From 07e2bf732f54f936cccc4e0c7b468d77f97e911a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <flo@redhat.com>
Date: Mon, 30 Aug 2021 18:40:24 +0200
Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo
On aarch64, custodia creates AVC when accessing /proc/cpuinfo.
According to gcrypt manual
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
/proc/cpuinfo is used on ARM architecture to read the hardware
capabilities of the CPU. This explains why the issue happens only
on aarch64.
audit2allow suggests adding the following:
allow ipa_custodia_t proc_t:file { getattr open read };
but this policy would be too broad. Instead, the patch is using
the interface kernel_read_system_state.
Fixes: https://pagure.io/freeipa/issue/8972
Signed-off-by: Florence Blanc-Renaud <flo@redhat.com>
Reviewed-By: Christian Heimes <cheimes@redhat.com>
---
selinux/ipa.te | 1 +
1 file changed, 1 insertion(+)
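diff --git a/selinux/ipa.te b/selinux/ipa.te
index 68e10941951ac391fda7854d1403558c069dad46..7492fca04d4f0d031ecd83871078247d73cc87e0 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
 
 kernel_dgram_send(ipa_custodia_t)
 kernel_read_network_state(ipa_custodia_t)
+kernel_read_system_state(ipa_custodia_t)
 
 auth_read_passwd(ipa_custodia_t)
 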
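Review bot: The new `kernel_read_system_state(ipa_custodia_t)` line carries no explanation, and nothing in ipa.te will tell a later maintainer that it exists only because gcrypt reads /proc/cpuinfo on ARM; a one-line comment above it, `# gcrypt reads /proc/cpuinfo on ARM for CPU capabilities (issue 8972)`, would keep that reason next to the grant. The commit message presents the interface as narrower than the audit2allow rule, but as far as I recall the refpolicy `kernel_read_system_state` interface is itself a read pattern over proc_t files, directories and symlinks rather than a grant scoped to /proc/cpuinfo, so the practical gain is mainly that the access is expressed through the maintained interface; worth confirming against the refpolicy version the policy is built on and reflecting in the comment. The surrounding ipa_custodia_t rule block starts before this hunk.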
--
2.31.1