C9s build 20241213 #2485
Merged
C9s build 20241213 #2485
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In RHEL 9, file context specifications still need to be based on /var/run path to match the existing "/run = /var/run" equivalency rule.
This permission is needed when a vm needs raw access to SCSI disks. libvirt explicitly grants the qemu process CAP_SYS_RAWIO only if it has a disk with the property enabled in the definition and otherwise a qemu process started by libvirt will not have that capability. Note the previous commit 181dc5c ("Allow svirt_t the sys_rawio capability") allowed the permission actually to the svirt_tcg_t domain. Resolves: RHEL-56955
This domain is used for confined users, can be also reproduced with
a command like
runcon system_u:system_r:initrc_t:s0 /bin/bash -c "mtr --raw --udp -c 1 127.0.0.1"
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(08/16/2024 05:48:11.897:1396) : proctitle=mtr-packet
type=SOCKADDR msg=audit(08/16/2024 05:48:11.897:1396) : saddr={ saddr_fam=inet laddr=10.0.187.156 lport=27594 }
type=SYSCALL msg=audit(08/16/2024 05:48:11.897:1396) : arch=x86_64 syscall=bind success=no exit=EACCES(Permission denied) a0=0x4 a1=0x55e39d06b348 a2=0x10 a3=0x7ffcece8df10 items=0 ppid=93106 pid=93130 auid=user7066 uid=user7066 gid=user7066 euid=user7066 suid=user7066 fsuid=user7066 egid=user7066 sgid=user7066 fsgid=user7066 tty=pts2 ses=13 comm=mtr-packet exe=/usr/sbin/mtr-packet subj=user_u:user_r:traceroute_t:s0 key=(null)
type=AVC msg=audit(08/16/2024 05:48:11.897:1396) : avc: denied { name_bind } for pid=93130 comm=mtr-packet src=27594 scontext=user_u:user_r:traceroute_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=rawip_socket permissive=0
Resolves: RHEL-54561
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(12/11/2024 02:40:01.248:253) : proctitle=/usr/sbin/irqbalance
type=SYSCALL msg=audit(12/11/2024 02:40:01.248:253) : arch=x86_64 syscall=prctl success=no exit=EPERM(Operation not permitted) a0=PR_CAPBSET_DROP a1=chown a2=0x0 a3=0x0 items=0 ppid=1 pid=70658 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=irqbalance exe=/usr/sbin/irqbalance subj=system_u:system_r:irqbalance_t:s0 key=(null)
type=AVC msg=audit(12/11/2024 02:40:01.248:253) : avc: denied { setpcap } for pid=70658 comm=irqbalance capability=setpcap scontext=system_u:system_r:irqbalance_t:s0 tcontext=system_u:system_r:irqbalance_t:s0 tclass=cap_userns permissive=0
Resolves: RHEL-69564
The commit addresses the following AVC denial:
PROCTITLE msg=audit(22.10.2024 22:04:46.449:3240) : proctitle=/usr/sbin/rpc.statd
type=AVC msg=audit(22.10.2024 22:04:46.449:3240) : avc: denied { search } for pid=328102 comm=rpc.statd name=net dev="proc" ino=8508325 scontext=system_u:system_r:rpcd_t:s0 tcontext=system_u:object_r:sysctl_net_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(10/22/2024 16:04:46.449:3240) : arch=aarch64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0xffffed7f78b0 a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=0 ppid=1 pid=328102 auid=unset uid=unknown(29) gid=unknown(29) euid=unknown(29) suid=unknown(29) fsuid=unknown(29) egid=unknown(29) sgid=unknown(29) fsgid=unknown(29) tty=(none) ses=unset comm=rpc.statd exe=/usr/sbin/rpc.statd subj=system_u:system_r:rpcd_t:s0 key=(null)
Resolves: RHEL-1558
After joining container namespace, the sd-parse-elf process wants to drop privileges (i.e. switch under systemd-resolve user) and as part of that process it calls the getpwnam() function. When /etc/nsswitch.conf in container has 'systemd' in passwd and group entries, that causes glibc to try to load that module. However, it is not loading (i.e. trying to create executable mapping of underlying .so file) the module from rootfs but from container and because coredumpt_t doesn't not have execute permission in container_t files we get AVC denial. Resolves: RHEL-46339
Until now, just allow rule to read was present, not giving the search access to the parent directory. Resolves: RHEL-69517
When restarting the audit service using "service auditd restart" from a
custom service (e.g. an automation service), the auditctl --signal stop
command may wait forever for auditd response, which never comes because
auditd didn't receive the SIGTERM event at all.
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(11/26/2024 09:41:41.369:168901) : proctitle=/sbin/auditctl --signal stop
type=SYSCALL msg=audit(11/26/2024 09:41:41.369:168901) : arch=x86_64 syscall=pidfd_send_signal success=no exit=EACCES(Permission denied) a0=0x4 a1=0xf a2=0x0 a3=0x0 items=0 ppid=6984 pid=6987 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=auditctl exe=/usr/sbin/auditctl subj=system_u:system_r:auditctl_t:s0 key=(null)
type=AVC msg=audit(11/26/2024 09:41:41.369:168901) : avc: denied { signal } for pid=6987 comm=auditctl scontext=system_u:system_r:auditctl_t:s0 tcontext=system_u:system_r:auditd_t:s0 tclass=process permissive=0
Resolves: RHEL-68969
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.