fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow systemd_fstab_generator_t read tmpfs files #2167

Closed ca-hu closed 2 weeks ago

ca-hu commented 2 weeks ago

Addresses:

Apr 30 14:38:33 localhost kernel: audit: type=1400 audit(1714487912.659:8): avc: denied { read } for pid=485 comm="systemd-fstab-g" name="fstab.extra" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0

systemd-credentials allows credentials to be passed over SMBIOS. These SMBIOS values are mounted as tmpfs to /run/credentials/@system and the content is then mounted as a directory via the fstab generator. Therefore the fstab generator needs to read the content of the mounted tmpfs file.

Reproducer see: https://bugzilla.suse.com/show_bug.cgi?id=1223599#c4
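The denial quoted above maps directly onto one allow rule. As an added example (not code from this PR or from the selinux-policy project), a small POSIX shell helper that performs that mapping for the quoted line and reports whether the denial was enforced or only logged; the function names avc_to_allow and avc_mode are my own.

```shell
#!/bin/sh
# Constructed sample input: the AVC denial quoted in the PR description.
AVC_LINE='Apr 30 14:38:33 localhost kernel: audit: type=1400 audit(1714487912.659:8): avc: denied { read } for pid=485 comm="systemd-fstab-g" name="fstab.extra" dev="tmpfs" ino=2 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0'

# avc_to_allow LINE: turn one "avc: denied" record into the allow rule that
# would satisfy it (the core of what audit2allow does). Returns 1 when the
# line is not a parsable AVC denial.
avc_to_allow() {
    line=$1
    perms=$(printf '%s\n' "$line" | sed -n 's/.*denied { \([^}]*\) }.*/\1/p')
    scon=$(printf '%s\n' "$line" | sed -n 's/.*scontext=\([^ ]*\).*/\1/p')
    tcon=$(printf '%s\n' "$line" | sed -n 's/.*tcontext=\([^ ]*\).*/\1/p')
    tclass=$(printf '%s\n' "$line" | sed -n 's/.*tclass=\([^ ]*\).*/\1/p')
    [ -n "$perms" ] && [ -n "$scon" ] && [ -n "$tcon" ] && [ -n "$tclass" ] || return 1
    # A context is user:role:type:level; the type is the third field.
    stype=$(printf '%s' "$scon" | cut -d: -f3)
    ttype=$(printf '%s' "$tcon" | cut -d: -f3)
    printf 'allow %s %s:%s { %s };\n' "$stype" "$ttype" "$tclass" "$perms"
}

# avc_mode LINE: "enforcing" when the access was actually blocked
# (permissive=0), "permissive" when it was only logged (permissive=1).
avc_mode() {
    case $1 in
        *permissive=0*) echo enforcing ;;
        *permissive=1*) echo permissive ;;
        *) return 1 ;;
    esac
}

avc_to_allow "$AVC_LINE"
avc_mode "$AVC_LINE"
```

For the quoted line this prints `allow systemd_fstab_generator_t tmpfs_t:file { read };` and `enforcing`; in a policy patch the same access is normally granted through an existing interface such as fs_read_tmpfs_files() rather than a raw allow rule.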

zpytela commented 2 weeks ago

Merging, thank you.