On Sunday, 2 April 2023 04:15:18 AEST Christian Göttsche wrote:
>
> Probably due to the usage of the -T flag
>
> +kernel_read_vm_overcommit_sysctl(setfiles_t)

added

>
> +dev_read_urand(vnstatd_t)

added

> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400 audit(1680368952.624:6): avc: denied { relabelfrom } for pid=488 comm="systemd-tmpfile" name="mtab" dev="vda1" ino=261264 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400 audit(1680368952.624:7): avc: denied { relabelto } for pid=488 comm="systemd-tmpfile" name="mtab" dev="vda1" ino=261264 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400 audit(1680368952.624:8): avc: denied { relabelfrom } for pid=488 comm="systemd-tmpfile" name="root" dev="vda1" ino=1044482 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400 audit(1680368952.628:9): avc: denied { relabelto } for pid=488 comm="systemd-tmpfile" name="root" dev="vda1" ino=1044482 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400 audit(1680368952.628:10): avc: denied { relabelfrom } for pid=488 comm="systemd-tmpfile" name=".ssh" dev="vda1" ino=1044487 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:ssh_home_t:s0 tclass=dir permissive=1
>
> Caused by /usr/lib/tmpfiles.d/provision.conf
>
> +allow systemd_tmpfiles_t etc_t:lnk_file { relabelfrom relabelto };
> +allow systemd_tmpfiles_t ssh_home_t:dir { relabelfrom relabelto };
> +allow systemd_tmpfiles_t user_home_dir_t:dir { relabelfrom relabelto };
> # label files with user unconfined_u running as user system_u
> +domain_obj_id_change_exemption(systemd_tmpfiles_t)

I'll look into that one later.

> type=PROCTITLE msg=audit(01/04/23 19:42:13.993:72) : proctitle=userdel vnstat
> type=PATH msg=audit(01/04/23 19:42:13.993:72) : item=0 name=/proc/484/root inode=2 dev=fe:01 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:root_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(01/04/23 19:42:13.993:72) : cwd=/
> type=SYSCALL msg=audit(01/04/23 19:42:13.993:72) : arch=x86_64 syscall=newfstatat success=yes exit=0 a0=AT_FDCWD a1=0x7ffcaa762780 a2=0x7ffcaa7626d0 a3=0x0 items=1 ppid=659 pid=660 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts4 ses=1 comm=userdel exe=/usr/sbin/userdel subj=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(01/04/23 19:42:13.993:72) : avc: denied { sys_ptrace } for pid=660 comm=userdel capability=sys_ptrace scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=1
>
> +allow useradd_t self:capability sys_ptrace;

How can you reproduce that? I had been considering it but don't know what it's for.

> type=PROCTITLE msg=audit(01/04/23 19:43:51.042:119) : proctitle=/sbin/groupadd -g 110 vnstat
> type=SYSCALL msg=audit(01/04/23 19:43:51.042:119) : arch=x86_64 syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffeed32c5c0 a2=0x0 a3=0x0 items=0 ppid=856 pid=857 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts4 ses=1 comm=groupadd exe=/usr/sbin/groupadd subj=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(01/04/23 19:43:51.042:119) : avc: denied { getattr } for pid=857 comm=groupadd name=/ dev="proc" ino=1 scontext=unconfined_u:unconfined_r:groupadd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1
>
> +kernel_getattr_proc(groupadd_t)

Added.

>
> type=PROCTITLE msg=audit(01/04/23 19:47:34.834:196) : proctitle=plocate /
> type=SYSCALL msg=audit(01/04/23 19:47:34.834:196) : arch=x86_64 syscall=io_uring_setup success=yes exit=4 a0=0x100 a1=0x7ffc94fad5c0 a2=0x7ffc94fad5c0 a3=0x7f17e70aa570 items=0 ppid=1224 pid=1225 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts4 ses=1 comm=plocate exe=/usr/bin/plocate subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(01/04/23 19:47:34.834:196) : avc: denied { create } for pid=1225 comm=plocate anonclass=[io_uring] scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1
> ----
> type=PROCTITLE msg=audit(01/04/23 19:47:34.834:197) : proctitle=plocate /
> type=MMAP msg=audit(01/04/23 19:47:34.834:197) : fd=4 flags=MAP_SHARED|MAP_POPULATE
> type=SYSCALL msg=audit(01/04/23 19:47:34.834:197) : arch=x86_64 syscall=mmap success=yes exit=139740637237248 a0=0x0 a1=0x2540 a2=PROT_READ|PROT_WRITE a3=MAP_SHARED|MAP_POPULATE items=0 ppid=1224 pid=1225 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts4 ses=1 comm=plocate exe=/usr/bin/plocate subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
> type=AVC msg=audit(01/04/23 19:47:34.834:197) : avc: denied { read write } for pid=1225 comm=plocate path=anon_inode:[io_uring] dev="anon_inodefs" ino=20748 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1
> type=AVC msg=audit(01/04/23 19:47:34.834:197) : avc: denied { map } for pid=1225 comm=plocate path=anon_inode:[io_uring] dev="anon_inodefs" ino=20748 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1
>
> Usage of io_uring, e.g. in plocate
>
> +allow unconfined_t self:anon_inode { create map read write };

added

>
>
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400 audit(1680368952.052:3): avc: denied { create } for pid=375 comm="mkdir" name="console-setup" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400 audit(1680368952.052:4): avc: denied { create } for pid=334 comm="cached_setup_fo" name="font-loaded" scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
> Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400 audit(1680368952.052:5): avc: denied { write open } for pid=334 comm="cached_setup_fo" path="/run/console-setup/font-loaded" dev="tmpfs" ino=721 scontext=system_u:system_r:udev_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=1
>
> Since there are some Debian patches to the refpolicy regarding /run/console-setup, I am not sure what your preferred resolution would be.

I'll look into that later.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

_______________________________________________
SELinux-devel mailing list
SELinux-devel@alioth-lists.debian.net
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/selinux-devel
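The rules quoted in the thread are derived from the AVC records in a mechanical way: source type, target type, object class and the permissions inside the braces, with `self` when source and target type coincide and permissions merged per (source, target, class). The script below, an added example that is not code from the thread, from refpolicy or from audit2allow, does that derivation over a handful of the records quoted above (reconstructed here as one-line records, as the kernel emits them) and accepts both the dmesg shape (`audit: type=1400 ... avc: denied`) and the `ausearch -i` shape (`type=AVC msg=audit(...) : avc: denied`). It also flags denials whose source and target contexts carry different SELinux users, which is the situation the thread handles with `domain_obj_id_change_exemption()` rather than with a plain allow rule. The function and variable names are this example's own; the output is a list of candidate rules to review, and the thread itself shows why review matters: a capability like `sys_ptrace` is questioned before being granted, and the author prefers refpolicy interfaces such as `kernel_getattr_proc()` to raw `allow` lines.

```python
"""Derive candidate refpolicy allow rules from SELinux AVC denial records.

Added example; not code from the selinux-devel thread, refpolicy or
audit2allow.  Handles the two record shapes quoted in the thread:
  - dmesg:      "... audit: type=1400 audit(...): avc: denied { perms } for ..."
  - ausearch -i: "type=AVC msg=audit(...) : avc: denied { perms } for ..."
"""
import re
from collections import defaultdict

# Only the pieces that go into a rule are captured.  Contexts have the
# form user:role:type[:range]; the type is extracted by parse_context().
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scon>\S+).*?tcontext=(?P<tcon>\S+).*?tclass=(?P<tclass>\S+)"
)


def parse_context(ctx):
    """Split 'user:role:type[:range]' into (user, type)."""
    parts = ctx.split(":")
    return parts[0], parts[2]


def parse_avc(line):
    """Return the rule-relevant fields of one record, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    suser, stype = parse_context(m.group("scon"))
    tuser, ttype = parse_context(m.group("tcon"))
    return {
        "perms": frozenset(m.group("perms").split()),
        "stype": stype,
        "ttype": ttype,
        "tclass": m.group("tclass"),
        # A relabel across SELinux users (e.g. system_u domain touching an
        # unconfined_u object) hits a constraint, not just an allow rule.
        "user_mismatch": suser != tuser,
    }


def derive_rules(lines):
    """Merge denials into allow rules keyed by (source type, target type, class).

    Returns (rules, notes): rules is a sorted list of 'allow ...;' strings,
    notes the sorted (source, target) pairs whose denial crossed SELinux users.
    """
    perms = defaultdict(set)
    notes = set()
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue  # PROCTITLE, SYSCALL, PATH, ... records carry no denial
        perms[(d["stype"], d["ttype"], d["tclass"])] |= d["perms"]
        if d["user_mismatch"]:
            notes.add((d["stype"], d["ttype"]))
    rules = []
    for (stype, ttype, tclass), ps in sorted(perms.items()):
        target = "self" if stype == ttype else ttype
        plist = " ".join(sorted(ps))
        if len(ps) > 1:
            plist = "{ %s }" % plist
        rules.append("allow %s %s:%s %s;" % (stype, target, tclass, plist))
    return rules, sorted(notes)


# Constructed sample: one-line versions of records quoted in the thread,
# plus one SYSCALL record to show that non-AVC lines are skipped.
SAMPLE = [
    'Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400 audit(1680368952.624:6): avc: denied { relabelfrom } for pid=488 comm="systemd-tmpfile" name="mtab" dev="vda1" ino=261264 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1',
    'Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400 audit(1680368952.624:7): avc: denied { relabelto } for pid=488 comm="systemd-tmpfile" name="mtab" dev="vda1" ino=261264 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=lnk_file permissive=1',
    'Apr 01 19:09:12 debianrefpolicy kernel: audit: type=1400 audit(1680368952.628:9): avc: denied { relabelto } for pid=488 comm="systemd-tmpfile" name="root" dev="vda1" ino=1044482 scontext=system_u:system_r:systemd_tmpfiles_t:s0 tcontext=unconfined_u:object_r:user_home_dir_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(01/04/23 19:42:13.993:72) : avc: denied { sys_ptrace } for pid=660 comm=userdel capability=sys_ptrace scontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:useradd_t:s0-s0:c0.c1023 tclass=capability permissive=1',
    'type=AVC msg=audit(01/04/23 19:47:34.834:197) : avc: denied { read write } for pid=1225 comm=plocate path=anon_inode:[io_uring] dev="anon_inodefs" ino=20748 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1',
    'type=AVC msg=audit(01/04/23 19:47:34.834:197) : avc: denied { map } for pid=1225 comm=plocate path=anon_inode:[io_uring] dev="anon_inodefs" ino=20748 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:unconfined_t:s0 tclass=anon_inode permissive=1',
    'type=SYSCALL msg=audit(01/04/23 19:47:34.834:197) : arch=x86_64 syscall=mmap success=yes exit=139740637237248',
]

if __name__ == "__main__":
    rules, notes = derive_rules(SAMPLE)
    print("\n".join(rules))
    for stype, ttype in notes:
        print("# %s -> %s crosses SELinux users; a constraint exemption may be needed"
              % (stype, ttype))
```

The merged `{ map read write }` rule for `unconfined_t` matches the thread's io_uring rule minus `create`, which came from the separate event 196 record not included in the sample; the `user_home_dir_t` note reproduces the situation behind the `domain_obj_id_change_exemption(systemd_tmpfiles_t)` line.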