C10s 20241213 build #2487
Merged
C10s 20241213 build #2487
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Until now, just allow rule to read was present, not giving the search access to the parent directory. Resolves: RHEL-69512
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(10/09/2024 07:56:26.551:600) : proctitle=/usr/sbin/virtqemud --timeout 120
type=PATH msg=audit(10/09/2024 07:56:26.551:600) : item=1 name=/dev/pts/1 inode=4 dev=00:19 mode=character,620 ouid=qemu ogid=tty rdev=88:01 obj=system_u:object_r:svirt_devpts_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(10/09/2024 07:56:26.551:600) : item=0 name=/dev/pts/ inode=1 dev=00:19 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:devpts_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(10/09/2024 07:56:26.551:600) : arch=x86_64 syscall=openat success=yes exit=23 a0=AT_FDCWD a1=0x7fbd64009210 a2=O_RDWR|O_CREAT|O_NOCTTY a3=0x0 items=2 ppid=1 pid=6186 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=rpc-virtqemud exe=/usr/sbin/virtqemud subj=system_u:system_r:virtqemud_t:s0 key=(null)
type=AVC msg=audit(10/09/2024 07:56:26.551:600) : avc: denied { open } for pid=6186 comm=rpc-virtqemud path=/dev/pts/1 dev="devpts" ino=4 scontext=system_u:system_r:virtqemud_t:s0 tcontext=system_u:object_r:svirt_devpts_t:s0 tclass=chr_file permissive=1
Resolves: RHEL-43446
SSSD is being reworked [1] to not rely on effective capabilities but to raise a permitted capability when needed, and drop it completely when not needed anymore. [1] SSSD/sssd#7731 The commit addresses the following AVC denial: type=AVC msg=audit(1733309927.245:4711): avc: denied { setcap } for pid=43967 comm="selinux_child" scontext=system_u:system_r:sssd_selinux_manager_t:s0 tcontext=system_u:system_r:sssd_selinux_manager_t:s0 tclass=process permissive=1 type=SYSCALL msg=audit(1733309927.245:4711): arch=c000003e syscall=126 success=yes exit=0 a0=55795759750c a1=557957597514 a2=557957597514 a3=80 items=0 ppid=41662 pid=43967 auid=4294967295 uid=990 gid=986 euid=990 suid=990 fsuid=990 egid=986 sgid=986 fsgid=986 tty=(none) ses=4294967295 comm="selinux_child" exe="/usr/libexec/sssd/selinux_child" subj=system_u:system_r:sssd_selinux_manager_t:s0 key=(null)ARCH=x86_64 SYSCALL=capset AUID="unset" UID="sssd" GID="sssd" EUID="sssd" SUID="sssd" FSUID="sssd" EGID="sssd" SGID="sssd" FSGID="sssd" type=CAPSET msg=audit(1733309927.245:4711): pid=43967 cap_pi=0000000000000080 cap_pp=00000000000000c0 cap_pe=0000000000000080 cap_pa=0 Resolves: RHEL-70822
zpytela
force-pushed
the
c10s-20241213-build
branch
from
7d0f0a4 to
9f0f8fe
Compare
Resolves: RHEL-70850
Resolves: RHEL-70850
zpytela
force-pushed
the
c10s-20241213-build
branch
from
038088b to
981f498
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.