Bug 1544921
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | SELinux errors after fix of Bug #1486803 by nfs-utils-1.3.0-0.48.el7_4.1.x86_64 | | |
| Product | Red Hat Enterprise Linux 7 | Reporter | R P Herrold <herrold> |
| Component | selinux-policy | Assignee | Lukas Vrabec <lvrabec> |
| Status | CLOSED DUPLICATE | QA Contact | Milos Malik <mmalik> |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | 7.4 | CC | ajb, atragler, baumanmo, dwd, egarver, herrold, igkioka, iptables-maint-list, kajtzu, lvrabec, mgrepl, mmalik, myllynen, pasik, plautrba, psutter, redhat-bugzilla, riehecky, ssekidde, tis, todoleza, toracat, xzhou, yoyang |
| Target Milestone | rc | Keywords | Triaged, ZStream |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | If docs needed, set a value |
| Doc Text | | Story Points | --- |
| Clone Of | 1486803 | | |
| Clones | 1544922 (view as bug list) | Environment | |
| Last Closed | 2018-02-14 12:40:55 UTC | Type | Bug |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1486803 | | |
| Bug Blocks | 1477413, 1481207, 1486871, 1491963, 1504647, 1544922, 1544923 | | |
Description
R P Herrold
2018-02-13 18:40:25 UTC
Proposed rule is:

```
[root@router ~]# cat my-grep.te
module my-grep 1.0;

require {
	type iptables_t;
	type modules_conf_t;
	class file read;
}

#============= iptables_t ==============
allow iptables_t modules_conf_t:file read;
[root@router ~]#
```

This single rule covers the nfs-utils, rdma-core, and tuned cases.

The needed additional permissions for SELinux turn out to have had some hidden additional parts needed, and I believe a better rule is:

```
[root@router ~]# cat my-grep.te
module my-grep 1.0;

require {
	type iptables_t;
	type modules_conf_t;
	class file { getattr ioctl open read };
}

#============= iptables_t ==============
#!!!! This avc is allowed in the current policy
allow iptables_t modules_conf_t:file { getattr ioctl open read };
[root@router ~]#
```

This is an SELinux policy bug which is already addressed in:

* https://bugzilla.redhat.com/show_bug.cgi?id=1438937

*** This bug has been marked as a duplicate of bug 1438937 ***
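The reporter's two modules illustrate why a local policy module built from a single AVC record is usually too narrow: the kernel logs the first permission that fails (here `read`), and only after that is allowed do the follow-on checks (`open`, `getattr`, `ioctl`) surface as new denials. The following is an added example, not code from the bug report or from the selinux-policy project. It is a simplified stand-in for what `audit2allow -M` does: it parses AVC denial records, merges every denied permission per (source type, target type, object class), and renders a `.te` module in the same layout as the reporter's. The audit lines are constructed to model the reporter's situation; the paths, PIDs, inode numbers and timestamps are invented and the module name `my-grep` is taken from the report.

```python
import re
from collections import defaultdict

# Constructed sample AVC records in the shape the audit log uses. They are not
# taken from the bug report; they model the reporter's situation of iptables_t
# being denied access to a modules_conf_t file, one permission per record,
# plus one non-denial record that a parser must skip.
SAMPLE_AVCS = """\
type=AVC msg=audit(1518543600.101:4101): avc:  denied  { read } for  pid=2201 comm="iptables" name="nfs.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518543601.202:4102): avc:  denied  { open } for  pid=2201 comm="iptables" path="/etc/modprobe.d/nfs.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518543601.303:4103): avc:  denied  { getattr } for  pid=2201 comm="iptables" path="/etc/modprobe.d/nfs.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
type=AVC msg=audit(1518543601.404:4104): avc:  denied  { ioctl } for  pid=2201 comm="iptables" path="/etc/modprobe.d/nfs.conf" dev="dm-0" ino=1234 scontext=system_u:system_r:iptables_t:s0 tcontext=system_u:object_r:modules_conf_t:s0 tclass=file permissive=0
type=USER_AVC msg=audit(1518543602.505:4105): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received policyload notice (seqno=3)'
"""

# Matches the denied permission set and the three fields that identify a rule.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type component of a context of the form user:role:type[:range]."""
    return context.split(":")[2]


def collect_denials(log_text):
    """Merge denied permissions per (source type, target type, class) across all records."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial (e.g. the USER_AVC policyload notice)
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials


def format_perms(perms):
    """Render a permission set in policy syntax: a bare name, or a braced sorted list."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def render_module(name, version, denials):
    """Emit a .te module: header, require block, then allow rules grouped by source type."""
    types = set()
    classes = defaultdict(set)
    for (src, tgt, cls), perms in denials.items():
        types.update((src, tgt))
        classes[cls].update(perms)
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {format_perms(p)};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for src in sorted({s for s, _, _ in denials}):
        lines.append(f"#============= {src} ==============")
        for (s, tgt, cls), perms in sorted(denials.items()):
            if s == src:
                lines.append(f"allow {s} {tgt}:{cls} {format_perms(perms)};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module("my-grep", "1.0", collect_denials(SAMPLE_AVCS)), end="")
```

Run against the four constructed denials it produces the reporter's second module, with `class file { getattr ioctl open read };` in the require block and the merged allow rule, rather than the `read`-only module the first record alone would yield. To install such a module on RHEL 7 the usual sequence is `checkmodule -M -m -o my-grep.mod my-grep.te`, `semodule_package -o my-grep.pp -m my-grep.mod` and `semodule -i my-grep.pp`; because the bug was closed as a duplicate of a fix in selinux-policy itself, a local module of this kind is a stopgap that should be removed with `semodule -r my-grep` once the fixed package is installed, so the local policy does not silently outlive the problem it papered over.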