Add rpc.nfsd the lease capability #1935

Draft
wants to merge 1 commit into
base: rawhide

zpytela
Contributor

@zpytela zpytela commented Nov 13, 2023

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(22.09.2023 08:55:06.703:16943) : proctitle=/usr/sbin/rpc.nfsd 0
type=SYSCALL msg=audit(22.09.2023 08:55:06.703:16943) : arch=x86_64 syscall=write success=yes exit=2 a0=0x3 a1=0x55cd1ed16c60 a2=0x2 a3=0x0 items=0 ppid=1 pid=47262 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc.nfsd exe=/usr/sbin/rpc.nfsd subj=system_u:system_r:nfsd_t:s0 key=(null)
type=AVC msg=audit(22.09.2023 08:55:06.703:16943) : avc: denied { lease } for pid=47262 comm=rpc.nfsd capability=lease scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0

Resolves: rhbz#2216408

Cockpit tests failed for commit 190e052. @martinpitt, @jelly, @mvollmer please check.

@WOnder93
Member

success=yes + permissive=0 -> maybe it should be dontaudited instead? Do we have a kernel backtrace?

@zpytela
Contributor Author

zpytela commented Nov 13, 2023

> success=yes + permissive=0 -> maybe it should be dontaudited instead? Do we have a kernel backtrace?

tracefs backtrace here:
https://bugzilla.redhat.com/show_bug.cgi?id=2216408#c8

but it probably relates only to sock_file execute issue which was addressed a different way

@WOnder93
Member

> tracefs backtrace here: https://bugzilla.redhat.com/show_bug.cgi?id=2216408#c8
>
> but it probably relates only to sock_file execute issue which was addressed a different way

Yes, that's unrelated to this denial.

@zpytela zpytela marked this pull request as draft November 14, 2023 13:19
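
The review question raised in this thread (an enforcing denial, `permissive=0`, on a syscall that still reports `success=yes`) can be checked mechanically by joining each AVC record to the SYSCALL record of the same audit event. The following is an added example, not part of this pull request or the project's code; the function name `triage`, the verdict labels and the second sample event (16950) are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the interpreted audit-log layout quoted in this thread
# (fields abridged). Event 16950 is invented for contrast.
SAMPLE = """\
type=SYSCALL msg=audit(22.09.2023 08:55:06.703:16943) : arch=x86_64 syscall=write success=yes exit=2 comm=rpc.nfsd
type=AVC msg=audit(22.09.2023 08:55:06.703:16943) : avc:  denied  { lease } for  pid=47262 comm=rpc.nfsd capability=lease  scontext=system_u:system_r:nfsd_t:s0 tcontext=system_u:system_r:nfsd_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(22.09.2023 08:56:10.100:16950) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) comm=exampled
type=AVC msg=audit(22.09.2023 08:56:10.100:16950) : avc:  denied  { read } for  pid=500 comm=exampled name=data scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=file permissive=0
"""

RECORD = re.compile(r"^type=(\w+) msg=audit\((.*?):(\d+)\)\s*:\s*(.*)$")
KV = re.compile(r"(\w+)=(\S+)")
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")


def triage(log_text):
    """Join AVC denials to the SYSCALL record of the same audit event."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rtype, stamp, serial, body = m.groups()
            events[(stamp, serial)][rtype].append(body)
    findings = []
    for (_, serial), recs in events.items():
        syscall = dict(KV.findall(recs["SYSCALL"][0])) if recs["SYSCALL"] else {}
        for body in recs["AVC"]:
            denied = DENIED.search(body)
            if not denied:
                continue
            avc = dict(KV.findall(body))
            if avc.get("permissive") == "1":
                verdict = "logged-only"           # permissive: nothing was blocked
            elif syscall.get("success") == "yes":
                verdict = "denied-but-succeeded"  # allow vs. dontaudit needs review
            elif syscall.get("success") == "no":
                verdict = "denied-and-failed"     # the syscall itself failed
            else:
                verdict = "no-syscall-record"     # cannot tell from the AVC alone
            findings.append({
                "serial": int(serial),
                "domain": (avc.get("scontext", "") + ":::").split(":")[2],
                "tclass": avc.get("tclass"),
                "perms": denied.group(1).split(),
                "verdict": verdict,
            })
    return findings
```

A `denied-but-succeeded` verdict only marks the event for review; whether the rule should be `allow` or `dontaudit` still depends on what the kernel code path does with the failed check.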