packages/selinux-policy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
selinux-policy/backport-Allow-pcp-pmcd-search-tracefs-and-acct_data-dirs.patch
lujie42 8f5a7284a7 update upstream patches
2022-11-28 10:41:07 +08:00

78 lines
2.6 KiB
Diff
Raw Blame History

From b821da04f48bfc97b4e214df7e17326df0c5ed7a Mon Sep 17 00:00:00 2001
From: Nikola Knazekova <nknazeko@redhat.com>
Date: Tue, 6 Sep 2022 15:19:59 +0200
Subject: [PATCH] Allow pcp pmcd search tracefs and acct_data dirs
Allow Performance Metrics Domain Agent (PMDA) search accesses on the directory /sys/kernel/tracing.
Addresses the following AVC denial:
type=AVC msg=audit(1642589553.515:244): avc: denied { search } for pid=2039 comm="pmdakvm" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:tracefs_t:s0 tclass=dir permissive=0
Resolves: bz#2041845
Allow pmdaproc search accesses on the directory /var/account.
Add interface to allow search process accounting data.
Addresses the following AVC denial:
type=AVC msg=audit(1642589553.499:243): avc: denied { search } for pid=2036 comm="pmdaproc" name="account" dev="sdf1" ino=9175045 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:acct_data_t:s0 tclass=dir permissive=0
Resolves: bz#2041843
Signed-off-by: lujie42 <lujie54@huawei.com>
---
policy/modules/contrib/acct.if | 18 ++++++++++++++++++
policy/modules/contrib/pcp.te | 5 +++++
2 files changed, 23 insertions(+)
diff --git a/policy/modules/contrib/acct.if b/policy/modules/contrib/acct.if
index bc4038b45..86dcc1d5f 100644
--- a/policy/modules/contrib/acct.if
+++ b/policy/modules/contrib/acct.if
@@ -60,6 +60,24 @@ interface(`acct_exec_data',`
can_exec($1, acct_data_t)
')
+########################################
+## <summary>
+## Search process accounting data.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`acct_search_data',`
+ gen_require(`
+ type acct_data_t;
+ ')
+
+ search_dirs_pattern($1, acct_data_t, acct_data_t)
+')
+
########################################
## <summary>
## Create, read, write, and delete
diff --git a/policy/modules/contrib/pcp.te b/policy/modules/contrib/pcp.te
index 66200d46f..920456afc 100644
--- a/policy/modules/contrib/pcp.te
+++ b/policy/modules/contrib/pcp.te
@@ -146,6 +146,7 @@ fs_getattr_all_dirs(pcp_pmcd_t)
fs_list_cgroup_dirs(pcp_pmcd_t)
fs_read_cgroup_files(pcp_pmcd_t)
fs_read_nfsd_files(pcp_pmcd_t)
+fs_search_tracefs_dirs(pcp_pmcd_t)
init_read_utmp(pcp_pmcd_t)
@@ -159,6 +160,10 @@ storage_raw_read_fixed_disk(pcp_pmcd_t)
userdom_read_user_tmp_files(pcp_pmcd_t)
userdom_manage_unpriv_user_semaphores(pcp_pmcd_t)
+optional_policy(`
+ acct_search_data(pcp_pmcd_t)
+')
+
optional_policy(`
cron_read_pid_files(pcp_pmcd_t)
')
--
2.27.0
Reference in New Issue View Git Blame Copy Permalink