C10s build 20250108 #2509

Merged
merged 5 commits into from
Jan 8, 2025

zpytela
Contributor

@zpytela zpytela commented Jan 8, 2025

No description provided.

This is a partial update to the previous commit 477e0bd ("Support
virt live migration using ssh") which incorrectly allowed the permission
to the ssh server.

The commit addresses the following AVC denial:
type=AVC msg=audit(1736307102.011:826): avc:  denied  { signal } for  pid=2370 comm="virtqemud" scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:system_r:ssh_t:s0 tclass=process permissive=1

Resolves: RHEL-53972

Similar to 3023aa8 ("Allow systemd-related domains getattr nsfs
files") and follow-up commits, the same permission is needed for the
systemd user instance, running in the user context.

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(01/07/2025 18:55:46.084:26366) : proctitle=systemd-tmpfiles --user --create --remove --boot
type=PATH msg=audit(01/07/2025 18:55:46.084:26366) : item=0 name=/proc/self/ns/pid inode=4026531836 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(01/07/2025 18:55:46.084:26366) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffc89d3c6a0 a2=0x7ffc89d3c6c0 a3=0x0 items=1 ppid=471876 pid=471884 auid=user7401 uid=user7401 gid=user7401 euid=user7401 suid=user7401 fsuid=user7401 egid=user7401 sgid=user7401 fsgid=user7401 tty=(none) ses=765 comm=systemd-tmpfile exe=/usr/bin/systemd-tmpfiles subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(01/07/2025 18:55:46.084:26366) : avc:  denied  { getattr } for

Resolves: RHEL-72549
@zpytela zpytela force-pushed the c10s-build-20250108 branch from a310c63 to 941e159 Compare January 8, 2025 15:39
@zpytela zpytela merged commit 3ae9a5e into fedora-selinux:c10s Jan 8, 2025
1 of 4 checks passed
@zpytela zpytela deleted the c10s-build-20250108 branch January 8, 2025 15:47
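
Added example (not part of the pull request or the selinux-policy source): a small Python parser that reads the AVC records quoted in the description above and derives the raw `allow` rule an audit2allow-style tool would suggest, while refusing to derive anything from the truncated record. The function names `parse_avc` and `to_allow_rule` are hypothetical, the sample lines are copied from the denials quoted above, and the actual policy change may use an interface macro rather than this raw rule.

```python
import re

# Sample input constructed from the two AVC lines quoted in the PR description.
RAW_AVC = ('type=AVC msg=audit(1736307102.011:826): avc:  denied  { signal } for  '
           'pid=2370 comm="virtqemud" scontext=system_u:system_r:virtqemud_t:s0 '
           'tcontext=system_u:system_r:ssh_t:s0 tclass=process permissive=1')
TRUNCATED_AVC = ('type=AVC msg=audit(01/07/2025 18:55:46.084:26366) : '
                 'avc:  denied  { getattr } for')

PERMS_RE = re.compile(r'avc:\s+denied\s+\{\s*([^}]*?)\s*\}')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC denial, or None if the record is incomplete."""
    m = PERMS_RE.search(line)
    if m is None:
        return None
    # Everything after the permission set is a run of key=value fields.
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line[m.end():])}
    if not {'scontext', 'tcontext', 'tclass'} <= fields.keys():
        return None  # truncated record: not enough to derive a rule
    return {
        'perms': m.group(1).split(),
        # An SELinux context is user:role:type[:level]; the type is field 3.
        'source_type': fields['scontext'].split(':')[2],
        'target_type': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        # permissive=1 means the access was logged but not blocked.
        'permissive': fields.get('permissive') == '1',
    }


def to_allow_rule(avc):
    """Render the raw type-enforcement rule for one parsed denial."""
    perms = avc['perms']
    perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {perm_str};"


if __name__ == '__main__':
    for line in (RAW_AVC, TRUNCATED_AVC):
        avc = parse_avc(line)
        print(to_allow_rule(avc) if avc else 'incomplete AVC record, no rule derived')
```

A derived rule is a starting point for review: it shows which source domain, target type, class and permission the denial involved, not whether granting it is appropriate.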