024-03-01; 1 file, -0/+2)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* rpm: Minor fixes (Chris PeBenito, 2024-03-01; 1 file, -1/+3)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* systemd: Minor coredump fixes. (Chris PeBenito, 2024-03-01; 2 files, -7/+24)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* Container: Minor fixes from interactive container use. (Chris PeBenito, 2024-03-01; 3 files, -1/+29)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* kernel: hv_utils shutdown on systemd systems. (Chris PeBenito, 2024-03-01; 1 file, -0/+5)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* systemd: systemd-cgroups reads kernel.cap_last_cap sysctl. (Chris PeBenito, 2024-03-01; 1 file, -0/+3)

  Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* domain: Manage own fds. (Chris PeBenito, 2024-03-01; 1 file, -3/+4)

  Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* kubernetes: allow kubelet to apply fsGroup to persistent volumes (Kenton Groombridge, 2024-03-01; 2 files, -0/+23)

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* container: allow spc to map kubernetes runtime files (Kenton Groombridge, 2024-03-01; 2 files, -0/+19)

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* crio: allow reading container home content (Kenton Groombridge, 2024-03-01; 2 files, -2/+22)

  CRI-O will read container registry configuration data from the running user's home (root) and will abort if unable to do so.

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* systemd: allow systemd generator to list exports (Kenton Groombridge, 2024-03-01; 1 file, -0/+1)

  This is needed now that /etc/exports.d is labeled appropriately.

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* dbus: allow the system bus to get the status of generic units (Kenton Groombridge, 2024-03-01; 1 file, -0/+3)

  dbus-broker checks the status of systemd-logind.

    type=USER_AVC msg=audit(1705109503.237:123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=101 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* rpc: fix not labeling exports.d directory (Kenton Groombridge, 2024-03-01; 1 file, -1/+1)

  Fix the filecon for /etc/exports.d to also label the directory itself.

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* bootloader, init, udev: misc minor fixes (Kenton Groombridge, 2024-03-01; 3 files, -2/+4)

  Resolve these AVCs seen during early boot with systemd 255:

    Jan 12 15:42:02 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092122.714:4): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0
    Jan 12 15:42:03 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092123.656:7): avc: denied { setrlimit } for pid=2578 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=process permissive=0
    Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.960:9): avc: denied { write } for pid=2629 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
    Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.961:10): avc: denied { write } for pid=2629 comm="sysctl" name="nlm_udpport" dev="proc" ino=31905 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
    Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.963:11): avc: denied { write } for pid=2632 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
    Jan 12 15:42:08 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092128.530:16): avc: denied { net_admin } for pid=3033 comm="bootctl" capability=12 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:bootloader_t:s0 tclass=capability permissive=0

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* systemd: label systemd-tpm2-setup as systemd-pcrphase (Kenton Groombridge, 2024-03-01; 1 file, -0/+1)

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* init: allow using system bus anon pidfs (Kenton Groombridge, 2024-03-01; 1 file, -0/+1)

  Seen with systemd 255. This initially did not seem to impact anything, but after a while I found that the kubernetes kubelet agent would not start without this access.

    type=AVC msg=audit(1705092131.239:37): avc: denied { use } for pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=0

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* kernel: allow managing mouse devices (Kenton Groombridge, 2024-03-01; 2 files, -0/+21)

  Seen with systemd 255.

    type=AVC msg=audit(1705092132.309:64): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/input/mouse0" dev="devtmpfs" ino=328 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
    type=AVC msg=audit(1705108275.269:52): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
    type=AVC msg=audit(1705108275.269:53): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* zfs: allow zfs to write to exports (Kenton Groombridge, 2024-03-01; 2 files, -0/+21)

  Needed by zfs-mount.service.

    type=PROCTITLE msg=audit(1705092131.987:49): proctitle=2F7362696E2F7A6673007368617265002D61
    type=SYSCALL msg=audit(1705092131.987:49): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=665f44189eba a2=80042 a3=180 items=0 ppid=1 pid=3082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zfs" exe="/usr/bin/zfs" subj=system_u:system_r:zfs_t:s0 key=(null)
    type=AVC msg=audit(1705092131.987:49): avc: denied { write } for pid=3082 comm="zfs" name="zfs.exports.lock" dev="dm-0" ino=1296 scontext=system_u:system_r:zfs_t:s0 tcontext=system_u:object_r:exports_t:s0 tclass=file permissive=0

  Signed-off-by: Kenton Groombridge <concord@gentoo.org>