1 |
commit: 047d9ea6c5adefc531ea42c30f3ecf7fe15cc43e |
2 |
Author: Laurent Bigonville <bigon <AT> bigon <DOT> be> |
3 |
AuthorDate: Sun Nov 11 19:04:21 2018 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Nov 18 10:56:47 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=047d9ea6 |
7 |
|
8 |
Allow iscsid_t to create a netlink_iscsi_socket |
9 |
|
10 |
---- |
11 |
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:195) : proctitle=/sbin/iscsid |
12 |
type=SYSCALL msg=audit(11/11/18 14:02:09.006:195) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x6 a1=0x55bfc5837270 a2=0xc a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null) |
13 |
type=AVC msg=audit(11/11/18 14:02:09.006:195) : avc: denied { bind } for pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1 |
14 |
---- |
15 |
type=PROCTITLE msg=audit(11/11/18 14:02:09.006:194) : proctitle=/sbin/iscsid |
16 |
type=SYSCALL msg=audit(11/11/18 14:02:09.006:194) : arch=x86_64 syscall=socket success=yes exit=6 a0=netlink a1=SOCK_RAW a2=egp a3=0x0 items=0 ppid=1188 pid=1190 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=iscsid exe=/usr/sbin/iscsid subj=system_u:system_r:iscsid_t:s0 key=(null) |
17 |
type=AVC msg=audit(11/11/18 14:02:09.006:194) : avc: denied { create } for pid=1190 comm=iscsid scontext=system_u:system_r:iscsid_t:s0 tcontext=system_u:system_r:iscsid_t:s0 tclass=netlink_iscsi_socket permissive=1 |
18 |
|
19 |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
20 |
|
21 |
policy/modules/system/iscsi.te | 1 + |
22 |
1 file changed, 1 insertion(+) |
23 |
|
24 |
diff --git a/policy/modules/system/iscsi.te b/policy/modules/system/iscsi.te |
25 |
index 9457ef29..dc5f8f52 100644 |
26 |
--- a/policy/modules/system/iscsi.te |
27 |
+++ b/policy/modules/system/iscsi.te |
28 |
@@ -40,6 +40,7 @@ allow iscsid_t self:fifo_file rw_fifo_file_perms; |
29 |
allow iscsid_t self:unix_stream_socket { accept connectto listen }; |
30 |
allow iscsid_t self:sem create_sem_perms; |
31 |
allow iscsid_t self:shm create_shm_perms; |
32 |
+allow iscsid_t self:netlink_iscsi_socket create_socket_perms; |
33 |
allow iscsid_t self:netlink_socket create_socket_perms; |
34 |
allow iscsid_t self:netlink_kobject_uevent_socket create_socket_perms; |
35 |
allow iscsid_t self:netlink_route_socket nlmsg_write; |