Misc updates #828

cgzones · 2024-10-30T14:31:35Z

No description provided.

pebenito

A few minor nits.

Side note: I'd take a patch to add a codespell check in the lint github action, if you're willing.

policy/modules/kernel/files.if

policy/modules/system/systemd.te

policy/modules/system/userdomain.if

Signed-off-by: Christian Göttsche <[email protected]>

type=PROCTITLE msg=audit(28/10/24 14:04:16.969:146) : proctitle=/usr/lib/systemd/system-generators/systemd-ssh-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/genera type=SYSCALL msg=audit(28/10/24 14:04:16.969:146) : arch=x86_64 syscall=socket success=yes exit=4 a0=vsock a1=SOCK_STREAM a2=ip a3=0x7 items=0 ppid=13019 pid=13030 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-ssh-gen exe=/usr/lib/systemd/system-generators/systemd-ssh-generator subj=system_u:system_r:systemd_generator_t:s0 key=(null) type=AVC msg=audit(28/10/24 14:04:16.969:146) : avc: denied { module_request } for pid=13030 comm=systemd-ssh-gen kmod="net-pf-40" scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=1 Signed-off-by: Christian Göttsche <[email protected]>

type=PROCTITLE msg=audit(28/10/24 14:21:43.722:110) : proctitle=/sbin/agetty -o -p -- \u --noclear - linux type=OBJ_PID msg=audit(28/10/24 14:21:43.722:110) : opid=970 oauid=root ouid=root oses=1 obj=system_u:system_r:local_login_t:s0 ocomm=login type=OBJ_PID msg=audit(28/10/24 14:21:43.722:110) : opid=970 oauid=root ouid=root oses=1 obj=system_u:system_r:local_login_t:s0 ocomm=login type=SYSCALL msg=audit(28/10/24 14:21:43.722:110) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x0 a1=TIOCNOTTY a2=0x0 a3=0x8 items=0 ppid=1 pid=970 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=login exe=/usr/bin/login subj=system_u:system_r:local_login_t:s0 key=(null) type=AVC msg=audit(28/10/24 14:21:43.722:110) : avc: denied { signal } for pid=970 comm=login scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:system_r:local_login_t:s0 tclass=process permissive=0 Signed-off-by: Christian Göttsche <[email protected]>

Signed-off-by: Christian Göttsche <[email protected]>

SELint reports: haproxy.te: 65: (C): Permissions in av rule not ordered (setuid before setgid) (C-005) container.te: 1012: (C): Permissions in av rule not ordered (setuid before setpcap) (C-005) Signed-off-by: Christian Göttsche <[email protected]>

type=PROCTITLE msg=audit(28/03/24 20:06:02.246:111) : proctitle=sort -V -r type=SYSCALL msg=audit(28/03/24 20:06:02.246:111) : arch=x86_64 syscall=sched_getaffinity success=no exit=EACCES(Permission denied) a0=0x0 a1=0x80 a2=0x7fffcffce4f0 a3=0x7f2e4b437a98 items=0 ppid=5539 pid=5542 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts1 ses=1 comm=sort exe=/usr/bin/sort subj=unconfined_u:unconfined_r:bootloader_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(28/03/24 20:06:02.246:111) : avc: denied { getsched } for pid=5542 comm=sort scontext=unconfined_u:unconfined_r:bootloader_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:bootloader_t:s0-s0:c0.c1023 tclass=process permissive=0 Signed-off-by: Christian Göttsche <[email protected]>

Found by codespell(1). Signed-off-by: Christian Göttsche <[email protected]>

Signed-off-by: Christian Göttsche <[email protected]>

cgzones force-pushed the misc branch from 8f975c6 to 9df4a7c Compare October 30, 2024 14:33

pebenito requested changes Nov 1, 2024

View reviewed changes

policy/modules/kernel/files.if Show resolved Hide resolved

policy/modules/system/systemd.te Outdated Show resolved Hide resolved

policy/modules/system/userdomain.if Outdated Show resolved Hide resolved

cgzones added 12 commits November 5, 2024 20:06

unconfined: permit io_uring access

41f15be

Signed-off-by: Christian Göttsche <[email protected]>

userdomain: include map in userdom_manage_user_home_content_files()

068a673

Signed-off-by: Christian Göttsche <[email protected]>

ssh: label sshd-session helper on Debian

d5b3f5b

Signed-off-by: Christian Göttsche <[email protected]>

kernel: create /dev/vsock with correct context

d8d7e8c

Signed-off-by: Christian Göttsche <[email protected]>

Reorder permissions to please SELint

9d62f67

SELint reports: haproxy.te: 65: (C): Permissions in av rule not ordered (setuid before setgid) (C-005) container.te: 1012: (C): Permissions in av rule not ordered (setuid before setpcap) (C-005) Signed-off-by: Christian Göttsche <[email protected]>

Fix typos

42a3add

Found by codespell(1). Signed-off-by: Christian Göttsche <[email protected]>

policy_capabilities: add stub for userspace_initial_context

566ac0b

Signed-off-by: Christian Göttsche <[email protected]>

validate-appconfig: replace tab indentation by spaces

c08366c

Signed-off-by: Christian Göttsche <[email protected]>

check_fc_files: support trailing optional version number

b300752

Signed-off-by: Christian Göttsche <[email protected]>

cgzones force-pushed the misc branch 2 times, most recently from 1896c03 to 2a3653d Compare November 5, 2024 19:45

github: add codespell check

248f211

Signed-off-by: Christian Göttsche <[email protected]>

cgzones force-pushed the misc branch from 2a3653d to 248f211 Compare November 5, 2024 19:46

pebenito approved these changes Nov 6, 2024

View reviewed changes

pebenito merged commit c6f07fd into SELinuxProject:main Nov 6, 2024
118 checks passed

cgzones deleted the misc branch November 6, 2024 14:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Misc updates #828

Misc updates #828

cgzones commented Oct 30, 2024

pebenito left a comment •

edited

Loading

Misc updates #828

Misc updates #828

Conversation

cgzones commented Oct 30, 2024

pebenito left a comment • edited Loading

Choose a reason for hiding this comment

pebenito left a comment •

edited

Loading