Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update for the 20240507 build #2111

Merged
merged 14 commits into from
May 7, 2024
Merged

Update for the 20240507 build #2111

merged 14 commits into from
May 7, 2024

Conversation

zpytela
Copy link
Contributor

@zpytela zpytela commented May 7, 2024

No description provided.

zpytela and others added 14 commits May 7, 2024 18:53
@zpytela
Allow svirt_t read vm sysctls
3e22aa3 
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(04/10/2024 04:54:54.905:788) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
type=PATH msg=audit(04/10/2024 04:54:54.905:788) : item=0 name=/proc/sys/vm/max_map_count inode=68303 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(04/10/2024 04:54:54.905:788) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x557ed6d62074 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=23797 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c475,c934 key=(null)
type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc:  denied  { open } for  pid=23797 comm=qemu-kvm path=/proc/sys/vm/max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc:  denied  { read } for  pid=23797 comm=qemu-kvm name=max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1

Resolves: RHEL-32296
@JurajMarcin @zpytela
Add crontab_domtrans interface
769e4b4 
This interface allows a domain to execute crontab and transition to
crontab_t domain.

Resolves: RHEL-31888
@JurajMarcin @zpytela
Add crontab_admin_domtrans interface
4bd8f6e 
This interface allows a admin domain to execute crontab and transition
to admin_crontab_t domain.

Resolves: RHEL-31888
@JurajMarcin @zpytela
Differentiate between staff and sysadm when executing crontab with sudo
f958670 
Addresses the following error:
type=PROCTITLE msg=audit(02/16/2024 05:30:44.450:614) : proctitle=sudo -u user30731 crontab -r
type=PATH msg=audit(02/16/2024 05:30:44.450:614) : item=0 name=/bin/crontab inode=589204 dev=fd:00 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:crontab_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/16/2024 05:30:44.450:614) : cwd=/home/user30731
type=SYSCALL msg=audit(02/16/2024 05:30:44.450:614) : arch=ppc64le syscall=execve success=no exit=EACCES(Permission denied) a0=0x10034c28b18 a1=0x10034c19408 a2=0x10034c119a0 a3=0x10034c119a0 items=1 ppid=31112 pid=31113 auid=user30731 uid=user30731 gid=user30731 euid=user30731 suid=user30731 fsuid=user30731 egid=user30731 sgid=user30731 fsgid=user30731 tty=pts2 ses=12 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(02/16/2024 05:30:44.450:614) : op=security_compute_sid invalid_context=sysadm_u:sysadm_r:crontab_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process

Resolves: RHEL-31888
@zpytela
Label /dev/mmcblk0rpmb character device with removable_device_t
93ecc54 
So far, only /dev/mmcblk.* block devices were assigned that label.
This commit adds the label for character device for the RPMB
(Replay Protected Memory Block) standard.

Resolves: RHEL-28080
@5umm3r15 @zpytela
Add policy for bootupd
1f2d997 
Bootupd is a small socket activated program that takes care of updating the bootloader.

Resolves: RHEL-22172
@zpytela
Add the bootupd module
2e4a336 
Resolves: RHEL-22172
@zpytela
Allow bootupd search EFI directory
5f9f7b6 
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(06/27/2023 19:22:31.060:6277) : proctitle=/usr/libexec/bootupd daemon -v
type=PATH msg=audit(06/27/2023 19:22:31.060:6277) : item=0 name=/boot/efi/EFI inode=1048592 dev=103:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dosfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(06/27/2023 19:22:31.060:6277) : arch=x86_64 syscall=openat success=yes exit=7 a0=0x6 a1=0x5602cecb1310 a2=O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH a3=0x0 items=1 ppid=1 pid=134959 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bootupd exe=/usr/libexec/bootupd subj=system_u:system_r:bootupd_t:s0 key=(null)
type=AVC msg=audit(06/27/2023 19:22:31.060:6277) : avc:  denied  { search } for  pid=134959 comm=bootupd name=/ dev="nvme0n1p3" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1

Resolves: RHEL-22172
@zpytela
Update afterburn policy
ab2e32a 
Resolves: rhbz#2254975

Resolves: RHEL-22173
@zpytela
Remove permissive domain for afterburn_t
01cbd2e 
Resolves: RHEL-22173
@zpytela
Remove permissive domain for coreos_installer_t
31baf05 
Resolves: RHEL-22173
@zpytela
Remove permissive domain for mptcpd_t
ef7df27 
Resolves: RHEL-22173
@zpytela
Remove permissive domain for rshim_t
5c85b0f 
Resolves: RHEL-22173
@zpytela
Allow numad to trace processes in user namespace
b7f3316 
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(04/23/2024 18:03:36.617:3479) : proctitle=/usr/bin/numad -i 15
type=SYSCALL msg=audit(04/23/2024 18:03:36.617:3479) : arch=x86_64 syscall=read success=yes exit=169 a0=0x1 a1=0x55cf0c6d4240 a2=0x400 a3=0x0 items=0 ppid=1 pid=3200 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=numad exe=/usr/bin/numad subj=system_u:system_r:numad_t:s0 key=(null)
type=AVC msg=audit(04/23/2024 18:03:36.617:3479) : avc:  denied  { sys_ptrace } for  pid=3200 comm=numad capability=sys_ptrace  scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0

Resolves: RHEL-33994
@zpytela zpytela merged commit 4188842 into fedora-selinux:c9s May 7, 2024
0 of 2 checks passed
@zpytela zpytela deleted the c9s-20240507-build branch May 7, 2024 20:05
@jlebon jlebon mentioned this pull request May 23, 2024
Open
@jlebon
Copy link
Contributor

jlebon commented May 23, 2024

Some fallout in openshift/os#1514.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@zpytela @jlebon @JurajMarcin @5umm3r15