fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Add support for secretmem anon inode #2107

Closed JurajMarcin closed 1 month ago

JurajMarcin commented 2 months ago

Commit 65b9e0bdceb7e6adbe308f9a591b103cba6986ef implements proper support for anon inodes; however, it does not implement support for the secretmem anon inode.

This patch adds a type transition, so the [secretmem] anon inode is always created with the secretmem_t type. It also adds an interface allowing the create permission on secretmem_t and allows unconfined_domain_type to use it.

Addresses the following AVCs:

type=PROCTITLE msg=audit(03/27/2024 02:54:00.035:4382) : proctitle=stress-ng-resources [run]
type=SYSCALL msg=audit(03/27/2024 02:54:00.035:4382) : arch=x86_64 syscall=memfd_secret success=no exit=EACCES(Permission denied) a0=0x0 a1=0x0 a2=0x0 a3=0x0 items=0 ppid=2072 pid=5294 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=stress-ng-resou exe=/usr/bin/stress-ng subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(03/27/2024 02:54:00.035:4382) : avc: denied { create } for pid=5294 comm=stress-ng-resou anonclass=[secretmem] scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=0

Resolves: rhbz#2270895
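The shape of the change the description outlines, written out below as an added illustration in SELinux policy language. This is not the PR's own diff: `secretmem_t`, the `[secretmem]` anon class name, the `domain` and `unconfined_domain_type` attributes and the `create` permission come from the page and the existing policy, while the interface name `kernel_secretmem_use`, the file placement in the comments, and the `map read write` permissions (for the later `mmap()` of the returned fd) are my assumptions.

```selinux
## policy/modules/kernel/kernel.te  (placement is an assumption)

# Type for secretmem anon inodes created by memfd_secret(2).
type secretmem_t;

# For an anon inode with no context inode, the kernel asks the policy for a
# transition with the creating task's context as both source and target,
# keyed by the anon class name.  Without this rule the inode keeps the
# creator's type, which is why the AVC above reports tcontext=...:unconfined_t
# for tclass=anon_inode.
type_transition domain domain:anon_inode secretmem_t "[secretmem]";

## policy/modules/kernel/kernel.if  (interface name is an assumption)

########################################
## <summary>
##	Create and use secretmem anon inodes.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`kernel_secretmem_use',`
	gen_require(`
		type secretmem_t;
	')

	# create is the permission denied in the AVC on this page; map, read and
	# write are an assumption covering the mmap() of the fd that follows.
	allow $1 secretmem_t:anon_inode { create map read write };
')

## policy/modules/system/unconfined.te

# Every unconfined domain may create and use secretmem anon inodes.
kernel_secretmem_use(unconfined_domain_type)
```

After the module is rebuilt and loaded, `sesearch -T -s unconfined_t -t unconfined_t -c anon_inode` (setools) should list the transition to `secretmem_t` for the name `[secretmem]`, and rerunning the triggering program under `ausearch -m AVC -ts recent` should no longer show a `create` denial with `tcontext` equal to the caller's own type.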

zpytela commented 1 month ago

Merging, thank you.