| Commit message | Author | Age | Files | Lines |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Minor fixes for phpfpm and add several new tunables, primarily designed
to get various webapps working under SELinux.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Various fixes for nginx, and also allow nginx to list and read user home
content given that the httpd_read_user_content boolean is enabled.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
When portage syncs a repo with git, git will mmap() ebuild files. Allow
portage to map ebuild files to fix permission denied errors on syncing.
Bug: https://bugs.gentoo.org/833017
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Bug: https://bugs.gentoo.org/840230
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Bug: https://bugs.gentoo.org/840230
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Tried a partial revert in order to match upstream but validation still
fails so fully revert again.
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Seeing error:
Failed to initalize SELinux labeling handle: No such file or directory
but no denials. With strace (and looking at source) found it is
opening /etc/selinux/config
openat(AT_FDCWD, "/etc/selinux/config", O_RDONLY|O_CLOEXEC) = 3
but that was dontaudited.
allow systemd_update_done_t file_type:filesystem getattr;
allow systemd_update_done_t selinux_config_t:dir { getattr open search };
dontaudit systemd_update_done_t selinux_config_t:dir { getattr open search };
dontaudit systemd_update_done_t selinux_config_t:file { getattr ioctl lock open read };
These changes fix the issue.
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
node=localhost type=AVC msg=audit(1661480051.880:321): avc: denied { create } for pid=1027 comm="(d-logind)" name="linger" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:systemd_logind_var_lib_t:s0 tclass=dir permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
node=localhost type=USER_AVC msg=audit(1661536843.099:11666): pid=1037 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=system_u:system_r:firewalld_t:s0 tcontext=toor_u:sysadm_r:sysadm_t:s0 tclass=dbus permissive=1 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
node=localhost type=USER_AVC msg=audit(1661536101.833:8373): pid=1037 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: denied { send_msg } for scontext=toor_u:sysadm_r:sysadm_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-broker" sauid=81 hostname=? addr=? terminal=?'UID="dbus" AUID="unset" SAUID="dbus"
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
node=localhost type=AVC msg=audit(1661536245.787:9531): avc: denied { write } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc: denied { map } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661536245.788:9532): avc: denied { read execute } for pid=1008 comm="firewalld" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=2564 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
node=localhost type=AVC msg=audit(1661468040.428:439): avc: denied { module_request } for pid=1009 comm="firewalld" kmod="nft-chain-1-nat" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
node=localhost type=AVC msg=audit(1661396059.060:376): avc: denied { create } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.060:377): avc: denied { setopt } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.436:398): avc: denied { write } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.436:399): avc: denied { read } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
node=localhost type=AVC msg=audit(1661396059.437:400): avc: denied { getopt } for pid=1014 comm="firewalld" scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:system_r:firewalld_t:s0 tclass=netlink_netfilter_socket permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
node=localhost type=AVC msg=audit(1661396058.360:317): avc: denied { search } for pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661396058.360:317): avc: denied { read } for pid=1014 comm="firewalld" name="fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.360:317): avc: denied { open } for pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.361:318): avc: denied { getattr } for pid=1014 comm="firewalld" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10511 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661396058.664:340): avc: denied { search } for pid=1014 comm="firewalld" name="crypto" dev="proc" ino=10510 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { search } for pid=1031 comm="usbguard-daemon" name="crypto" dev="proc" ino=20463 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { read } for pid=1031 comm="usbguard-daemon" name="fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661391275.238:339): avc: denied { open } for pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661391275.238:340): avc: denied { getattr } for pid=1031 comm="usbguard-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=20464 scontext=system_u:system_r:usbguard_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
With RHEL9, /etc/crypto-policies/back-ends are symlinks to /usr/share/crypto-policies/*/*
node=localhost type=AVC msg=audit(1661344395.351:395): avc: denied { getattr } for pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc: denied { read } for pid=1014 comm="chronyd" name="gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344395.351:396): avc: denied { open } for pid=1014 comm="chronyd" path="/usr/share/crypto-policies/FIPS/gnutls.txt" dev="dm-0" ino=402142 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
node=localhost type=AVC msg=audit(1661344394.902:355): avc: denied { search } for pid=1014 comm="chronyd" name="crypto" dev="proc" ino=10742 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc: denied { read } for pid=1014 comm="chronyd" name="fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:355): avc: denied { open } for pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661344394.902:356): avc: denied { getattr } for pid=1014 comm="chronyd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10743 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
With RHEL9, /etc/crypto-policies/back-ends are symlinks to /usr/share/crypto-policies/*/*
node=localhost type=AVC msg=audit(1661303919.946:335): avc: denied { getattr } for pid=1025 comm="ssh-keygen" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc: denied { read } for pid=1025 comm="ssh-keygen" name="opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1661303919.946:336): avc: denied { open } for pid=1025 comm="ssh-keygen" path="/usr/share/crypto-policies/FIPS/opensslcnf.txt" dev="dm-0" ino=396589 scontext=system_u:system_r:ssh_keygen_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Change to refpolicy interfaces and fix optional blocks.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
This is used by cloud providers to set up VMs during deployment.
https://github.com/canonical/cloud-init
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Adds necessary baseline permissions for the command.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
interfaces
Historically, these calls were needed because the interfaces provided an
attribute used to check various assertions. However, that attribute was
dropped in 2005 with commit 15fefa4.
Keeping these calls in prevents removing these permissions from a call
to files_manage_all_files() with the $2 argument.
Signed-off-by: Daniel Burgener <dburgener@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Add more comments.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Collapse file constraints as they are equivalent due to the same expressions.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Pat Riehecky <riehecky@fnal.gov>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
This is needed for console/serial logins:
avc: denied { use } for pid=767 comm="semodule" path="/dev/ttyS0"
dev="devtmpfs" ino=83
scontext=unconfined_u:unconfined_r:semanage_t:s0-s0:c0.c1023
tcontext=system_u:system_r:init_t:s0 tclass=fd permissive=0
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
There should be no device_t device nodes, but add access in case they
exist. Saw containerd fail to start containers if it couldn't stat() all
devices.
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
avc: denied { ioctl } for pid=7230 comm="ip6tables" path="/sys/fs/cgroup" dev="cgroup2" ino=1
scontext=system_u:system_r:iptables_t:s0
tcontext=system_u:object_r:cgroup_t:s0 tclass=dir
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
Signed-off-by: Chris PeBenito <Christopher.PeBenito@microsoft.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>