Conversation
Boot shows 4 denials of xec_t using init_t fds. The vglass initscript uses xec to query gpu configuration over dbus. xec doesn't need to access the FDs, so quiet them with a dontaudit. Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
The .fc file has the incorrect /etc/init.d/udev path, when it needs to be /etc/rc.d/init.d/udev to label the file properly. It's been ending up as initrc_exec_t and things (mostly) work. Remove the dead code. Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
We see the following denial:
avc: denied { read write } for pid=74 comm="udevadm" path="/dev/console" dev="devtmpfs" ino=9 scontext=system_u:system_r:udevadm_t:s0 tcontext=system_u:object_r:device_t:s0 tclass=chr_file permissive=0
udevadm is run during boot. device_t shows that /dev/console has not
been labeled yet.
The 20200229 refpolicy uprev introduced udevadm_t - previously it ran as
udev_t. Add a dontaudit to keep the logs clean.
Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Backport the upstream udev watch patch and remove our customization. It labels the files under lib_t, so it doesn't need a watch on lib_t:dir. The patch comes from 2.20220520. Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
WARNING: preferred version 2.20200229 of refpolicy-mcs not available (for item refpolicy-mcs) WARNING: versions of refpolicy-mcs available: 2.20200229+gitAUTOINC+613708cad6 We only have one now, so just remove the preferred version line. Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
Having a non-zero value is deprecated and it was removed in Linux 6.4. Testing without it, everything seems to work. Drop it. Signed-off-by: Jason Andryuk <jandryuk@gmail.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
A few refpolicy fixes after the recent refpolicy uprev.
6ca7754 is a cherry-pick of ba7da75 from #1445
dd43713 is no longer applicable after the