Various fixes #787
Conversation
For the systemd user manager containers access, I have so far only added the template and the access needed for the systemd generator to fire, but I haven't tested actually running a container just yet. Any permissions still needed will go there.
policy/modules/services/container.te
@@ -317,6 +317,7 @@ allow container_domain container_ro_file_t:sock_file read_sock_file_perms; | |||
fs_tmpfs_filetrans(container_domain, container_tmpfs_t, { dir file fifo_file lnk_file sock_file }) | |||
manage_dirs_pattern(container_domain, container_tmpfs_t, container_tmpfs_t) | |||
mmap_manage_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t) | |||
exec_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t) |
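Review bot: the added exec_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t) line grants execute_no_trans on container_tmpfs_t files as well as execute, which lets a container domain run a tmpfs-backed file in its own domain without a transition; the context line above already grants mmap_manage_files_pattern, so if only execute is needed for mapping, mmap_exec_files_pattern(container_domain, container_tmpfs_t, container_tmpfs_t) is the narrower call and should replace this line.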
Is the full execute_no_trans needed or only execute?
Yes, only execute is needed. Changing this accordingly.
In that case, you want mmap_exec_files_pattern instead of can_exec.
This is to avoid a long timeout in pam_systemd when logging on. This is the second half of the fix described in ddc6ac4.

Signed-off-by: Kenton Groombridge <[email protected]>
ip wants to read files in /usr/share/iproute2.

type=AVC msg=audit(1715785441.968:297208): avc: denied { read } for pid=3559095 comm="ip" name="group" dev="dm-1" ino=1075055 scontext=staff_u:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <[email protected]>
sudo sends a SIGWINCH to child processes when invoked. If an administrator uses sudo in the fashion of "sudo su - root", sudo will send a signal to the corresponding su process.

type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74
type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=AVC msg=audit(1715721229.386:293930): avc: denied { signal } for pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0

Signed-off-by: Kenton Groombridge <[email protected]>
Commit 4e7511f previously added access for init to use DBUS system bus file descriptors while the intended access was for pidfds. Add an interface for pidfd usage so that when pidfds are eventually handled separately from regular fds, this interface can be adjusted.

Signed-off-by: Kenton Groombridge <[email protected]>
ping will check whether IPv6 is disabled.

Signed-off-by: Kenton Groombridge <[email protected]>
type=AVC msg=audit(1719451104.395:18364): avc: denied { watch } for pid=288883 comm="deliver" path="/var/spool/mail/domains/concord.sh/[email protected]/mail/dovecot-uidlist.lock" dev="dm-0" ino=17638966 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0

Signed-off-by: Kenton Groombridge <[email protected]>
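Several of the commits in this pull request (the ip, sudo and deliver ones) quote raw audit records and then hand-derive the policy access they need. The following is an added example, not code from this pull request or from refpolicy: a small parser that reads AVC denial records, ties the PROCTITLE record of the same event to its denial by audit serial number, decodes the hex-encoded command line, and sketches the raw TE rule the denial corresponds to. The sample records are constructed from the ones quoted above; the mail spool path in the last record is shortened to a placeholder because the original path contains a mailbox name.

```python
import re
from typing import Dict, List

# Constructed sample input, taken from the audit records quoted in this pull
# request. The PROCTITLE and SYSCALL records share the AVC's serial number
# (the number after the colon in msg=audit(ts:serial)), which is how audit
# groups the records of one event. The last path is a shortened placeholder.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1715785441.968:297208): avc: denied { read } for pid=3559095 comm="ip" name="group" dev="dm-1" ino=1075055 scontext=staff_u:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74
type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=AVC msg=audit(1715721229.386:293930): avc: denied { signal } for pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0
type=AVC msg=audit(1719451104.395:18364): avc: denied { watch } for pid=288883 comm="deliver" path="/var/spool/mail/EXAMPLE/dovecot-uidlist.lock" dev="dm-0" ino=17638966 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'^type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): '
    r'avc:\s+denied\s+\{ (?P<perms>[^}]*)\} for (?P<rest>.*)$'
)
PROCTITLE_RE = re.compile(
    r'^type=PROCTITLE msg=audit\([\d.]+:(?P<serial>\d+)\): proctitle=(?P<val>\S+)$'
)
# key=value pairs; values are either double-quoted or run to the next space.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def decode_proctitle(value: str) -> str:
    """PROCTITLE is hex-encoded whenever argv contains NUL separators.
    Decode it and join the arguments with spaces; quoted values pass through."""
    if value.startswith('"'):
        return value.strip('"')
    raw = bytes.fromhex(value)
    return ' '.join(p.decode('utf-8', 'replace') for p in raw.split(b'\0') if p)


def type_of(context: str) -> str:
    """user:role:type[:range] -> type (the part a TE rule names)."""
    return context.split(':')[2]


def parse_audit(text: str) -> List[dict]:
    """Return one dict per AVC denial. Each dict carries the key=value fields
    of the record, 'perms' as a list, and 'cmdline' from the PROCTITLE record
    with the same serial (empty string if there is none)."""
    proctitles: Dict[str, str] = {}
    avcs: List[dict] = []
    for line in text.splitlines():
        m = PROCTITLE_RE.match(line)
        if m:
            proctitles[m.group('serial')] = decode_proctitle(m.group('val'))
            continue
        m = AVC_RE.match(line)
        if not m:
            continue  # SYSCALL and other record types are not needed here
        rec = {'serial': m.group('serial'), 'perms': m.group('perms').split()}
        for key, val in FIELD_RE.findall(m.group('rest')):
            rec[key] = val.strip('"')
        avcs.append(rec)
    for rec in avcs:
        rec['cmdline'] = proctitles.get(rec['serial'], '')
    return avcs


def suggest_rule(rec: dict) -> str:
    """Sketch the raw TE rule a denial maps to. In refpolicy the actual fix is
    an interface call in the target type's module, not a bare allow, but the
    rule shows the source type, target type, class and permissions involved."""
    return 'allow %s %s:%s { %s };' % (
        type_of(rec['scontext']), type_of(rec['tcontext']),
        rec['tclass'], ' '.join(rec['perms']))


if __name__ == '__main__':
    for rec in parse_audit(SAMPLE_AUDIT):
        flag = ' (permissive)' if rec.get('permissive') == '1' else ''
        print('%-14s %-20s %s%s' % (rec.get('comm', '?'), rec['cmdline'],
                                    suggest_rule(rec), flag))
```

Two details the parser makes visible that the raw records hide: the hex proctitle decodes to the exact "sudo su - root" invocation the commit message describes, and on x86_64 (arch=c000003e) syscall 62 is kill(2) with a1=1c, that is signal 28, SIGWINCH, so the SYSCALL record confirms which signal was denied. The permissive=0 field is worth keeping in any triage output: a denial logged under permissive=1 was not actually blocked.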
For NFS mounts.

Signed-off-by: Kenton Groombridge <[email protected]>
More various fixes, of note:
sudo su