
Update for the 20240507 build #2111

Merged: zpytela merged 14 commits into fedora-selinux:c9s from c9s-20240507-build on May 7, 2024

Conversation

@zpytela (Contributor) commented May 7, 2024

No description provided.

zpytela and others added 14 commits May 7, 2024 18:53
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(04/10/2024 04:54:54.905:788) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra
type=PATH msg=audit(04/10/2024 04:54:54.905:788) : item=0 name=/proc/sys/vm/max_map_count inode=68303 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(04/10/2024 04:54:54.905:788) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x557ed6d62074 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=23797 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c475,c934 key=(null)
type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc:  denied  { open } for  pid=23797 comm=qemu-kvm path=/proc/sys/vm/max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc:  denied  { read } for  pid=23797 comm=qemu-kvm name=max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1

Resolves: RHEL-32296

This interface allows a domain to execute crontab and transition to
crontab_t domain.

Resolves: RHEL-31888

This interface allows an admin domain to execute crontab and transition
to admin_crontab_t domain.

Resolves: RHEL-31888

Addresses the following error:
type=PROCTITLE msg=audit(02/16/2024 05:30:44.450:614) : proctitle=sudo -u user30731 crontab -r
type=PATH msg=audit(02/16/2024 05:30:44.450:614) : item=0 name=/bin/crontab inode=589204 dev=fd:00 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:crontab_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(02/16/2024 05:30:44.450:614) : cwd=/home/user30731
type=SYSCALL msg=audit(02/16/2024 05:30:44.450:614) : arch=ppc64le syscall=execve success=no exit=EACCES(Permission denied) a0=0x10034c28b18 a1=0x10034c19408 a2=0x10034c119a0 a3=0x10034c119a0 items=1 ppid=31112 pid=31113 auid=user30731 uid=user30731 gid=user30731 euid=user30731 suid=user30731 fsuid=user30731 egid=user30731 sgid=user30731 fsgid=user30731 tty=pts2 ses=12 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=SELINUX_ERR msg=audit(02/16/2024 05:30:44.450:614) : op=security_compute_sid invalid_context=sysadm_u:sysadm_r:crontab_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process

Resolves: RHEL-31888

So far, only /dev/mmcblk.* block devices were assigned that label.
This commit adds the label for character device for the RPMB
(Replay Protected Memory Block) standard.

Resolves: RHEL-28080

Bootupd is a small socket activated program that takes care of updating the bootloader.

Resolves: RHEL-22172

Resolves: RHEL-22172

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(06/27/2023 19:22:31.060:6277) : proctitle=/usr/libexec/bootupd daemon -v
type=PATH msg=audit(06/27/2023 19:22:31.060:6277) : item=0 name=/boot/efi/EFI inode=1048592 dev=103:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dosfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(06/27/2023 19:22:31.060:6277) : arch=x86_64 syscall=openat success=yes exit=7 a0=0x6 a1=0x5602cecb1310 a2=O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH a3=0x0 items=1 ppid=1 pid=134959 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bootupd exe=/usr/libexec/bootupd subj=system_u:system_r:bootupd_t:s0 key=(null)
type=AVC msg=audit(06/27/2023 19:22:31.060:6277) : avc:  denied  { search } for  pid=134959 comm=bootupd name=/ dev="nvme0n1p3" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1

Resolves: RHEL-22172

Resolves: rhbz#2254975

Resolves: RHEL-22173

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(04/23/2024 18:03:36.617:3479) : proctitle=/usr/bin/numad -i 15
type=SYSCALL msg=audit(04/23/2024 18:03:36.617:3479) : arch=x86_64 syscall=read success=yes exit=169 a0=0x1 a1=0x55cf0c6d4240 a2=0x400 a3=0x0 items=0 ppid=1 pid=3200 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=numad exe=/usr/bin/numad subj=system_u:system_r:numad_t:s0 key=(null)
type=AVC msg=audit(04/23/2024 18:03:36.617:3479) : avc:  denied  { sys_ptrace } for  pid=3200 comm=numad capability=sys_ptrace  scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0

Resolves: RHEL-33994
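The commit messages above each start from an audit record: AVC denials for svirt_t, bootupd_t and numad_t, and one SELINUX_ERR from security_compute_sid for the crontab transition. The following is an added example (not code from selinux-policy or from this pull request) that performs the first triage step a policy maintainer does on such records: parse the AVC lines, group them by source type, target type and class, and render them as audit2allow-style allow rules, while setting SELINUX_ERR invalid_context records aside because no allow rule repairs a role that is not authorized for the computed type (the fix in this PR is a transition to admin_crontab_t instead). The sample input is constructed from the AVC and SELINUX_ERR lines quoted in the commit messages, with the PROCTITLE, PATH and SYSCALL records omitted; the function names are mine. Note that permissive=1 records were only logged, whereas permissive=0 means the access was actually blocked, which the parser tracks per rule.

```python
"""Group SELinux AVC denials from audit(1) records into candidate allow rules.

Added example, not part of the selinux-policy project or this pull request.
The generated rules are a starting point for review, not the final policy:
real fixes usually go through interfaces (e.g. a domain transition) rather
than raw allow rules.
"""
import re
from collections import defaultdict

# Constructed sample: the AVC and SELINUX_ERR records quoted in the commit messages.
SAMPLE_AUDIT = """\
type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc:  denied  { open } for  pid=23797 comm=qemu-kvm path=/proc/sys/vm/max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc:  denied  { read } for  pid=23797 comm=qemu-kvm name=max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1
type=SELINUX_ERR msg=audit(02/16/2024 05:30:44.450:614) : op=security_compute_sid invalid_context=sysadm_u:sysadm_r:crontab_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process
type=AVC msg=audit(06/27/2023 19:22:31.060:6277) : avc:  denied  { search } for  pid=134959 comm=bootupd name=/ dev="nvme0n1p3" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1
type=AVC msg=audit(04/23/2024 18:03:36.617:3479) : avc:  denied  { sys_ptrace } for  pid=3200 comm=numad capability=sys_ptrace  scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0
"""

# An AVC record: permissions in braces, then scontext/tcontext/tclass; permissive is optional.
AVC_RE = re.compile(
    r"type=AVC .*?avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
    r"(?: permissive=(?P<permissive>[01]))?"
)
# A SELINUX_ERR record from the kernel's SID computation (transition checks).
ERR_RE = re.compile(
    r"type=SELINUX_ERR .*?op=(?P<op>\S+) invalid_context=(?P<invalid>\S+) "
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def context_role(ctx):
    """Return the role field of a user:role:type[:range] security context."""
    return ctx.split(":")[1]


def parse_avc(text):
    """Group AVC denials by (source type, target type, class).

    Returns (grouped, enforced): grouped maps the key to the set of denied
    permissions; enforced records whether any denial for that key was real
    (permissive=0) rather than merely logged (permissive=1).
    """
    grouped = defaultdict(set)
    enforced = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        key = (context_type(m["scontext"]), context_type(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
        enforced[key] = enforced.get(key, False) or m["permissive"] == "0"
    return grouped, enforced


def allow_rules(grouped):
    """Render grouped denials as audit2allow-style allow rules, sorted for diffing."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(grouped.items()):
        # A domain acting on its own context is written as "self" in policy.
        target = "self" if stype == ttype else ttype
        plist = " ".join(sorted(perms))
        if len(perms) > 1:
            plist = "{ %s }" % plist
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, plist))
    return rules


def invalid_contexts(text):
    """Return (role, type) pairs the kernel refused to build a context for.

    An invalid_context from security_compute_sid means the transition's
    target type is not authorized for the caller's role; that needs a policy
    change to the transition (or the role's allowed types), not an allow rule.
    """
    findings = []
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if m and m["op"] == "security_compute_sid":
            findings.append((context_role(m["invalid"]), context_type(m["invalid"])))
    return findings


if __name__ == "__main__":
    grouped, enforced = parse_avc(SAMPLE_AUDIT)
    for rule, key in zip(allow_rules(grouped), sorted(grouped)):
        print(rule, "  # blocked" if enforced[key] else "  # logged only (permissive)")
    for role, typ in invalid_contexts(SAMPLE_AUDIT):
        print("# role %s is not authorized for type %s" % (role, typ))
```

Run on the sample, the script prints one allow rule per (source, target, class) triple and flags the crontab_t case separately; only the numad_t cap_userns denial is marked as actually blocked, the others were recorded in permissive mode.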
@zpytela zpytela merged commit 4188842 into fedora-selinux:c9s May 7, 2024
0 of 2 checks passed
@zpytela zpytela deleted the c9s-20240507-build branch May 7, 2024 20:05
@jlebon (Contributor) commented May 23, 2024

Some fallout in openshift/os#1514.

4 participants