| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
| |
Signed-off-by: Nicolas PARLANT <nicolas.parlant@parhuet.fr>
Closes: https://github.com/gentoo/hardened-refpolicy/pull/3
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: nisbet-hubbard <87453615+nisbet-hubbard@users.noreply.github.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When fapolicyd is configured with allow_filesystem_mark = 1 it watches filesysems and mount points
When fapolicyd is configured with integrituy = sha256 it mmaps files to perform hash
node=localhost type=AVC msg=audit(1726153668.013:418): avc: denied { watch } for pid=1561 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
node=localhost type=AVC msg=audit(1726154081.718:403): avc: denied { watch } for pid=1598 comm="fapolicyd" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1
node=localhost type=AVC msg=audit(1726154081.718:403): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/" dev="dm-1" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:root_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154081.718:402): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/dev/shm" dev="tmpfs" ino=1 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154081.721:404): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/boot" dev="sda2" ino=128 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:boot_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154081.722:406): avc: denied { watch_sb } for pid=1598 comm="fapolicyd" path="/var" dev="dm-9" ino=2 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:var_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1726154706.227:415): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/bin/kmod" dev="dm-1" ino=14600 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:kmod_exec_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1726154743.367:999): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/lib/systemd/systemd" dev="dm-1" ino=17564 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:init_exec_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1726154743.403:1030): avc: denied { map } for pid=1594 comm="fapolicyd" path="/usr/bin/bash" dev="dm-1" ino=3571 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:shell_exec_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1726154807.975:476): avc: denied { map } for pid=1599 comm="fapolicyd" path="/usr/lib/systemd/user-environment-generators/30-systemd-environment-d-generator" dev="dm-1" ino=17589 scontext=system_u:system_r:fapolicyd_t:s0 tcontext=system_u:object_r:systemd_generator_exec_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
avc: denied { read } for pid=463 comm="systemd-hostnam" name="vsock"
dev="devtmpfs" ino=170 scontext=system_u:system_r:systemd_hostnamed_t:s0-s15:c0.c1023
tcontext=system_u:object_r:vsock_device_t:s0 tclass=chr_file permissive=0
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
avc: denied { getattr } for pid=121 comm="systemd-ssh-gen"
path="/usr/sbin/sshd" dev="vda" ino=7787
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1
avc: denied { execute } for pid=121 comm="systemd-ssh-gen"
name="sshd" dev="vda" ino=7787
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:sshd_exec_t tclass=file permissive=1
avc: denied { create } for pid=121 comm="systemd-ssh-gen"
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:system_r:systemd_generator_t tclass=vsock_socket
permissive=1
avc: denied { read } for pid=121 comm="systemd-ssh-gen" name="vsock"
dev="devtmpfs" ino=152 scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
avc: denied { open } for pid=121 comm="systemd-ssh-gen"
path="/dev/vsock" dev="devtmpfs" ino=152
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
avc: denied { ioctl } for pid=121 comm="systemd-ssh-gen"
path="/dev/vsock" dev="devtmpfs" ino=152 ioctlcmd=0x7b9
scontext=system_u:system_r:systemd_generator_t
tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
| |
Vsock is a Linux socket family designed to allow communication between a
VM and its hypervisor. Add a new label vsock_device_t for vsock device.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The systemd-nsresourced service was added in systemd v256[1]. Add policy
for this service and allow all domains to connect to it over unix
socket.
Fixes:
avc: denied { connectto } for pid=325 comm="avahi-daemon"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:avahi_t tcontext=system_u:system_r:initrc_t
tclass=unix_stream_socket permissive=1
avc: denied { write } for pid=327 comm="dbus-daemon"
name="io.systemd.NamespaceResource" dev="tmpfs" ino=54
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:object_r:init_runtime_t tclass=sock_file permissive=1
avc: denied { connectto } for pid=327 comm="dbus-daemon"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:system_dbusd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1
avc: denied { connectto } for pid=200 comm="systemd-userwor"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:systemd_userdbd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1
avc: denied { connectto } for pid=198 comm="systemd-userwor"
path="/run/systemd/io.systemd.NamespaceResource"
scontext=system_u:system_r:systemd_userdbd_t
tcontext=system_u:system_r:initrc_t tclass=unix_stream_socket
permissive=1
[1] https://github.com/systemd/systemd/commit/8aee931e7ae1adb01eeac0e1e4c0aef6ed3969ec
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
avc: denied { create } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { getopt } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { setopt } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { bind } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { getattr } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { write } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { nlmsg_read } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { read } for pid=373 comm="systemd"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=netlink_route_socket
permissive=1
avc: denied { sendto } for pid=378 comm="(ystemctl)"
scontext=root:sysadm_r:sysadm_systemd_t
tcontext=root:sysadm_r:sysadm_systemd_t tclass=unix_dgram_socket
permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
avc: denied { create } for pid=344 comm="systemd-network"
name="io.systemd.Network" scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:systemd_networkd_runtime_t tclass=sock_file
permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Fixes:
avc: denied { read } for pid=344 comm="systemd-network"
path="/var/lib/systemd/network" dev="vda" ino=30708
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1
avc: denied { write } for pid=344 comm="systemd-network"
name="network" dev="vda" ino=30708
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1
avc: denied { getattr } for pid=344 comm="systemd-network"
path="/var/lib/systemd/network" dev="vda" ino=30708
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:init_var_lib_t tclass=dir permissive=1
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Guido Trentalancia <guido@trentalancia.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
bluetooth contexts when Gatt notifications are turned on by remote.
Below are the avc denials that are resolved -
1. AVC avc: denied { use } for pid=916 comm="dbus-daemon"
path="socket:[71126]" dev="sockfs" ino=71126
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=fd permissive=0
2. AVC avc: denied { read write } for pid=913 comm="dbus-daemon"
path="socket:[25037]" dev="sockfs" ino=25037
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=0
3. AVC avc: denied { use } for pid=910 comm="bluetoothd"
path="socket:[23966]" dev="sockfs" ino=23966
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=fd permissive=0
4. AVC avc: denied { read write } for pid=2229 comm="bluetoothd"
path="socket:[27264]" dev="sockfs" ino=27264
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=0
Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
| |
For pod health checks.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
| |
There are cases where one may want to mount certs on the host into a
container.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
| |
container_kvm_t is the type for containers with access to KVM for
running virtual machines.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
| |
When multus creates a new network, iptables rules get written to /tmp
and iptables will be called to load them.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
| |
Seen on a recent update to Cilium.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
| |
When kubelet sets up a container that 1) has mountpoints using subPath
directories and 2) has a volume that is newly provisioned and not yet
relabeled, kubelet will create the mountpoint directories on this volume
before relabeling it. Allow kubelet to create these directories.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
| |
Allow haproxy to be run interactively, e.g. to test its config file and
report errors.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
| |
Containers created via quadlet become runtime units. Podman auto-update
can still restart these, but it needs the appropriate access.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
| |
The nftables program reads files in /usr/share/iproute2.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
| |
It is a USB Gadget config pseudo-FS, not a network nor distributed FS
Signed-off-by: Dmitry Sharshakov <d3dx12.xx@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
| |
Make xdg optional to avoid a potential build error.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
| |
OpenSSH 9.8 splits out much of the session code from the main sshd
binary into a new sshd-session binary. Allow the sshd server to execute
this binary by labeling it as sshd_exec_t.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Required for fixing the below avc denials -
1. audit: type=1400 audit(1651238006.276:496):
avc: denied { read write } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
2. audit: type=1400 audit(1651238006.276:497):
avc: denied { getattr } for pid=2165 comm="bluetoothd"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
3. audit: type=1400 audit(1651238006.272:495):
avc: denied { read write } for pid=689 comm="dbus-daemon"
path="socket:[43207]" dev="sockfs" ino=43207
scontext=system_u:system_r:system_dbusd_t:s0-s15:c0.c1023
tcontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=1
4. audit[1894]: AVC avc: denied { read write } for pid=1894
comm="bluetoothctl" path="/dev/pts/0" dev="devpts" ino=3
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:object_r:initrc_devpts_t:s0
tclass=chr_file permissive=0
5. audit[2022]: AVC avc: denied { use } for pid=2022
comm="bluetoothctl" path="socket:[25769]" dev="sockfs" ino=25769
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=fd permissive=0
6. audit[2006]: AVC avc: denied { read write } for pid=2006
comm="bluetoothctl" path="socket:[21106]" dev="sockfs" ino=21106
scontext=system_u:system_r:bluetooth_helper_t:s0-s15:c0.c1023
tcontext=system_u:system_r:bluetooth_t:s0-s15:c0.c1023
tclass=unix_stream_socket permissive=0
Signed-off-by: Naga Bhavani Akella <quic_nakella@quicinc.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
pulseaudio uses bluetooth sockets for HFP-AG and
HSP-HS profile to do SLC and SCO connection with
remote.
avc: denied { create } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { bind } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { listen } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { accept } for pid=1271 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { getopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { setopt } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { read } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { write } for pid=1271 comm="bluetooth" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { shutdown } for pid=137606 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
avc: denied { connect } for pid=137606 comm="pulseaudio" scontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tcontext=system_u:system_r:pulseaudio_t:s0-s15:c0.c1023 tclass=bluetooth_socket permissive=1
Signed-off-by: Raghavender Reddy Bujala <quic_rbujala@quicinc.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before the patch:
root@qemux86-64:~# ls -lZ /etc/security/opasswd
-?????????? ? ? ? ? ? ? /etc/security/opasswd
After the patch:
root@qemux86-64:~# ls -lZ /etc/security/opasswd
-rw-------. 1 root root user_u:object_r:shadow_history_t 237 Jun 30 12:03 /etc/security/opasswd
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
| |
For NFS mounts.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
| |
type=AVC msg=audit(1719451104.395:18364): avc: denied { watch } for pid=288883 comm="deliver" path="/var/spool/mail/domains/concord.sh/me@concord.sh/mail/dovecot-uidlist.lock" dev="dm-0" ino=17638966 scontext=system_u:system_r:postfix_pipe_t:s0 tcontext=system_u:object_r:mail_spool_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
| |
ping will check whether IPv6 is disabled.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
| |
Commit 4e7511f4a previously added access for init to use DBUS system bus
file descriptors while the intended access was for pidfds. Add an
interface for pidfd usage so that when pidfds are eventually handled
separately from regular fds, this interface can be adjusted.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
sudo sends a SIGWINCH to child processes when invoked. If an
administrator uses sudo in the fashion of "sudo su - root", sudo will
send a signal to the corresponding su process.
type=PROCTITLE msg=audit(1715721229.386:293930): proctitle=7375646F007375002D00726F6F74
type=SYSCALL msg=audit(1715721229.386:293930): arch=c000003e syscall=62 success=no exit=-13 a0=ffcaa72d a1=1c a2=0 a3=795615bb49d0 items=0 ppid=3496128 pid=3496140 auid=1000 uid=1000 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=14 comm="sudo" exe="/usr/bin/sudo" subj=staff_u:staff_r:staff_sudo_t:s0 key=(null)
type=AVC msg=audit(1715721229.386:293930): avc: denied { signal } for pid=3496140 comm="sudo" scontext=staff_u:staff_r:staff_sudo_t:s0 tcontext=staff_u:sysadm_r:sysadm_su_t:s0 tclass=process permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
| |
ip wants to read files in /usr/share/iproute2.
type=AVC msg=audit(1715785441.968:297208): avc: denied { read } for pid=3559095 comm="ip" name="group" dev="dm-1" ino=1075055 scontext=staff_u:sysadm_r:ifconfig_t:s0 tcontext=system_u:object_r:usr_t:s0 tclass=file permissive=0
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
|
|
|
|
| |
This is to avoid a long timeout in pam_systemd when logging on. This is
the second half of the fix described in
ddc6ac493cef7bb64c3d1904b2c660f61b931f59.
Signed-off-by: Kenton Groombridge <concord@gentoo.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|
|
|
|
|
| |
Signed-off-by: freedom1b2830 <freedom1b2830@gmail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
|