C10s 20241024 build 2 #2412
Merged
Note this is lldpd, the ISC-licensed implementation of LLDP.

The commit addresses the following AVC denial:

type=PROCTITLE msg=audit(10/24/2024 11:34:00.077:694) : proctitle=/usr/sbin/lldpd -x
type=PATH msg=audit(10/24/2024 11:34:00.077:694) : item=0 name=/run/systemd/userdb/io.systemd.Machine inode=1822 dev=00:1a mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SOCKADDR msg=audit(10/24/2024 11:34:00.077:694) : saddr={ saddr_fam=local path=/run/systemd/userdb/io.systemd.Machine }
type=SYSCALL msg=audit(10/24/2024 11:34:00.077:694) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x8 a1=0x7fffe83dfa90 a2=0x29 a3=0x55841122f010 items=1 ppid=1 pid=12880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(10/24/2024 11:34:00.077:694) : avc: denied { connectto } for pid=12880 comm=lldpd path=/run/systemd/userdb/io.systemd.Machine scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0

Resolves: RHEL-61634

This permission is required for lldptool to manage the LLDP settings and status of lldpad from the CLI.

Note this is for the lldpad daemon from the lldpad package - Intel LLDP Agent.

The commit addresses the following AVC denial:

type=PROCTITLE msg=audit(10/24/2024 10:30:16.119:1577) : proctitle=/usr/sbin/lldpad -t
type=SOCKADDR msg=audit(10/24/2024 10:30:16.119:1577) : saddr={ saddr_fam=local path=/com/intel/lldpad/19983 }
type=SYSCALL msg=audit(10/24/2024 10:30:16.119:1577) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffe36c70ef0 a2=0x3 a3=0x0 items=0 ppid=1 pid=19351 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(10/24/2024 10:30:16.119:1577) : avc: denied { sendto } for pid=19351 comm=lldpad path=/com/intel/lldpad/19983 scontext=system_u:system_r:lldpad_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0

Resolves: RHEL-61634

Note this is for lldptool and vdptool connecting to the lldpad daemon from the lldpad package - Intel LLDP Agent.

The commit addresses the following AVC denial example:

type=PROCTITLE msg=audit(10/24/2024 10:22:07.718:854) : proctitle=lldptool -p
type=SOCKADDR msg=audit(10/24/2024 10:22:07.718:854) : saddr={ saddr_fam=local path=/com/intel/lldpad }
type=SYSCALL msg=audit(10/24/2024 10:22:07.718:854) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x55c239a95312 a2=0x14 a3=0x0 items=0 ppid=10028 pid=10029 auid=user27128 uid=user27128 gid=user27128 euid=user27128 suid=user27128 fsuid=user27128 egid=user27128 sgid=user27128 fsgid=user27128 tty=pts3 ses=6 comm=lldptool exe=/usr/sbin/lldptool subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/24/2024 10:22:07.718:854) : avc: denied { sendto } for pid=10029 comm=lldptool path=/com/intel/lldpad scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0 tclass=unix_dgram_socket permissive=0

Resolves: RHEL-61634

See [RHEL-25605 - AVCs "sys_admin" when executing systemd-notify from a service unit](https://issues.redhat.com/browse/RHEL-25701).

Reproducer:

1. Create /etc/systemd/system/repro.service with content below

[Service]
Type=notify
NotifyAccess=all
ExecStart=/bin/sh -c "sleep 3; systemd-notify --ready"

2. Reload systemd and start the service

# systemctl daemon-reload
# systemctl start repro

AVC:

-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
type=PROCTITLE msg=audit(02/15/2024 10:55:23.848:260) : proctitle=systemd-notify --ready
type=SYSCALL msg=audit(02/15/2024 10:55:23.848:260) : arch=x86_64 syscall=sendmsg success=no exit=EPERM(Operation not permitted) a0=0x3 a1=0x7fff3972ed90 a2=MSG_NOSIGNAL a3=0x7fff3972ed14 items=0 ppid=25967 pid=25969 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-notify exe=/usr/bin/systemd-notify subj=system_u:system_r:systemd_notify_t:s0 key=(null)
type=AVC msg=audit(02/15/2024 10:55:23.848:260) : avc: denied { sys_admin } for pid=25969 comm=systemd-notify capability=sys_admin scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:systemd_notify_t:s0 tclass=capability permissive=0
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Signed-off-by: Renaud Métrich <[email protected]>

Resolves: RHEL-58072

It is actually required to connect to the kernel_t as systemd-userdbd still runs in the kernel_t domain.

The commit addresses the following AVC denial:

type=PROCTITLE msg=audit(10/17/2024 08:14:22.490:1934) : proctitle=journalctl --no-pager --user -u local-notifier
type=PATH msg=audit(10/17/2024 08:14:22.490:1934) : item=0 name=/run/systemd/userdb/io.systemd.DynamicUser inode=48 dev=00:1a mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SOCKADDR msg=audit(10/17/2024 08:14:22.490:1934) : saddr={ saddr_fam=local path=/run/systemd/userdb/io.systemd.DynamicUser }
type=SYSCALL msg=audit(10/17/2024 08:14:22.490:1934) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7fffdad19ed0 a2=0x2d a3=0x563c77854010 items=1 ppid=67664 pid=67665 auid=user2043 uid=user2043 gid=user2043 euid=user2043 suid=user2043 fsuid=user2043 egid=user2043 sgid=user2043 fsgid=user2043 tty=pts1 ses=26 comm=journalctl exe=/usr/bin/journalctl subj=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/17/2024 08:14:22.490:1934) : avc: denied { connectto } for pid=67665 comm=journalctl path=/systemd/userdb/io.systemd.DynamicUser scontext=sysadm_u:sysadm_r:journalctl_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0

Resolves: RHEL-58072

The denial can be triggered by the following sequence:

grdctl --system vnc enable
grdctl --system rdp enable

The commit addresses the following AVC denial:

type=PROCTITLE msg=audit(10/23/2024 02:51:35.701:987) : proctitle=/usr/libexec/gnome-remote-desktop-daemon --system
type=PATH msg=audit(10/23/2024 02:51:35.701:987) : item=0 name=/etc/gnome-remote-desktop inode=276729 dev=fc:02 mode=dir,755 ouid=gnome-remote-desktop ogid=gnome-remote-desktop rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(10/23/2024 02:51:35.701:987) : arch=x86_64 syscall=inotify_add_watch success=yes exit=2 a0=0x3 a1=0x5620c104b9d0 a2=0x1002fce a3=0x5620c1003010 items=1 ppid=1 pid=3596 auid=unset uid=gnome-remote-desktop gid=gnome-remote-desktop euid=gnome-remote-desktop suid=gnome-remote-desktop fsuid=gnome-remote-desktop egid=gnome-remote-desktop sgid=gnome-remote-desktop fsgid=gnome-remote-desktop tty=(none) ses=unset comm=gnome-remote-de exe=/usr/libexec/gnome-remote-desktop-daemon subj=system_u:system_r:gnome_remote_desktop_t:s0 key=(null)
type=AVC msg=audit(10/23/2024 02:51:35.701:987) : avc: denied { watch } for pid=3596 comm=gnome-remote-de path=/etc/gnome-remote-desktop dev="vda2" ino=276729 scontext=system_u:system_r:gnome_remote_desktop_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1

Resolves: RHEL-35877

This permission is required when the iolog_dir directive is configured in the sudoers file for the sudo command input/output log directory.

The commit addresses the following AVC denial:

type=PROCTITLE msg=audit(11/09/2023 08:46:34.833:368) : proctitle=sudo dmidecode
type=SYSCALL msg=audit(11/09/2023 08:46:34.833:368) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fff7f989ef0 a2=O_RDONLY|O_NONBLOCK a3=0x0 items=0 ppid=4561 pid=29408 auid=sysadm uid=sysadm gid=sysadm euid=root suid=root fsuid=root egid=root sgid=sysadm fsgid=root tty=pts1 ses=8 comm=sudo exe=/usr/bin/sudo subj=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(11/09/2023 08:46:34.833:368) : avc: denied { read } for pid=29408 comm=sudo name=var dev="dm-0" ino=33575046 scontext=sysadm_u:sysadm_r:sysadm_sudo_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=0

Resolves: RHEL-58068

This is a follow-up commit to 41c4218 ("Add support for secretmem anon inode") which allowed the necessary permission to unconfined domain types. This commit allows it also for the sysadm_t domain.

Note: Pages allocated with this method can never be swapped out of the physical memory and the system hibernation is blocked as long as any file descriptor created with this method exists, so this permission should be allowed to a very limited set of domains only.

Resolves: RHEL-40953

These permissions are requested when the new libdnf, which implements handling of SELinux file contexts, is loaded, but subscription-manager does not actually need them.

The commit addresses the following AVC denials:

type=PROCTITLE msg=audit(01/15/2024 11:21:17.704:345) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsm-package-profile-uploader --force-upload
type=PATH msg=audit(01/15/2024 11:21:17.704:345) : item=0 name=/etc/selinux/targeted/contexts/files/file_contexts.subs_dist nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(01/15/2024 11:21:17.704:345) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x556739b81090 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=663 pid=5746 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsm-package-pr exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(01/15/2024 11:21:17.704:345) : avc: denied { search } for pid=5746 comm=rhsm-package-pr name=contexts dev="vda1" ino=4128398 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0

type=PROCTITLE msg=audit(01/15/2024 11:21:17.704:346) : proctitle=/usr/libexec/platform-python /usr/libexec/rhsm-package-profile-uploader --force-upload
type=SYSCALL msg=audit(01/15/2024 11:21:17.704:346) : arch=x86_64 syscall=write success=no exit=EACCES(Permission denied) a0=0x6 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=663 pid=5746 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rhsm-package-pr exe=/usr/libexec/platform-python3.6 subj=system_u:system_r:rhsmcertd_t:s0 key=(null)
type=AVC msg=audit(01/15/2024 11:21:17.704:346) : avc: denied { setfscreate } for pid=5746 comm=rhsm-package-pr scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=process permissive=0

Resolves: RHEL-58009
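Each commit message in this pull request quotes an AVC record in the interpreted `ausearch -i` form and derives a policy change from it. As an added example, not code from the selinux-policy project, the following Python script parses such records, merges them by source type, target type and object class the way audit2allow does, and renders the candidate type-enforcement rule. It also flags records with `permissive=1` (audited but still granted, as in the gnome-remote-desktop commit) and shows, for the rhsmcertd denials that subscription-manager does not actually need, that the same parsed record can be rendered as a `dontaudit` rule instead. The sample records are copied from the commit messages above (the leading SYSCALL line is abbreviated); the function names `parse_avc`, `render_rule`, `summarize` and `report` are mine.

```python
"""Parse SELinux AVC denial records and render candidate policy rules.

Added example, not code from the selinux-policy project. Input is the
interpreted `ausearch -i` form quoted in the commit messages on this page.
"""
import re

# Matches an AVC record and captures the denied permission set and the
# key=value fields that follow "for".
AVC_RE = re.compile(
    r"type=AVC\b.*?avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
# One key=value token; quoted values such as dev="vda2" are kept intact.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of an AVC denial, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = dict(TOKEN_RE.findall(m.group("rest")))
    # Contexts are user:role:type[:range]; TE rules name the type only.
    return {
        "perms": set(m.group("perms").split()),
        "source": fields["scontext"].split(":")[2],
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm", ""),
        # permissive=1 means the access was audited but still granted.
        "enforced": fields.get("permissive") == "0",
    }


def render_rule(avc, kind="allow"):
    """Render a TE rule; 'self' is used when source and target types match."""
    target = "self" if avc["source"] == avc["target"] else avc["target"]
    perms = " ".join(sorted(avc["perms"]))
    if len(avc["perms"]) > 1:
        perms = "{ " + perms + " }"
    return f"{kind} {avc['source']} {target}:{avc['tclass']} {perms};"


def summarize(lines):
    """Merge denials by (source, target, class), as audit2allow does."""
    merged = {}
    for line in lines:
        avc = parse_avc(line)
        if avc is None:
            continue
        key = (avc["source"], avc["target"], avc["tclass"])
        if key in merged:
            merged[key]["perms"] |= avc["perms"]
            merged[key]["enforced"] = merged[key]["enforced"] or avc["enforced"]
        else:
            merged[key] = avc
    return merged


def report(lines):
    """One candidate allow rule per merged denial, flagging audit-only ones."""
    out = []
    for avc in summarize(lines).values():
        note = "" if avc["enforced"] else "  # permissive=1: audited only, access was granted"
        out.append(render_rule(avc) + note)
    return out


# Records quoted from the commit messages on this page; the SYSCALL line is
# abbreviated and included only to show that non-AVC records are skipped.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(10/24/2024 11:34:00.077:694) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(10/24/2024 11:34:00.077:694) : avc: denied { connectto } for pid=12880 comm=lldpd path=/run/systemd/userdb/io.systemd.Machine scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
type=AVC msg=audit(02/15/2024 10:55:23.848:260) : avc: denied { sys_admin } for pid=25969 comm=systemd-notify capability=sys_admin scontext=system_u:system_r:systemd_notify_t:s0 tcontext=system_u:system_r:systemd_notify_t:s0 tclass=capability permissive=0
type=AVC msg=audit(10/23/2024 02:51:35.701:987) : avc: denied { watch } for pid=3596 comm=gnome-remote-de path=/etc/gnome-remote-desktop dev="vda2" ino=276729 scontext=system_u:system_r:gnome_remote_desktop_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=dir permissive=1
type=AVC msg=audit(01/15/2024 11:21:17.704:345) : avc: denied { search } for pid=5746 comm=rhsm-package-pr name=contexts dev="vda1" ino=4128398 scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:object_r:default_context_t:s0 tclass=dir permissive=0
type=AVC msg=audit(01/15/2024 11:21:17.704:346) : avc: denied { setfscreate } for pid=5746 comm=rhsm-package-pr scontext=system_u:system_r:rhsmcertd_t:s0 tcontext=system_u:system_r:rhsmcertd_t:s0 tclass=process permissive=0
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rule in report(lines):
        print(rule)
    # The rhsmcertd denials are not needed by the program, so a policy author
    # would silence them rather than grant them:
    print(render_rule(parse_avc(lines[5]), "dontaudit"))
```

The rendered rule is only a starting point: whether a denial should become `allow`, `dontaudit`, or a fix in the program itself is the policy author's call, which is exactly the distinction the rhsmcertd commit makes. A `permissive=1` record is worth reading differently from the others, because the access went through and the record documents what the policy would block once the domain is enforcing.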