fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Allow systemd-networkd to write files in /var/lib/systemd/network #2206

Open zpytela opened 3 days ago

zpytela commented 3 days ago

The commit addresses the following AVC denial:

```
type=PROCTITLE msg=audit(06/28/2024 22:15:26.391:6401) : proctitle=/usr/lib/systemd/systemd-networkd
type=PATH msg=audit(06/28/2024 22:15:26.391:6401) : item=0 name=/proc/self/fd/20 inode=2131 dev=00:25 mode=dir,755 ouid=systemd-network ogid=systemd-network rdev=00:00 obj=system_u:object_r:systemd_networkd_var_lib_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(06/28/2024 22:15:26.391:6401) : arch=x86_64 syscall=access success=no exit=EACCES(Permission denied) a0=0x7ffea97360e0 a1=W_OK a2=0x0 a3=0x0 items=1 ppid=1 pid=255124 auid=unset uid=systemd-network gid=systemd-network euid=systemd-network suid=systemd-network fsuid=systemd-network egid=systemd-network sgid=systemd-network fsgid=systemd-network tty=(none) ses=unset comm=systemd-network exe=/usr/lib/systemd/systemd-networkd subj=system_u:system_r:systemd_networkd_t:s0 key=(null)
type=AVC msg=audit(06/28/2024 22:15:26.391:6401) : avc: denied { write } for pid=255124 comm=systemd-network name=network dev="nvme0n1p4" ino=2131 scontext=system_u:system_r:systemd_networkd_t:s0 tcontext=system_u:object_r:systemd_networkd_var_lib_t:s0 tclass=dir permissive=0
```
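The AVC record in the description carries everything needed to derive the missing permission: source type from scontext, target type from tcontext, the object class and the denied permission set. As an added example (not the selinux-policy project's code, and not necessarily the rule the commit itself adds, which may use a policy interface instead), this parses that record and renders the minimal audit2allow-style rule that would cover it; the SYSCALL record shows this was access(2) with W_OK, a writability probe on the directory, but the permission SELinux checks for it is still dir write.

```python
import re

# Constructed for this example: the AVC record from the PR description,
# as the single line ausearch -i prints it.
AVC_RECORD = (
    'type=AVC msg=audit(06/28/2024 22:15:26.391:6401) : avc: denied { write } '
    'for pid=255124 comm=systemd-network name=network dev="nvme0n1p4" ino=2131 '
    'scontext=system_u:system_r:systemd_networkd_t:s0 '
    'tcontext=system_u:object_r:systemd_networkd_var_lib_t:s0 tclass=dir permissive=0'
)

_DENIED_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}")
_FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(record: str) -> dict:
    """Split one AVC record into permissions, source/target types and class.

    A context is user:role:type[:range]; a type-enforcement rule only names
    the type component (third field), so only that part is kept.
    """
    m = _DENIED_RE.search(record)
    if not m:
        raise ValueError("not an AVC denial record")
    fields = {k: v.strip('"') for k, v in _FIELD_RE.findall(record)}
    return {
        "perms": sorted(m.group(1).split()),
        "stype": fields["scontext"].split(":")[2],
        "ttype": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        # permissive=1 means the access was logged but actually allowed
        "permissive": fields.get("permissive") == "1",
    }


def allow_rule(avc: dict) -> str:
    """Render the minimal allow rule covering the parsed denial."""
    perms = avc["perms"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {perm_str};"


if __name__ == "__main__":
    parsed = parse_avc(AVC_RECORD)
    print(allow_rule(parsed))
```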