Summary: | groupadd_t needs read access to default contexts | |
---|---|---|---
Product: | Gentoo Linux | Reporter: | Sven Vermeulen (RETIRED) <swift>
Component: | Hardened | Assignee: | Sven Vermeulen (RETIRED) <swift>
Status: | VERIFIED FIXED | |
Severity: | normal | CC: | selinux
Priority: | Normal | |
Version: | unspecified | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | sec-policy r9 | |
Package list: | | Runtime testing required: | ---
Bug Depends on: | 406819 | |
Bug Blocks: | | |
Description
Sven Vermeulen (RETIRED)
2012-04-22 12:13:26 UTC
With seutil_read_default_contexts, the following denial occurs:

"""
Apr 22 14:17:11 testsys kernel: [ 4535.791950] type=1400 audit(1335097031.460:178): avc: denied { search } for pid=10737 comm="groupadd" name="files" dev="vda1" ino=1122 scontext=root:sysadm_r:groupadd_t tcontext=system_u:object_r:file_context_t tclass=dir
"""

Adding seutil_read_file_contexts() as well makes things work again.

seutil_read_default_contexts can be eliminated; seutil_read_file_contexts contains the proper rights.

Will be in -r9

r9 now in hardened-dev overlay

r9 is now ~arch in main tree

Stabilized
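The denial above is the kind of line you would feed to audit2allow to see which raw rule the kernel is asking for before deciding which refpolicy interface covers it. The following is an added example, not code from the bug report or from Gentoo's sec-policy: a small audit2allow-style parser that turns AVC denials into `allow` rules, aggregating permissions per (source type, target type, class). The first input line is the denial quoted in the bug; the remaining lines are constructed for this example (a follow-on `read`/`open` on the file_contexts file, and one non-AVC kernel line that must be skipped) and do not come from the page.

```python
"""Minimal audit2allow-style reader for AVC denials (added example).

Not part of the bug report or of Gentoo's sec-policy. It turns kernel AVC
lines into the raw SELinux allow rules they ask for, which is the first
thing to look at before picking a refpolicy interface: the bug resolves its
denial with seutil_read_file_contexts(), not with a hand-written allow rule.
"""
import re
from collections import defaultdict

# The denial quoted in the bug report (verbatim from the page).
BUG_AVC_LINE = (
    'Apr 22 14:17:11 testsys kernel: [ 4535.791950] type=1400 '
    'audit(1335097031.460:178): avc: denied { search } for pid=10737 '
    'comm="groupadd" name="files" dev="vda1" ino=1122 '
    'scontext=root:sysadm_r:groupadd_t '
    'tcontext=system_u:object_r:file_context_t tclass=dir'
)

# Constructed follow-on lines (NOT from the bug): what typically follows once
# the directory search is allowed and the file_contexts file itself is read.
# They only exist to show permission aggregation across several denials.
SAMPLE_AUDIT_LINES = [
    BUG_AVC_LINE,
    'Apr 22 14:17:11 testsys kernel: [ 4535.792100] type=1400 '
    'audit(1335097031.460:179): avc: denied { read } for pid=10737 '
    'comm="groupadd" name="file_contexts" dev="vda1" ino=1130 '
    'scontext=root:sysadm_r:groupadd_t '
    'tcontext=system_u:object_r:file_context_t tclass=file',
    'Apr 22 14:17:11 testsys kernel: [ 4535.792150] type=1400 '
    'audit(1335097031.460:180): avc: denied { open } for pid=10737 '
    'comm="groupadd" path="/etc/selinux/strict/contexts/files/file_contexts" '
    'dev="vda1" ino=1130 scontext=root:sysadm_r:groupadd_t '
    'tcontext=system_u:object_r:file_context_t tclass=file',
    # Unrelated kernel noise (constructed); parse_avc() must return None for it.
    'Apr 22 14:17:12 testsys kernel: [ 4536.000000] eth0: link is up',
]

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component of a user:role:type[:mls] context string."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC denial; return a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'perms': m.group('perms').split(),
        'source_type': context_type(fields['scontext']),
        'target_type': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        # The kernel logs either name= (last path component) or path=.
        'name': fields.get('name') or fields.get('path'),
    }


def allow_rules(lines):
    """Aggregate denials into one allow rule per (source, target, class), like audit2allow."""
    wanted = defaultdict(set)
    for line in lines:
        d = parse_avc(line)
        if d is not None:
            wanted[(d['source_type'], d['target_type'], d['tclass'])].update(d['perms'])
    rules = []
    for (src, tgt, cls), perms in sorted(wanted.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {src} {tgt}:{cls} {body};')
    return rules


if __name__ == '__main__':
    for rule in allow_rules(SAMPLE_AUDIT_LINES):
        print(rule)
```

The raw rule for the bug's line is `allow groupadd_t file_context_t:dir search;`. In refpolicy that rule is not written by hand in the groupadd policy: the `name="files"` with a file_context_t target points at the `files` subdirectory of the policy's contexts tree, which is exactly what the seutil_read_file_contexts() interface grants, as the fix in this bug confirms.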