
Update for the 20240507 build #2111

Merged (14 commits) on May 7, 2024

Commits on May 7, 2024

  1. Allow svirt_t read vm sysctls

    The commit addresses the following AVC denial:
    type=PROCTITLE msg=audit(04/10/2024 04:54:54.905:788) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
    type=PATH msg=audit(04/10/2024 04:54:54.905:788) : item=0 name=/proc/sys/vm/max_map_count inode=68303 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=SYSCALL msg=audit(04/10/2024 04:54:54.905:788) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x557ed6d62074 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=23797 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c475,c934 key=(null)
    type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc:  denied  { open } for  pid=23797 comm=qemu-kvm path=/proc/sys/vm/max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
    type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc:  denied  { read } for  pid=23797 comm=qemu-kvm name=max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
    
    Resolves: RHEL-32296
    zpytela committed May 7, 2024 (commit 3e22aa3)
  2. Add crontab_domtrans interface

    This interface allows a domain to execute crontab and transition to
    crontab_t domain.
    
    Resolves: RHEL-31888
    JurajMarcin authored and zpytela committed May 7, 2024 (commit 769e4b4)
  3. Add crontab_admin_domtrans interface

    This interface allows an admin domain to execute crontab and transition
    to admin_crontab_t domain.
    
    Resolves: RHEL-31888
    JurajMarcin authored and zpytela committed May 7, 2024 (commit 4bd8f6e)
  4. Differentiate between staff and sysadm when executing crontab with sudo

    Addresses the following error:
    type=PROCTITLE msg=audit(02/16/2024 05:30:44.450:614) : proctitle=sudo -u user30731 crontab -r
    type=PATH msg=audit(02/16/2024 05:30:44.450:614) : item=0 name=/bin/crontab inode=589204 dev=fd:00 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:crontab_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(02/16/2024 05:30:44.450:614) : cwd=/home/user30731
    type=SYSCALL msg=audit(02/16/2024 05:30:44.450:614) : arch=ppc64le syscall=execve success=no exit=EACCES(Permission denied) a0=0x10034c28b18 a1=0x10034c19408 a2=0x10034c119a0 a3=0x10034c119a0 items=1 ppid=31112 pid=31113 auid=user30731 uid=user30731 gid=user30731 euid=user30731 suid=user30731 fsuid=user30731 egid=user30731 sgid=user30731 fsgid=user30731 tty=pts2 ses=12 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
    type=SELINUX_ERR msg=audit(02/16/2024 05:30:44.450:614) : op=security_compute_sid invalid_context=sysadm_u:sysadm_r:crontab_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process
    
    Resolves: RHEL-31888
    JurajMarcin authored and zpytela committed May 7, 2024 (commit f958670)
  5. Label /dev/mmcblk0rpmb character device with removable_device_t

    So far, only /dev/mmcblk.* block devices were assigned that label.
    This commit adds the label for the character device for the RPMB
    (Replay Protected Memory Block) standard.
    
    Resolves: RHEL-28080
    zpytela committed May 7, 2024 (commit 93ecc54)
  6. Add policy for bootupd

    Bootupd is a small socket-activated program that takes care of updating the bootloader.
    
    Resolves: RHEL-22172
    5umm3r15 authored and zpytela committed May 7, 2024 (commit 1f2d997)
  7. Add the bootupd module

    Resolves: RHEL-22172
    zpytela committed May 7, 2024 (commit 2e4a336)
  8. Allow bootupd search EFI directory

    The commit addresses the following AVC denial:
    type=PROCTITLE msg=audit(06/27/2023 19:22:31.060:6277) : proctitle=/usr/libexec/bootupd daemon -v
    type=PATH msg=audit(06/27/2023 19:22:31.060:6277) : item=0 name=/boot/efi/EFI inode=1048592 dev=103:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dosfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=SYSCALL msg=audit(06/27/2023 19:22:31.060:6277) : arch=x86_64 syscall=openat success=yes exit=7 a0=0x6 a1=0x5602cecb1310 a2=O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH a3=0x0 items=1 ppid=1 pid=134959 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bootupd exe=/usr/libexec/bootupd subj=system_u:system_r:bootupd_t:s0 key=(null)
    type=AVC msg=audit(06/27/2023 19:22:31.060:6277) : avc:  denied  { search } for  pid=134959 comm=bootupd name=/ dev="nvme0n1p3" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
    
    Resolves: RHEL-22172
    zpytela committed May 7, 2024 (commit 5f9f7b6)
  9. Update afterburn policy

    Resolves: rhbz#2254975
    
    Resolves: RHEL-22173
    zpytela committed May 7, 2024 (commit ab2e32a)
  10. Remove permissive domain for afterburn_t

    Resolves: RHEL-22173
    zpytela committed May 7, 2024 (commit 01cbd2e)
  11. Remove permissive domain for coreos_installer_t

    Resolves: RHEL-22173
    zpytela committed May 7, 2024 (commit 31baf05)
  12. Remove permissive domain for mptcpd_t

    Resolves: RHEL-22173
    zpytela committed May 7, 2024 (commit ef7df27)
  13. Remove permissive domain for rshim_t

    Resolves: RHEL-22173
    zpytela committed May 7, 2024 (commit 5c85b0f)
  14. Allow numad to trace processes in user namespace

    The commit addresses the following AVC denial:
    type=PROCTITLE msg=audit(04/23/2024 18:03:36.617:3479) : proctitle=/usr/bin/numad -i 15
    type=SYSCALL msg=audit(04/23/2024 18:03:36.617:3479) : arch=x86_64 syscall=read success=yes exit=169 a0=0x1 a1=0x55cf0c6d4240 a2=0x400 a3=0x0 items=0 ppid=1 pid=3200 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=numad exe=/usr/bin/numad subj=system_u:system_r:numad_t:s0 key=(null)
    type=AVC msg=audit(04/23/2024 18:03:36.617:3479) : avc:  denied  { sys_ptrace } for  pid=3200 comm=numad capability=sys_ptrace  scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0
    
    Resolves: RHEL-33994
    zpytela committed May 7, 2024 (commit b7f3316)
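The AVC and SELINUX_ERR records quoted in commits 1, 4, 8 and 14 are what a policy author triages before writing a fix, and the same kind of audit trail (denials with permissive=1) is what you review before removing a permissive domain as commits 10 to 13 do. The script below is an added example, not code from the selinux-policy project or from this PR: it parses exactly those records, merges the denied permissions into candidate rules per (source type, target type, class) the way audit2allow summarises a log, and classifies each denial as blocked, logged-only, or a failed context computation. It only handles the fields present in these records; the `SAMPLE_AUDIT` text is copied from the commit messages above with the PROCTITLE, PATH and SYSCALL records left out.

```python
"""Triage SELinux AVC / SELINUX_ERR audit records.

Added example, not selinux-policy project code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Sample input: the AVC and SELINUX_ERR records copied from the commit
# messages above; the PROCTITLE/PATH/SYSCALL records of each event are omitted.
SAMPLE_AUDIT = """\
type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc:  denied  { open } for  pid=23797 comm=qemu-kvm path=/proc/sys/vm/max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc:  denied  { read } for  pid=23797 comm=qemu-kvm name=max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
type=SELINUX_ERR msg=audit(02/16/2024 05:30:44.450:614) : op=security_compute_sid invalid_context=sysadm_u:sysadm_r:crontab_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process
type=AVC msg=audit(06/27/2023 19:22:31.060:6277) : avc:  denied  { search } for  pid=134959 comm=bootupd name=/ dev="nvme0n1p3" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(04/23/2024 18:03:36.617:3479) : avc:  denied  { sys_ptrace } for  pid=3200 comm=numad capability=sys_ptrace  scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<stamp>[^)]*)\) : (?P<body>.*)$")
AVC_RE = re.compile(r"avc:\s+(?P<decision>granted|denied)\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value tokens, value may be quoted


@dataclass(frozen=True)
class Denial:
    record_type: str            # "AVC" or "SELINUX_ERR"
    serial: str                 # audit event serial, e.g. "788"
    comm: str                   # empty for SELINUX_ERR, which carries no comm=
    scontext: str
    tcontext: str
    tclass: str
    perms: tuple                # permissions inside { ... }; empty for SELINUX_ERR
    permissive: Optional[bool]  # None when the record has no permissive= field
    invalid_context: Optional[str]


def type_of(context: str) -> str:
    """Return the type (third field) of a user:role:type:level context."""
    return context.split(":")[2]


def parse_record(line: str) -> Optional[Denial]:
    """Parse one audit line; None for record types this triage ignores."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, body = m.group("type"), m.group("body")
    serial = m.group("stamp").rsplit(":", 1)[-1]
    if rtype == "AVC":
        avc = AVC_RE.match(body)
        if not avc or avc.group("decision") != "denied":
            return None
        perms = tuple(avc.group("perms").split())
        fields = dict(KV_RE.findall(avc.group("rest")))
    elif rtype == "SELINUX_ERR":
        perms = ()
        fields = dict(KV_RE.findall(body))
    else:
        return None
    permissive = fields.get("permissive")
    return Denial(rtype, serial, fields.get("comm", ""), fields["scontext"],
                  fields["tcontext"], fields["tclass"], perms,
                  None if permissive is None else permissive == "1",
                  fields.get("invalid_context"))


def enforcement(d: Denial) -> str:
    """What the record says about runtime impact."""
    if d.record_type == "SELINUX_ERR":
        # The kernel could not build a valid context for the transition: the
        # role/type pair in invalid_context is not authorised by the policy,
        # so an allow rule alone does not fix it (commit 4 adds a role-aware
        # interface instead).
        return "invalid-context"
    if d.permissive:
        # permissive=1: the access went through (permissive domain or mode) and
        # was only logged; it starts failing once the domain is enforced.
        return "logged-only (permissive)"
    return "blocked"


def candidate_rules(denials) -> dict:
    """Merge AVC denials into (source type, target type, class) -> perms."""
    rules = defaultdict(set)
    for d in denials:
        if d.record_type == "AVC":
            rules[(type_of(d.scontext), type_of(d.tcontext), d.tclass)].update(d.perms)
    return {key: tuple(sorted(perms)) for key, perms in rules.items()}


def format_rule(key, perms) -> str:
    """Render one merged entry as an audit2allow-style allow rule."""
    src, tgt, cls = key
    return f"allow {src} {'self' if src == tgt else tgt}:{cls} {{ {' '.join(perms)} }};"


def triage(audit_text: str):
    """Parse every triageable record and build the merged rule table."""
    denials = [d for d in map(parse_record, audit_text.splitlines()) if d]
    return denials, candidate_rules(denials)


if __name__ == "__main__":
    found, rules = triage(SAMPLE_AUDIT)
    for d in found:
        detail = " ".join(d.perms) or d.invalid_context
        print(f"[{d.serial}] {d.record_type:11} {d.comm or '-':9} "
              f"{type_of(d.scontext)} -> {type_of(d.tcontext)}:{d.tclass} "
              f"{detail}: {enforcement(d)}")
    print("candidate rules:")
    for key, perms in rules.items():
        print(" ", format_rule(key, perms))
```

The merged rules are raw audit2allow-style output and a starting point only: in a refpolicy-style tree like this one the fix is normally expressed through the module's interfaces (as commits 2 to 4 do for crontab), and the numad record is worth a closer look because `permissive=0` means that denial was actually blocking when it was logged, unlike the svirt and bootupd ones.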