fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow nvme_stas_t create and use netlink kobject uevent socket #1972

Closed zpytela closed 9 months ago

zpytela commented 9 months ago

Some permissions were allowed, but not all of those needed for stafd to be able to use the netlink class socket from the kobject uevent family.

The commit addresses the following AVC denial:

type=PROCTITLE msg=audit(12/14/2023 03:16:43.776:934) : proctitle=/usr/bin/python3 /usr/sbin/stafd --syslog
type=SYSCALL msg=audit(12/14/2023 03:16:43.776:934) : arch=x86_64 syscall=getsockopt success=no exit=EACCES(Permission denied) a0=0x3 a1=SOL_SOCKET a2=SO_RCVBUF a3=0x7ffcc7b7384c items=0 ppid=1 pid=14412 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=stafd exe=/usr/bin/python3.12 subj=system_u:system_r:nvme_stas_t:s0 key=(null)
type=AVC msg=audit(12/14/2023 03:16:43.776:934) : avc: denied { getopt } for pid=14412 comm=stafd scontext=system_u:system_r:nvme_stas_t:s0 tcontext=system_u:system_r:nvme_stas_t:s0 tclass=netlink_kobject_uevent_socket permissive=0
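To show how an AVC record like the one above maps to the policy rule a commit such as this one adds, here is a small parser that derives the allow rule the way audit2allow would (source type equal to target type collapses to self). This is an added example, not code from this PR or from selinux-policy; the only input it needs is the audit records quoted above, re-embedded as a constructed sample.

```python
import re
from collections import defaultdict

# Constructed sample: the three audit records quoted in the PR description, one per line.
SAMPLE_AUDIT = """\
type=PROCTITLE msg=audit(12/14/2023 03:16:43.776:934) : proctitle=/usr/bin/python3 /usr/sbin/stafd --syslog
type=SYSCALL msg=audit(12/14/2023 03:16:43.776:934) : arch=x86_64 syscall=getsockopt success=no exit=EACCES(Permission denied) a0=0x3 a1=SOL_SOCKET a2=SO_RCVBUF a3=0x7ffcc7b7384c items=0 ppid=1 pid=14412 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=stafd exe=/usr/bin/python3.12 subj=system_u:system_r:nvme_stas_t:s0 key=(null)
type=AVC msg=audit(12/14/2023 03:16:43.776:934) : avc: denied { getopt } for pid=14412 comm=stafd scontext=system_u:system_r:nvme_stas_t:s0 tcontext=system_u:system_r:nvme_stas_t:s0 tclass=netlink_kobject_uevent_socket permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of an SELinux context user:role:type[:level]."""
    return context.split(":")[2]

def parse_avc_denials(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        yield (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"], frozenset(m["perms"].split()))

def allow_rules(text):
    """Aggregate denials per (source, target, class) into allow rules; source == target becomes 'self'."""
    wanted = defaultdict(set)
    for src, tgt, tclass, perms in parse_avc_denials(text):
        tgt = "self" if tgt == src else tgt
        wanted[(src, tgt, tclass)].update(perms)
    rules = []
    for (src, tgt, tclass), perms in sorted(wanted.items()):
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {src} {tgt}:{tclass} {perm_str};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_AUDIT):
        print(rule)
```

The single record on this page yields only the getopt permission; the PR title says the commit grants the socket's create-and-use permissions more broadly, which a fuller audit log (several denials merged by the same function) would reproduce.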

packit-as-a-service[bot] commented 9 months ago

Cockpit tests failed for commit 5f30da18da7c07735ac84fda6321a0a19e47715a. @martinpitt, @jelly, @mvollmer please check.

pitti: unrelated, some race condition in dnf-automatic. Retried.