Various fixes #741
Merged
Various fixes #741
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
If gluster ever experiences data corruption on its underlying bricks, a situation may arise where the corrupted files have bad or missing xattrs and are therefore presented as unlabeled to SELinux. Gluster will then be unable to repair these files until the access is allowed or the user manually relabels these files. Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
pebenito
requested changes
Jan 2, 2024
0xC0ncord
force-pushed
the
various-20231217
branch
from
4254d3b to
e9654bf
Compare
pebenito
reviewed
Jan 9, 2024
policy/modules/kernel/kernel.te
Outdated
| @@ -390,10 +390,14 @@ ifdef(`init_systemd',` | |||
| ') | |||
|
|
|||
| optional_policy(` | |||
| dev_getattr_generic_usb_dev(kernel_t) | |||
There was a problem hiding this comment.
The getattr is also provided by dev_delete_generic_usb_dev(kernel_t); see delete_chr_file_perms.
There was a problem hiding this comment.
Thanks for catching this. This is supposed to be setattr instead.
0xC0ncord
force-pushed
the
various-20231217
branch
from
e9654bf to
8cec6fa
Compare
As of systemd 255, services are no longer forked from PID 1 but instead are spawned by a new systemd-executor helper binary. Label this binary accordingly and add a rule for systemd user session domains to use it. Closes: SELinuxProject#732 Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Seems to be needed as of systemd 255 for writing to /run/systemd/private. Signed-off-by: Kenton Groombridge <[email protected]>
Add new required accesses for systemd-pcrphase and label the new systemd-pcrextend under the same domain. Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Fixes for su to allow writing to faillog, lastlog, and wtmp. Signed-off-by: Kenton Groombridge <[email protected]>
Seen with systemd 255.
type=AVC msg=audit(1702835409.236:64): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bsg/17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:65): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.236:66): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="17:0:0:0" dev="devtmpfs" ino=350 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:scsi_generic_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:69): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/bus/usb/001/002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:70): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
type=AVC msg=audit(1702835409.496:71): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="002" dev="devtmpfs" ino=314 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:usb_device_t:s0 tclass=chr_file permissive=1
Signed-off-by: Kenton Groombridge <[email protected]>
0xC0ncord
force-pushed
the
various-20231217
branch
from
8cec6fa to
0f6361d
Compare
pebenito
approved these changes
Jan 10, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Some various fixes including changes needed to fix new AVCs with systemd 255.
With this set of changes we also implement the proposed fix in #732.