commit 22ee6c04115e8a26f319be3549cd50ad81b5024a
Author: Nathan Scott
Date: Fri Jan 21 13:08:05 2022 +1100
selinux: additional debugfs policy requirement for pmdakvm
Related to Red Hat BZ #2006430
diff --git a/qa/917.out.in b/qa/917.out.in
index 9339f7436..0723565d6 100644
--- a/qa/917.out.in
+++ b/qa/917.out.in
@@ -25,6 +25,7 @@ Checking policies.
 ! allow [pcp_pmcd_t] [container_var_run_t] : [sock_file] { getattr write };
 allow [pcp_pmcd_t] [var_run_t] : [sock_file] { getattr write };
 allow [pcp_pmcd_t] [debugfs_t] : [file] { append getattr ioctl open read write };
+allow [pcp_pmcd_t] [debugfs_t] : [dir] { read };
 ! allow [pcp_pmcd_t] [pcp_pmie_exec_t] : [file] { execute execute_no_trans open read map };
 allow [pcp_pmcd_t] [pcp_var_lib_t] : [fifo_file] { getattr read open unlink };
 allow [pcp_pmcd_t] [proc_kcore_t] : [file] { getattr };
diff --git a/src/selinux/pcpupstream.te.in b/src/selinux/pcpupstream.te.in
index 4a51b804e..20a6705d5 100644
--- a/src/selinux/pcpupstream.te.in
+++ b/src/selinux/pcpupstream.te.in
@@ -144,6 +144,7 @@ allow pcp_pmcd_t var_run_t:sock_file { getattr write };
 #type=AVC msg=audit(XXX.6): avc: denied { append getattr ioctl open read write } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:debugfs_t:s0 tclass=file permissive=0
 allow pcp_pmcd_t debugfs_t:file { append getattr ioctl open read write };
+allow pcp_pmcd_t debugfs_t:dir read;
 #type=AVC msg=audit(XXX.7): avc: denied { execute execute_no_trans open read } for pid=YYYY comm="pmdaX" name="/" dev="tracefs" ino=1 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
 #type=AVC msg=audit(XXX.68): avc: denied { map } for pid=28290 comm="pmie" path="/usr/bin/pmie" dev="dm-0" ino=5443 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:pcp_pmie_exec_t:s0 tclass=file permissive=0
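Review bot: The new expected line `allow [pcp_pmcd_t] [debugfs_t] : [dir] { read };` in qa/917.out.in is added without the `!` prefix that some neighbouring expectations carry; from this file alone I cannot tell what `!` signals, but if it marks rules that may legitimately be absent from an installed policy, an unprefixed line will make the check fail on hosts whose shipped pcpupstream policy predates this rule, so it is worth confirming which form is intended. The matching policy rule `allow pcp_pmcd_t debugfs_t:dir read;` in src/selinux/pcpupstream.te.in (that hunk continues past this chunk) is also the only rule in its neighbourhood with no preceding `#type=AVC ...` comment recording the observed denial; adding the pmdakvm denial line in the same format, e.g. `#type=AVC msg=audit(XXX.N): avc: denied { read } ... scontext=...:pcp_pmcd_t:s0 tcontext=...:debugfs_t:s0 tclass=dir permissive=0` with the real record substituted, would keep the audit trail that justifies each grant consistent. Note the grant is limited to `read` on debugfs_t directories and does not extend `search` or `getattr`, which matches the expectation line exactly.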