Commit
Allow some confined users send to lldpad over a unix dgram socket
Note this is for lldptool and vdptool connecting to the lldpad daemon from the lldpad package - Intel LLDP Agent.

The commit addresses the following AVC denial example:

type=PROCTITLE msg=audit(10/24/2024 10:22:07.718:854) : proctitle=lldptool -p
type=SOCKADDR msg=audit(10/24/2024 10:22:07.718:854) : saddr={ saddr_fam=local path=/com/intel/lldpad }
type=SYSCALL msg=audit(10/24/2024 10:22:07.718:854) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x55c239a95312 a2=0x14 a3=0x0 items=0 ppid=10028 pid=10029 auid=user27128 uid=user27128 gid=user27128 euid=user27128 suid=user27128 fsuid=user27128 egid=user27128 sgid=user27128 fsgid=user27128 tty=pts3 ses=6 comm=lldptool exe=/usr/sbin/lldptool subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/24/2024 10:22:07.718:854) : avc: denied { sendto } for pid=10029 comm=lldptool path=/com/intel/lldpad scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0 tclass=unix_dgram_socket permissive=0

Resolves: RHEL-58072
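Added example, not part of the commit: a small Python parser for the AVC record quoted above that extracts the source and target types and prints the raw type-enforcement rule the denial implies for this one domain. The commit's actual policy change is not shown on this page; the function names here are hypothetical.

```python
import re

# AVC record copied from the commit message above.
AVC = ("type=AVC msg=audit(10/24/2024 10:22:07.718:854) : avc: denied { sendto } "
       "for pid=10029 comm=lldptool path=/com/intel/lldpad "
       "scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 "
       "tcontext=system_u:system_r:lldpad_t:s0 tclass=unix_dgram_socket permissive=0")

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")

def parse_context(ctx):
    """Split user:role:type[:level]; the MLS level may itself contain ':'."""
    parts = ctx.split(":", 3) + [""]
    return dict(zip(("user", "role", "type", "level"), parts[:4]))

def parse_avc(record):
    """Return the fields of one AVC record (values without embedded spaces)."""
    m = AVC_RE.search(record)
    if m is None:
        raise ValueError("not an AVC record")
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    return {
        "result": m.group("result"),
        "perms": m.group("perms").split(),
        "comm": fields.get("comm", "").strip('"'),
        "path": fields.get("path", "").strip('"'),
        "source": parse_context(fields["scontext"]),
        "target": parse_context(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=0 means the access was actually blocked, not just logged
        "enforced": fields.get("permissive") == "0",
    }

def implied_rule(avc):
    """Render the allow rule that would cover exactly this denial."""
    perms = " ".join(avc["perms"])
    if len(avc["perms"]) > 1:
        perms = "{ " + perms + " }"
    return (f"allow {avc['source']['type']} {avc['target']['type']}:"
            f"{avc['tclass']} {perms};")

if __name__ == "__main__":
    denial = parse_avc(AVC)
    print(denial["comm"], "->", denial["path"], "enforced:", denial["enforced"])
    print(implied_rule(denial))
```

The derived rule covers only staff_t, the domain in the sample denial; review it against the policy's existing interfaces before adopting anything like it.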