Closed naokitnk closed 4 months ago
@naokitnk I see the denial was caught in SELinux enforcing, is getattr sufficient?
Yes, getattr is sufficient. No further related denials are observed once that permission is granted.
Thank you, merging.
Need to allow cgred_t to get attributes of cgroup filesystems as the libcgroup package adds support for systemd.
FYI, below is the denial this commit addresses:
type=AVC msg=audit(1704959348.276:880): avc: denied { getattr } for pid=4938 comm="cgrulesengd" name="/" dev="cgroup" ino=1 scontext=system_u:system_r:cgred_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
This is observed with libcgroup v3.1.0, which added support for systemd:
https://github.com/libcgroup/libcgroup/tree/release-3.1