packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-xenstored-change-its-hard-resource-limits.patch
lujie42 8f5a7284a7 update upstream patches
2022-11-28 10:41:07 +08:00

33 lines
1.6 KiB
Diff
Raw Blame History

From ad912918e04aefd676e3a2772d7252a978652695 Mon Sep 17 00:00:00 2001
From: Zdenek Pytela <zpytela@redhat.com>
Date: Mon, 26 Sep 2022 15:00:49 +0200
Subject: [PATCH] Allow xenstored change its hard resource limits
Addresses the following AVC denial:
type=PROCTITLE msg=audit(09/23/2022 14:49:28.646:155) : proctitle=prlimit --nofile=1073741816 /usr/sbin/xenstored --pid-file /var/run/xen/xenstored.pid
type=SYSCALL msg=audit(09/23/2022 14:49:28.646:155) : arch=x86_64 syscall=prlimit64 success=no exit=EACCES(Permission denied) a0=0x0 a1=0x7 a2=0x55fa676e15b0 a3=0x0 items=0 ppid=532 pid=536 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=prlimit exe=/usr/bin/prlimit subj=system_u:system_r:xenstored_t:s0 key=(null)
type=AVC msg=audit(09/23/2022 14:49:28.646:155) : avc: denied { setrlimit } for pid=536 comm=prlimit scontext=system_u:system_r:xenstored_t:s0 tcontext=system_u:system_r:xenstored_t:s0 tclass=process permissive=0
Resolves: rhbz#2125693
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/contrib/xen.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/contrib/xen.te b/policy/modules/contrib/xen.te
index bbda6032b..6e1e83b4d 100644
--- a/policy/modules/contrib/xen.te
+++ b/policy/modules/contrib/xen.te
@@ -423,6 +423,7 @@ optional_policy(`
#
allow xenstored_t self:capability { dac_read_search ipc_lock sys_resource };
+allow xenstored_t self:process setrlimit;
allow xenstored_t self:unix_stream_socket create_stream_socket_perms;
allow xenstored_t self:unix_dgram_socket create_socket_perms;
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink