type=PROCTITLE msg=audit(21/02/24 22:31:50.044:122) : proctitle=restorecon -vRn -T0 /
type=SYSCALL msg=audit(21/02/24 22:31:50.044:122) : arch=x86_64 syscall=sched_getaffinity success=yes exit=8 a0=0x0 a1=0x1000 a2=0x7fc235649bf0 a3=0x0 items=0 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:31:50.044:122) : avc: denied { getsched } for pid=13398 comm=restorecon scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tclass=process permissive=1
type=PROCTITLE msg=audit(21/02/24 22:31:55.040:123) : proctitle=restorecon -vRn -T0 /
type=PATH msg=audit(21/02/24 22:31:55.040:123) : item=0 name=/sys/fs/cgroup/user.slice/user-0.slice/user@0.service/memory.pressure inode=2455 dev=00:1b mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:memory_pressure_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:31:55.040:123) : cwd=/root/workspace/selinux/refpolicy/refpolicy
type=SYSCALL msg=audit(21/02/24 22:31:55.040:123) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x557264466530 a2=0x7fc2004cacc0 a3=0x100 items=1 ppid=1103 pid=13398 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:31:55.040:123) : avc: denied { getattr } for pid=13398 comm=restorecon path=/sys/fs/cgroup/user.slice/user-0.slice/user@0.service/memory.pressure dev="cgroup2" ino=2455 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:memory_pressure_t:s0 tclass=file permissive=1
type=PROCTITLE msg=audit(21/02/24 22:32:15.512:126) : proctitle=restorecon -vRFn -T0 /usr/
type=PATH msg=audit(21/02/24 22:32:15.512:126) : item=0 name=/proc/sys/vm/overcommit_memory inode=41106 dev=00:16 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_overcommit_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(21/02/24 22:32:15.512:126) : cwd=/root/workspace/selinux/refpolicy/refpolicy
type=SYSCALL msg=audit(21/02/24 22:32:15.512:126) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x7f59f7316810 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1103 pid=13491 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=restorecon exe=/usr/sbin/setfiles subj=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { open } for pid=13491 comm=restorecon path=/proc/sys/vm/overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1
type=AVC msg=audit(21/02/24 22:32:15.512:126) : avc: denied { read } for pid=13491 comm=restorecon name=overcommit_memory dev="proc" ino=41106 scontext=unconfined_u:unconfined_r:setfiles_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_vm_overcommit_t:s0 tclass=file permissive=1
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
In case of a non-default toolchain also set the environment variable
PYTHONPATH to run sepolgen related python code from that toolchain.
See scripts/env_use_destdir in the SELinux userland repository.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
When building with a non-default toolchain by setting the environment
variable TEST_TOOLCHAIN also use the sepolgen-ifgen helper binary
sepolgen-ifgen-attr-helper from this toolchain.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Save the result of the m4 command into a temporary file and split the
commands, to avoid ignoring failures of the first command.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
On install pre-compile the file contexts.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Support splitting the call of an interface over multiple lines, e.g. for
interfaces with a long list as argument:
term_control_unallocated_ttys(udev_t, {
ioctl_kdgkbtype
ioctl_kdgetmode
ioctl_pio_unimap
ioctl_pio_unimapclr
ioctl_kdfontop
ioctl_tcgets
})
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Added in Linux 6.0.
Link: https://github.com/SELinuxProject/selinux-kernel/commit/f4d653dcaa4e4056e1630423e6a8ece4869b544f
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Allow a similar amount of admin capability to cloud-init as sysadm. Also add
a tunable to allow non-security file management for fallback.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Additional access for controlling systemd units and logind dbus chat.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
CRI-O will read container registry configuration data from the running
user's home (root) and will abort if unable to do so.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
This is needed now that /etc/exports.d is labeled appropriately.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
dbus-broker checks the status of systemd-logind.
type=USER_AVC msg=audit(1705109503.237:123): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc: denied { status } for auid=n/a uid=0 gid=101 path="/usr/lib/systemd/system/systemd-logind.service" cmdline="/usr/bin/dbus-broker-launch --scope system --audit" function="reply_unit_path" scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:systemd_unit_t:s0 tclass=service permissive=1 exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Fix the filecon for /etc/exports.d to also label the directory itself.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Resolve these AVCs seen during early boot with systemd 255:
Jan 12 15:42:02 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092122.714:4): avc: denied { create } for pid=1 comm="systemd" scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=netlink_netfilter_socket permissive=0
Jan 12 15:42:03 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092123.656:7): avc: denied { setrlimit } for pid=2578 comm="systemd-udevd" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:system_r:udev_t:s0 tclass=process permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.960:9): avc: denied { write } for pid=2629 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.961:10): avc: denied { write } for pid=2629 comm="sysctl" name="nlm_udpport" dev="proc" ino=31905 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:04 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092124.963:11): avc: denied { write } for pid=2632 comm="sysctl" name="nlm_tcpport" dev="proc" ino=31904 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:sysctl_fs_t:s0 tclass=file permissive=0
Jan 12 15:42:08 rem.fuwafuwatime.moe kernel: audit: type=1400 audit(1705092128.530:16): avc: denied { net_admin } for pid=3033 comm="bootctl" capability=12 scontext=system_u:system_r:bootloader_t:s0 tcontext=system_u:system_r:bootloader_t:s0 tclass=capability permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Seen with systemd 255. This initially did not seem to impact anything,
but after a while I found that the kubernetes kubelet agent would not
start without this access.
type=AVC msg=audit(1705092131.239:37): avc: denied { use } for pid=1 comm="systemd" path="anon_inode:[pidfd]" dev="anon_inodefs" ino=10 scontext=system_u:system_r:init_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0 tclass=fd permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Seen with systemd 255.
type=AVC msg=audit(1705092132.309:64): avc: denied { getattr } for pid=178 comm="kdevtmpfs" path="/input/mouse0" dev="devtmpfs" ino=328 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1705108275.269:52): avc: denied { setattr } for pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
type=AVC msg=audit(1705108275.269:53): avc: denied { unlink } for pid=178 comm="kdevtmpfs" name="mouse0" dev="devtmpfs" ino=327 scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:object_r:mouse_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Needed by zfs-mount.service.
type=PROCTITLE msg=audit(1705092131.987:49): proctitle=2F7362696E2F7A6673007368617265002D61
type=SYSCALL msg=audit(1705092131.987:49): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=665f44189eba a2=80042 a3=180 items=0 ppid=1 pid=3082 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="zfs" exe="/usr/bin/zfs" subj=system_u:system_r:zfs_t:s0 key=(null)
type=AVC msg=audit(1705092131.987:49): avc: denied { write } for pid=3082 comm="zfs" name="zfs.exports.lock" dev="dm-0" ino=1296 scontext=system_u:system_r:zfs_t:s0 tcontext=system_u:object_r:exports_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Label the systemd-pcrlock binary as systemd_pcrphase_exec_t.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
The kubelet routinely measures metrics and accounting for all
containers which involves calculating resource utilization for both
running containers and the contents of their images on disk.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
systemd-machine-id-setup's role is to commit the host's machine id
to /etc/machine-id. The behavior of this process has changed slightly,
whereby a tmpfs is temporarily created on top of /etc/machine-id during
boot which is then read by systemd-machine-id-setup and written directly
to the underlying file.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
This is triggered when rook-ceph creates its OSDs.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>