[node-patches] Change in ovirt-node[master]: ovirt.te: Add snmp selinux for unlabeled_t:file

dougsland at redhat.com dougsland at redhat.com
Wed May 11 16:03:35 UTC 2016


Douglas Schilling Landgraf has uploaded a new change for review.

Change subject: ovirt.te: Add snmp selinux for unlabeled_t:file
......................................................................

ovirt.te: Add snmp selinux for unlabeled_t:file

Should cover the following denied entries:
type=AVC msg=audit(1462981993.743:376): avc:  denied  { getattr } for  pid=18064 comm="snmpd" path="/var/lib/net-snmp/snmpd.conf" dev="dm-8" ino=126 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1462981993.743:376): arch=c000003e syscall=4 success=yes exit=0 a0=7ffddad8e600 a1=7ffddad8e570 a2=7ffddad8e570 a3=5 items=0 ppid=1 pid=18064 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snmpd" exe="/usr/sbin/snmpd" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1462981993.743:377): avc:  denied  { rename } for  pid=18064 comm="snmpd" name="snmpd.conf" dev="dm-8" ino=126 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1462981993.743:377): arch=c000003e syscall=82 success=yes exit=0 a0=7ffddad8e600 a1=7ffddad8e800 a2=ffffffffffffff80 a3=0 items=0 ppid=1 pid=18064 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snmpd" exe="/usr/sbin/snmpd" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=AVC msg=audit(1462981993.744:378): avc:  denied  { unlink } for  pid=18064 comm="snmpd" name="snmpd.0.conf" dev="dm-8" ino=126 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=SYSCALL msg=audit(1462981993.744:378): arch=c000003e syscall=87 success=yes exit=0 a0=7ffddad8f010 a1=7ffddad8ef80 a2=7ffddad8ef80 a3=0 items=0 ppid=1 pid=18064 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="snmpd" exe="/usr/sbin/snmpd" subj=system_u:system_r:snmpd_t:s0 key=(null)
type=SERVICE_STOP msg=audit(1462981993.750:379): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=snmpd comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
type=AVC msg=audit(1462981993.997:380): avc:  denied  { read } for  pid=18116 comm="snmpd" name="0" dev="dm-8" ino=129 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file
type=AVC msg=audit(1462981993.997:380): avc:  denied  { open } for  pid=18116 comm="snmpd" path="/var/lib/net-snmp/mib_indexes/0" dev="dm-8" ino=129 scontext=system_u:system_r:snmpd_t:s0 tcontext=unconfined_u:object_r:unlabeled_t:s0 tclass=file

Change-Id: I91689638f1bf4b345b8b4ca64807b908375b58eb
Bug-Url: https://bugzilla.redhat.com/show_bug.cgi?id=1283519
Signed-off-by: Douglas Schilling Landgraf <dougsland at redhat.com>
---
M semodule/ovirt.te.in
1 file changed, 1 insertion(+), 0 deletions(-)


  git pull ssh://gerrit.ovirt.org:29418/ovirt-node refs/changes/59/57359/1

diff --git a/semodule/ovirt.te.in b/semodule/ovirt.te.in
index beaa702..971f252 100644
--- a/semodule/ovirt.te.in
+++ b/semodule/ovirt.te.in
@@ -248,6 +248,7 @@
 allow snmpd_t device_t:sock_file write;
 allow snmpd_t ovirt_t:unix_dgram_socket sendto;
 allow snmpd_t tmpfs_t:file { read getattr open };
+allow snmpd_t unlabeled_t:file { rename read getattr unlink open };
 
 
 #============= sshd_t ==============
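Review bot: the added `allow snmpd_t unlabeled_t:file { rename read getattr unlink open };` rule is not scoped to the files in the quoted denials. It lets snmpd read, rename and unlink any file on the system that has lost its label. Every AVC record in the commit message points at objects under /var/lib/net-snmp (snmpd.conf, snmpd.0.conf, mib_indexes/0) on dev="dm-8" with tcontext unlabeled_t, which suggests the underlying problem is that this directory tree is not labeled on that device. Consider fixing the labeling instead, for example a file context entry for the path plus a restorecon at install or boot time, so these files get the type the base policy expects for snmpd state. If the allow rule has to stay as a stopgap, add a comment above it referencing the bug and explaining why unlabeled_t is expected here. Also note that the SYSCALL records show success=yes, so the denials were logged without being enforced; it would be worth confirming in enforcing mode that these five permissions are the complete set snmpd needs.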


-- 
To view, visit https://gerrit.ovirt.org/57359

Gerrit-MessageType: newchange
Gerrit-Change-Id: I91689638f1bf4b345b8b4ca64807b908375b58eb
Gerrit-PatchSet: 1
Gerrit-Project: ovirt-node
Gerrit-Branch: master
Gerrit-Owner: Douglas Schilling Landgraf <dougsland at redhat.com>


