systemd v257 tweaks #840

Merged
merged 2 commits into from
Dec 4, 2024


cgzones
Contributor

@cgzones cgzones commented Nov 28, 2024

No description provided.

    audit[14480]: AVC avc:  denied  { create } for  pid=14480 comm="systemd-sysuser" name=".#group5f44baae46cc7c1d" scontext=unconfined_u:unconfined_r:systemd_sysusers_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

systemd v257 started to access various namespace files, e.g.:

    type=PROCTITLE msg=audit(28/11/24 11:14:28.210:154) : proctitle=/usr/lib/systemd/system-generators/systemd-fstab-generator /run/systemd/generator /run/systemd/generator.early /run/systemd/gene
    type=PATH msg=audit(28/11/24 11:14:28.210:154) : item=0 name=/proc/self/ns/cgroup inode=4026531835 dev=00:04 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=CWD msg=audit(28/11/24 11:14:28.210:154) : cwd=/
    type=SYSCALL msg=audit(28/11/24 11:14:28.210:154) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7ffff9715f90 a2=0x7ffff9715fb0 a3=0x0 items=1 ppid=8046 pid=8049 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemd-fstab-g exe=/usr/lib/systemd/system-generators/systemd-fstab-generator subj=system_u:system_r:systemd_generator_t:s0 key=(null)
    type=AVC msg=audit(28/11/24 11:14:28.210:154) : avc:  denied  { getattr } for  pid=8049 comm=systemd-fstab-g path=cgroup:[4026531835] dev="nsfs" ino=4026531835 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
@pebenito pebenito merged commit de5329e into SELinuxProject:main Dec 4, 2024
118 checks passed
@cgzones cgzones deleted the systemd branch December 5, 2024 21:31
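For triaging denials like the two quoted in the commit messages, the following added example (not code from this pull request or from the project) parses AVC records and groups the denied permissions by source type, target type and object class. The function names are hypothetical, and the `allow` lines it prints are only the raw reading of each denial, not the policy change merged here.

```python
import re
from collections import defaultdict

# Records copied from the commit messages above; the CWD record shows a non-AVC line being skipped.
SAMPLE = [
    'audit[14480]: AVC avc:  denied  { create } for  pid=14480 comm="systemd-sysuser" name=".#group5f44baae46cc7c1d" scontext=unconfined_u:unconfined_r:systemd_sysusers_t:s0-s0:c0.c1023 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(28/11/24 11:14:28.210:154) : avc:  denied  { getattr } for  pid=8049 comm=systemd-fstab-g path=cgroup:[4026531835] dev="nsfs" ino=4026531835 scontext=system_u:system_r:systemd_generator_t:s0 tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0',
    'type=CWD msg=audit(28/11/24 11:14:28.210:154) : cwd=/',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def selinux_type(context):
    """Return the type field of a user:role:type[:mls] context, or None."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else None


def parse_avc(line):
    """Parse one audit line; return a dict for an AVC denial, else None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    if not {'scontext', 'tcontext', 'tclass'} <= rec.keys():
        return None
    rec['source_type'] = selinux_type(rec['scontext'])
    rec['target_type'] = selinux_type(rec['tcontext'])
    if rec['source_type'] is None or rec['target_type'] is None:
        return None
    rec['perms'] = m.group('perms').split()
    return rec


def summarize(lines):
    """Merge denials per (source, target, class) into allow-rule strings."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            key = (rec['source_type'], rec['target_type'], rec['tclass'])
            grouped[key].update(rec['perms'])
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE)))
```
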