Various fixes #787
Merged
Various fixes #787
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
For the systemd user manager containers access, I have so far only added the template and the access needed for the systemd generator to fire, but I haven't tested actually running a container just yet. Any permissions still needed will go there. |
pebenito
requested changes
Jun 27, 2024
policy/modules/services/container.te
Outdated
| @@ -317,6 +317,7 @@ allow container_domain container_ro_file_t:sock_file read_sock_file_perms; | |||
| fs_tmpfs_filetrans(container_domain, container_tmpfs_t, { dir file fifo_file lnk_file sock_file }) | |||
| manage_dirs_pattern(container_domain, container_tmpfs_t, container_tmpfs_t) | |||
| mmap_manage_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t) | |||
| exec_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t) | |||
There was a problem hiding this comment.
Is the full execute_no_trans needed or only execute?
There was a problem hiding this comment.
Yes, only execute is needed. Changing this accordingly.
There was a problem hiding this comment.
In that case, you want mmap_exec_files_pattern instead of can_exec.
This is to avoid a long timeout in pam_systemd when logging on. This is the second half of the fix described in ddc6ac4. Signed-off-by: Kenton Groombridge <[email protected]>
ip wants to read files in /usr/share/iproute2.
type=AVC msg=audit(1715785441.968:297208): avc: denied { read } for pid=3559095 comm="ip" name="group" dev="dm-1" ino=1075055 scontext=staff_u:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
sudo sends a SIGWINCH to child processes when invoked. If an
administrator uses sudo in the fashion of "sudo su - root", sudo will
send a signal to the corresponding su process.
type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74
type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=AVC msg=audit(1715721229.386:293930): avc: denied { signal } for pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
Commit 4e7511f previously added access for init to use DBUS system bus file descriptors while the intended access was for pidfds. Add an interface for pidfd usage so that when pidfds are eventually handled separately from regular fds, this interface can be adjusted. Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
0xC0ncord
force-pushed
the
various/20240515
branch
from
afcc9b6
to
723bd7d
Compare
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
ping will check whether IPv6 is disabled. Signed-off-by: Kenton Groombridge <[email protected]>
type=AVC msg=audit(1719451104.395:18364): avc: denied { watch } for pid=288883 comm="deliver" path="/var/spool/mail/domains/concord.sh/[email protected]/mail/dovecot-uidlist.lock" dev="dm-0" ino=17638966 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <[email protected]>
Signed-off-by: Kenton Groombridge <[email protected]>
For NFS mounts. Signed-off-by: Kenton Groombridge <[email protected]>
0xC0ncord
force-pushed
the
various/20240515
branch
from
723bd7d
to
0126cb1
Compare
pebenito
approved these changes
Jun 28, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
More various fixes, of note:
sudo su