-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update for the 20240507 build #2111
Merged
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The commit addresses the following AVC denial: type=PROCTITLE msg=audit(04/10/2024 04:54:54.905:788) : proctitle=/usr/libexec/qemu-kvm -name guest=avocado-vt-vm1,debug-threads=on -S -object {"qom-type":"secret","id":"masterKey0","format":"ra type=PATH msg=audit(04/10/2024 04:54:54.905:788) : item=0 name=/proc/sys/vm/max_map_count inode=68303 dev=00:14 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysctl_vm_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(04/10/2024 04:54:54.905:788) : arch=x86_64 syscall=openat success=yes exit=3 a0=AT_FDCWD a1=0x557ed6d62074 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=23797 auid=unset uid=qemu gid=qemu euid=qemu suid=qemu fsuid=qemu egid=qemu sgid=qemu fsgid=qemu tty=(none) ses=unset comm=qemu-kvm exe=/usr/libexec/qemu-kvm subj=system_u:system_r:svirt_t:s0:c475,c934 key=(null) type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc: denied { open } for pid=23797 comm=qemu-kvm path=/proc/sys/vm/max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1 type=AVC msg=audit(04/10/2024 04:54:54.905:788) : avc: denied { read } for pid=23797 comm=qemu-kvm name=max_map_count dev="proc" ino=68303 scontext=system_u:system_r:svirt_t:s0:c475,c934 tcontext=system_u:object_r:sysctl_vm_t:s0 tclass=file permissive=1 Resolves: RHEL-32296
This interface allows a domain to execute crontab and transition to crontab_t domain. Resolves: RHEL-31888
This interface allows a admin domain to execute crontab and transition to admin_crontab_t domain. Resolves: RHEL-31888
Addresses the following error: type=PROCTITLE msg=audit(02/16/2024 05:30:44.450:614) : proctitle=sudo -u user30731 crontab -r type=PATH msg=audit(02/16/2024 05:30:44.450:614) : item=0 name=/bin/crontab inode=589204 dev=fd:00 mode=file,suid,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:crontab_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(02/16/2024 05:30:44.450:614) : cwd=/home/user30731 type=SYSCALL msg=audit(02/16/2024 05:30:44.450:614) : arch=ppc64le syscall=execve success=no exit=EACCES(Permission denied) a0=0x10034c28b18 a1=0x10034c19408 a2=0x10034c119a0 a3=0x10034c119a0 items=1 ppid=31112 pid=31113 auid=user30731 uid=user30731 gid=user30731 euid=user30731 suid=user30731 fsuid=user30731 egid=user30731 sgid=user30731 fsgid=user30731 tty=pts2 ses=12 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null) type=SELINUX_ERR msg=audit(02/16/2024 05:30:44.450:614) : op=security_compute_sid invalid_context=sysadm_u:sysadm_r:crontab_t:s0-s0:c0.c1023 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:crontab_exec_t:s0 tclass=process Resolves: RHEL-31888
So far, only /dev/mmcblk.* block devices were assigned that label. This commit adds the label for character device for the RPMB (Replay Protected Memory Block) standard. Resolves: RHEL-28080
Bootupd is a small socket activated program that takes care of updating the bootloader. Resolves: RHEL-22172
Resolves: RHEL-22172
The commit addresses the following AVC denial: type=PROCTITLE msg=audit(06/27/2023 19:22:31.060:6277) : proctitle=/usr/libexec/bootupd daemon -v type=PATH msg=audit(06/27/2023 19:22:31.060:6277) : item=0 name=/boot/efi/EFI inode=1048592 dev=103:03 mode=dir,700 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:dosfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(06/27/2023 19:22:31.060:6277) : arch=x86_64 syscall=openat success=yes exit=7 a0=0x6 a1=0x5602cecb1310 a2=O_RDONLY|O_NOFOLLOW|O_CLOEXEC|O_PATH a3=0x0 items=1 ppid=1 pid=134959 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=bootupd exe=/usr/libexec/bootupd subj=system_u:system_r:bootupd_t:s0 key=(null) type=AVC msg=audit(06/27/2023 19:22:31.060:6277) : avc: denied { search } for pid=134959 comm=bootupd name=/ dev="nvme0n1p3" ino=1 scontext=system_u:system_r:bootupd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=dir permissive=1 Resolves: RHEL-22172
Resolves: rhbz#2254975 Resolves: RHEL-22173
Resolves: RHEL-22173
Resolves: RHEL-22173
Resolves: RHEL-22173
Resolves: RHEL-22173
The commit addresses the following AVC denial: type=PROCTITLE msg=audit(04/23/2024 18:03:36.617:3479) : proctitle=/usr/bin/numad -i 15 type=SYSCALL msg=audit(04/23/2024 18:03:36.617:3479) : arch=x86_64 syscall=read success=yes exit=169 a0=0x1 a1=0x55cf0c6d4240 a2=0x400 a3=0x0 items=0 ppid=1 pid=3200 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=numad exe=/usr/bin/numad subj=system_u:system_r:numad_t:s0 key=(null) type=AVC msg=audit(04/23/2024 18:03:36.617:3479) : avc: denied { sys_ptrace } for pid=3200 comm=numad capability=sys_ptrace scontext=system_u:system_r:numad_t:s0 tcontext=system_u:system_r:numad_t:s0 tclass=cap_userns permissive=0 Resolves: RHEL-33994
Some fallout in openshift/os#1514. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.