From aa453b23dda7346c05810114444285a41b08b6e2 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela
Date: Thu, 14 Nov 2024 20:58:40 +0100
Subject: [PATCH 1/3] Allow chronyd read networkmanager's pid files

The commit addresses the following AVC denial:
type=AVC msg=audit(1717458744.849:161): avc: denied { getattr } for pid=1487 comm="chronyd" path="/run/NetworkManager/no-stub-resolv.conf" dev="tmpfs" ino=2481 scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:object_r:NetworkManager_var_run_t:s0 tclass=file permissive=0

Resolves: rhbz#2290310
---
 policy/modules/contrib/chronyd.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/chronyd.te b/policy/modules/contrib/chronyd.te
index 9d4917c1f4..37147fb078 100644
--- a/policy/modules/contrib/chronyd.te
+++ b/policy/modules/contrib/chronyd.te
@@ -163,6 +163,10 @@ optional_policy(`
 gpsd_rw_shm(chronyd_t)
 ')
 
+optional_policy(`
+ networkmanager_read_pid_files(chronyd_t)
+')
+
 optional_policy(`
 virt_read_lib_files(chronyd_t)
 ')

From b24822cc0ab3623d2876d8a8dbd338445c5f3aa1 Mon Sep 17 00:00:00 2001
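Review bot: The added `networkmanager_read_pid_files(chronyd_t)` grants read access to every NetworkManager_var_run_t file, while the denial quoted in the message is only `getattr` on /run/NetworkManager/no-stub-resolv.conf, and nothing in the hunk records why the wider permission is the right one. Presumably chronyd follows /etc/resolv.conf when it is a symlink into /run/NetworkManager and then reads the file for name resolution, but that reasoning should be written down, e.g. `# /etc/resolv.conf may be a symlink into /run/NetworkManager` on the line above the new optional_policy block. If getattr is the only access ever exercised, a narrower grant than the read interface would keep the rule closer to the observed need.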
From: Zdenek Pytela
Date: Fri, 15 Nov 2024 18:52:04 +0100
Subject: [PATCH 2/3] Allow tlp the setpgid process permission

The commit addresses the following AVC denial:
type=AVC msg=audit(14. okt. 2024 09:35:47.580:341) : avc: denied { setpgid } for pid=10546 comm=timeout scontext=system_u:system_r:tlp_t:s0 tcontext=system_u:system_r:tlp_t:s0 tclass=process permissive=0
type=PROCTITLE msg=audit(14. okt. 2024 18:00:35.038:594) : proctitle=timeout 2 flock -x 9
type=SYSCALL msg=audit(14. okt. 2024 18:00:35.038:594) : arch=x86_64 syscall=setpgid success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x10000000000000 items=0 ppid=40368 pid=40408 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=timeout exe=/usr/bin/timeout subj=system_u:system_r:tlp_t:s0 key=(null)

Resolves: rhbz#2317893
---
 policy/modules/contrib/tlp.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/tlp.te b/policy/modules/contrib/tlp.te
index 18b456faa2..1003c5cd30 100644
--- a/policy/modules/contrib/tlp.te
+++ b/policy/modules/contrib/tlp.te
@@ -23,6 +23,7 @@ systemd_unit_file(tlp_unit_file_t)
 # tlp local policy
 #
 
 allow tlp_t self:capability { net_admin setgid setuid sys_admin sys_rawio };
+allow tlp_t self:process setpgid;
 allow tlp_t self:unix_stream_socket create_stream_socket_perms;
 allow tlp_t self:udp_socket create_socket_perms;
 allow tlp_t self:unix_dgram_socket create_socket_perms;

From 74782e009c561aafbca817fa5cc54584f07efe4b Mon Sep 17 00:00:00 2001
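Review bot: The new `allow tlp_t self:process setpgid;` rule carries no hint of which helper needs it, although the quoted records show the caller is /usr/bin/timeout issuing setpgid(0, 0) (a0=0x0 a1=0x0) for a `timeout 2 flock -x 9` command running in tlp_t. A one-line comment above the rule, `# timeout(1) run by the tlp scripts moves itself into its own process group`, would keep the reason next to the grant for the next person who audits this domain. The permission is self-only, so the added exposure is small; note that the AVC and the PROCTITLE/SYSCALL records in the description come from two different events (pid 10546 at 09:35 and pid 40408 at 18:00), which is worth tidying so the evidence lines up.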
From: Zdenek Pytela
Date: Tue, 21 Jan 2025 13:14:29 +0100
Subject: [PATCH 3/3] Allow nfsidmap connect to systemd-homed over a unix socket

The commit addresses the following AVC denial:
type=AVC msg=audit(1730526325.738:1384): avc: denied { connectto } for pid=30373 comm="nfsidmap" path="/run/systemd/userdb/io.systemd.Home" scontext=system_u:system_r:nfsidmap_t:s0 tcontext=system_u:system_r:systemd_homed_t:s0 tclass=unix_stream_socket permissive=0

Resolves: rhbz#2323363
---
 policy/modules/contrib/rpc.te | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/contrib/rpc.te b/policy/modules/contrib/rpc.te
index 1bf25c41bd..1b0cdff103 100644
--- a/policy/modules/contrib/rpc.te
+++ b/policy/modules/contrib/rpc.te
@@ -479,3 +479,7 @@ optional_policy(`
 systemd_machined_stream_connect(nfsidmap_t)
 systemd_userdbd_stream_connect(nfsidmap_t)
 ')
+
+optional_policy(`
+ systemd_homed_stream_connect(nfsidmap_t)
+')
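Review bot: The new `systemd_homed_stream_connect(nfsidmap_t)` sits in its own optional_policy block immediately after one that already holds `systemd_machined_stream_connect(nfsidmap_t)` and `systemd_userdbd_stream_connect(nfsidmap_t)`; if all three interfaces are provided by the same systemd module, the call belongs inside that existing block as a line after `systemd_userdbd_stream_connect(nfsidmap_t)`, and the second wrapper is noise. The existing block opens before the hunk starts, so only its closing quote is visible here and the @@ context line is all that shows its opening. Either way a short comment would explain the grant, since the message only quotes the denial: presumably nfsidmap is querying the user database sockets under /run/systemd/userdb, of which io.systemd.Home is one, so `# nfsidmap looks up users via the sockets in /run/systemd/userdb, including systemd-homed` above the rule would do.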