commit:     103deadfb6e257799ebf9026cae8a409e0c5a353
Author:     Christian Göttsche <cgzones <AT> googlemail <DOT> com>
AuthorDate: Thu Feb 22 17:00:41 2024 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Mar  1 17:05:46 2024 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=103deadf

selinuxutil: ignore getattr proc in newrole

    type=PROCTITLE msg=audit(02/21/24 22:42:44.555:112) : proctitle=newrole -r 
sysadm_r
    type=SYSCALL msg=audit(02/21/24 22:42:44.555:112) : arch=x86_64 
syscall=fstatfs success=yes exit=0 a0=0x3 a1=0x7ffc75fe1990 a2=0x0 a3=0x0 
items=0 ppid=946 pid=1001 auid=root uid=root gid=root euid=root suid=root 
fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=1 comm=newrole 
exe=/usr/bin/newrole subj=root:staff_r:newrole_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(02/21/24 22:42:44.555:112) : avc:  denied  { getattr } 
for  pid=1001 comm=newrole name=/ dev=proc ino=1 
scontext=root:staff_r:newrole_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:proc_t:s0 tclass=filesystem permissive=1

Signed-off-by: Christian Göttsche <cgzones <AT> googlemail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/system/selinuxutil.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/selinuxutil.te 
b/policy/modules/system/selinuxutil.te
index b1213aa76..4d8624c6b 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -251,6 +251,7 @@ read_lnk_files_pattern(newrole_t, default_context_t, 
default_context_t)
 
 kernel_read_system_state(newrole_t)
 kernel_read_kernel_sysctls(newrole_t)
+kernel_dontaudit_getattr_proc(newrole_t)
 
 corecmd_list_bin(newrole_t)
 
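Review bot: The new `kernel_dontaudit_getattr_proc(newrole_t)` line carries no comment explaining which operation it silences, and the audit record in the commit message (an `fstatfs` on `/proc`, dev=proc ino=1, from newrole_t) is the only place that rationale lives; a reader of selinuxutil.te later will not know whether the dontaudit is still justified. I would add a one-line comment above the rule, `# fstatfs(2) on /proc (dev=proc ino=1), presumably from libselinux probing; harmless, so silence rather than allow`. Since a dontaudit hides the denial permanently, it is also worth stating in the commit or comment that newrole does not depend on the result of that getattr, because the existing `kernel_read_system_state(newrole_t)` two lines above already grants broad proc access and an allow via the corresponding getattr interface would be the alternative if it does. The rule sits among other newrole_t kernel rules, so the placement is consistent with the surrounding block.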
