commit: d426e26bb3cc269ad035e93d605d7c2dcafbff52
Author: Chris PeBenito <chpebeni <AT> linux <DOT> microsoft <DOT> com>
AuthorDate: Thu Aug 21 15:07:58 2025 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Tue Sep 2 22:04:48 2025 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d426e26b
cloudinit: Add sys_admin to set security.sehash.
Fixes errors like:
Aug 21 14:10:16 linux cloud-init[764]: setxattr failed: /var/lib/cloud:
Operation not permitted
Aug 21 14:10:16 linux cloud-init[764]: setxattr failed: /var/lib/cloud/data:
Operation not permitted
Aug 21 14:10:16 linux cloud-init[777]: setxattr failed: /var/lib/cloud:
Operation not permitted
Aug 21 14:10:16 linux cloud-init[777]: setxattr failed: /var/lib/cloud/data:
Operation not permitted
Aug 21 14:10:16 linux cloud-init[777]: setxattr failed: /var/lib/cloud/scripts:
Operation not permitted
Aug 21 14:10:16 linux cloud-init[777]: setxattr failed: /var/lib/cloud/scripts:
Operation not permitted
Signed-off-by: Chris PeBenito <pebenito <AT> ieee.org>
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/admin/cloudinit.te | 5 +++--
testing/sechecker.ini | 1 +
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/policy/modules/admin/cloudinit.te
b/policy/modules/admin/cloudinit.te
index ddda936cc..bd19f6ea7 100644
--- a/policy/modules/admin/cloudinit.te
+++ b/policy/modules/admin/cloudinit.te
@@ -45,8 +45,9 @@ files_tmp_file(cloud_init_tmp_t)
# Local policy
#
-allow cloud_init_t self:capability { chown dac_override dac_read_search fowner
fsetid setgid setuid };
-dontaudit cloud_init_t self:capability { net_admin sys_admin sys_tty_config };
+# sys_admin: Set security.sehash
+allow cloud_init_t self:capability { chown dac_override dac_read_search fowner
fsetid setgid setuid sys_admin };
+dontaudit cloud_init_t self:capability { net_admin sys_tty_config };
allow cloud_init_t self:fifo_file rw_fifo_file_perms;
allow cloud_init_t self:unix_dgram_socket create_socket_perms;
allow cloud_init_t self:passwd passwd;
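Review bot: The new comment `# sys_admin: Set security.sehash` on the allow line names the xattr but not why the broadest capability in the set is required, and a later maintainer seeing sys_admin granted to cloud_init_t may try to drop it again. The kernel's common capability hook refuses setxattr on any `security.*` name other than `security.selinux` unless the caller holds CAP_SYS_ADMIN, so no narrower capability exists for `security.sehash`, which libselinux's restorecon writes on the directories it relabels (matching the /var/lib/cloud paths in the commit message). I would expand the comment to `# sys_admin: setxattr security.sehash, written by libselinux restorecon on relabeled dirs;` followed by `# security.* xattrs other than security.selinux require CAP_SYS_ADMIN (no narrower cap).`, which also aligns with the reason recorded in the sechecker.ini exemption. The "Local policy" block continues outside the hunk.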
diff --git a/testing/sechecker.ini b/testing/sechecker.ini
index 15bf2cfee..01a885450 100644
--- a/testing/sechecker.ini
+++ b/testing/sechecker.ini
@@ -86,6 +86,7 @@ exempt_source = acpi_t
cgmanager_t # Container cgroup manager
cgred_t # Move processes to cgroups based on
configurable rules
chromium_sandbox_t
+ cloud_init_t # Set security.sehash from restorecon()
calls.
cockpit_session_t
container_engine_t
consoletype_t