-
Notifications
You must be signed in to change notification settings - Fork 172
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
C10s 20241023 build #2406
Merged
Merged
C10s 20241023 build #2406
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Resolves: RHEL-62355
The commit addresses the following AVC denial: type=PROCTITLE msg=audit(10/11/2024 15:01:06.998:7494) : proctitle=/usr/libexec/iio-sensor-proxy type=SYSCALL msg=audit(10/11/2024 15:01:06.998:7494) : arch=x86_64 syscall=setsockopt success=yes exit=0 a0=0x7 a1=SOL_SOCKET a2=SO_ATTACH_FILTER a3=0x7ffe8852ca40 items=0 ppid=1 pid=215132 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iio-sensor-prox exe=/usr/libexec/iio-sensor-proxy subj=system_u:system_r:iiosensorproxy_t:s0 key=(null) type=AVC msg=audit(10/11/2024 15:01:06.998:7494) : avc: denied { sys_admin } for pid=215132 comm=iio-sensor-prox capability=sys_admin scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability permissive=0 type=AVC msg=audit(10/11/2024 15:01:06.998:7494) : avc: denied { bpf } for pid=215132 comm=iio-sensor-prox capability=bpf scontext=system_u:system_r:iiosensorproxy_t:s0 tcontext=system_u:system_r:iiosensorproxy_t:s0 tclass=capability2 permissive=0 Resolves: RHEL-62355
Intel(r) Performance Counter Monitor [1] is an application programming interface (API) and a set of tools based on the API to monitor performance and energy metrics of Intel(r) Core(tm), Xeon(r), Atom(tm) and Xeon Phi(tm) processors. PCM works on Linux, Windows, Mac OS X, FreeBSD and DragonFlyBSD operating systems. pcm-sensor-server is a service providing performance counter data over http in JSON or Prometheus. [1] https://github.com/intel/pcm Resolves: RHEL-52838
Resolves: RHEL-61755
The commit addresses the following AVC denial: type=PROCTITLE msg=audit(10/09/2024 03:28:11.980:549) : proctitle=/usr/sbin/lldpad -t type=SOCKADDR msg=audit(10/09/2024 03:28:11.980:549) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 } type=SYSCALL msg=audit(10/09/2024 03:28:11.980:549) : arch=x86_64 syscall=sendmsg success=yes exit=32 a0=0x6 a1=0x7ffc33602210 a2=0x0 a3=0x20000 items=0 ppid=1 pid=25921 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null) type=AVC msg=audit(10/09/2024 03:28:11.980:549) : avc: denied { write } for pid=25921 comm=lldpad scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:lldpad_t:s0 tclass=netlink_generic_socket permissive=1 Resolves: RHEL-61634
The commit addresses the following AVC denial: type=PROCTITLE msg=audit(09/11/2024 05:35:23.841:2235) : proctitle=/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-test -i /run/dirsrv/slapd-test.pid type=SYSCALL msg=audit(09/11/2024 05:35:23.841:2235) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f74651fab60 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=10450 auid=unset uid=dirsrv gid=dirsrv euid=dirsrv suid=dirsrv fsuid=dirsrv egid=dirsrv sgid=dirsrv fsgid=dirsrv tty=(none) ses=unset comm=ns-slapd exe=/usr/sbin/ns-slapd subj=system_u:system_r:dirsrv_t:s0 key=(null) type=AVC msg=audit(09/11/2024 05:35:23.841:2235) : avc: denied { search } for pid=10450 comm=ns-slapd name=net dev="proc" ino=32137 scontext=system_u:system_r:dirsrv_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 Resolves: RHEL-58381
Resolves: RHEL-58380
The commit addresses the following AVC denial: type=PROCTITLE msg=audit(02/23/2024 23:59:13.212:1911) : proctitle=/usr/sbin/wdmd --probe type=PATH msg=audit(02/23/2024 23:59:13.212:1911) : item=0 name=/sys/class/watchdog/watchdog0/identity nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(02/23/2024 23:59:13.212:1911) : cwd=/ type=SYSCALL msg=audit(02/23/2024 23:59:13.212:1911) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffce5f5ed10 a2=O_RDONLY a3=0x0 items=1 ppid=182355 pid=182356 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wdmd exe=/usr/sbin/wdmd subj=system_u:system_r:wdmd_t:s0 key=(null) type=AVC msg=audit(02/23/2024 23:59:13.212:1911) : avc: denied { read } for pid=182356 comm=wdmd name=watchdog0 dev="sysfs" ino=22335 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=0 Resolves: RHEL-57982
The previous 12885bb ("Allow wdmd list the contents of the sysfs directories") commit was not sufficient as apart from reading the /sys/class/watchdog/watchdog0 symlink, reading the /sys/class/watchdog/watchdog0/identity file is also needed. The commit addresses the following AVC denial: type=PROCTITLE msg=audit(02/26/2024 09:44:20.607:565) : proctitle=/usr/sbin/wdmd --probe type=PATH msg=audit(02/26/2024 09:44:20.607:565) : item=0 name=/sys/class/watchdog/watchdog0/identity inode=14577 dev=00:14 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(02/26/2024 09:44:20.607:565) : arch=s390x syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x3ffde0f91a8 a2=O_RDONLY a3=0x0 items=1 ppid=46918 pid=46920 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wdmd exe=/usr/sbin/wdmd subj=system_u:system_r:wdmd_t:s0 key=(null) type=AVC msg=audit(02/26/2024 09:44:20.607:565) : avc: denied { open } for pid=46920 comm=wdmd path=/sys/devices/virtual/watchdog/watchdog0/identity dev="sysfs" ino=14577 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 type=AVC msg=audit(02/26/2024 09:44:20.607:565) : avc: denied { read } for pid=46920 comm=wdmd name=identity dev="sysfs" ino=14577 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 type=AVC msg=audit(02/26/2024 09:44:20.607:565) : avc: denied { read } for pid=46920 comm=wdmd name=watchdog0 dev="sysfs" ino=14575 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1 Resolves: RHEL-57982
The commit addresses the following AVC denials: type=PROCTITLE msg=audit(09/05/2024 15:02:11.223:415) : proctitle=/usr/sbin/virtqemud --timeout 120 type=PATH msg=audit(09/05/2024 15:02:11.223:415) : item=0 name=/proc/5600/stat inode=16564 dev=00:16 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:system_r:virtd_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(09/05/2024 15:02:11.223:415) : arch=x86_64 syscall=openat success=yes exit=19 a0=AT_FDCWD a1=0x55addb9db960 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=5563 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=prio-rpc-virtqe exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null) type=AVC msg=audit(09/05/2024 15:02:11.223:415) : avc: denied { open } for pid=5563 comm=prio-rpc-virtqe path=/proc/5600/stat dev="proc" ino=16564 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=file permissive=1 type=AVC msg=audit(09/05/2024 15:02:11.223:415) : avc: denied { read } for pid=5563 comm=prio-rpc-virtqe name=stat dev="proc" ino=16564 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=file permissive=1 type=AVC msg=audit(09/05/2024 15:02:11.223:415) : avc: denied { search } for pid=5563 comm=prio-rpc-virtqe name=5600 dev="proc" ino=16560 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:virtd_t:s0-s0:c0.c1023 tclass=dir permissive=1 Resolves: RHEL-57713
Additionally, allow sssd map sssd_var_run_t files. Resolves: RHEL-57065
The current state is the usr_t label for actual executables: $ ls -lZ /usr/bin/npm /usr/lib/node_modules/npm/bin/npm-cli.js lrwxrwxrwx. 1 root root system_u:object_r:bin_t:s0 38 Mar 5 07:14 /usr/bin/npm -> ../lib/node_modules/npm/bin/npm-cli.js -rwxr-xr-x. 1 root root system_u:object_r:lib_t:s0 50 Aug 9 2023 /usr/lib/node_modules/npm/bin/npm-cli.js Resolves: RHEL-56350
The commit addresses the following AVC denial: type=PROCTITLE msg=audit(09/26/2024 02:57:45.290:145) : proctitle=ping -c 3 fqdn type=PATH msg=audit(09/26/2024 02:57:45.290:145) : item=0 name=/proc/sys/net/ipv6/conf/all/disable_ipv6 nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(09/26/2024 02:57:45.290:145) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffd365588a0 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1225 pid=1446 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=ping exe=/usr/bin/ping subj=system_u:system_r:ping_t:s0 key=(null) type=AVC msg=audit(09/26/2024 02:57:45.290:145) : avc: denied { search } for pid=1446 comm=ping name=net dev="proc" ino=2244 scontext=system_u:system_r:ping_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0 Resolves: RHEL-54299
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.