Bug 1544923
Summary: | SElinux errors after fix of Bug #1486803 by tuned-2.8.0-5.el7_4.2.noarch | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | R P Herrold <herrold> |
Component: | tuned | Assignee: | Jaroslav Škarvada <jskarvad> |
Status: | CLOSED DUPLICATE | QA Contact: | qe-baseos-daemons |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.4 | CC: | ajb, atragler, baumanmo, dwd, egarver, fs-qe, herrold, igkioka, infiniband-qe, iptables-maint-list, jarod, jeder, jskarvad, kajtzu, mmalik, myllynen, olysonek, pasik, psutter, rdma-dev-team, redhat-bugzilla, riehecky, steved, thozza, tis, todoleza, toracat |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | 1544922 | Environment: | |
Last Closed: | 2018-02-19 00:04:39 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1438937, 1486803, 1544921, 1544922 | ||
Bug Blocks: | 1477413, 1481207, 1486871, 1491963, 1504647 |
Description
R P Herrold
2018-02-13 18:48:46 UTC
The needed additional permissions for SELinux turn out to have had some hidden additional parts needed, and I believe a better rule is: [root@router ~]# cat my-grep.te module my-grep 1.0; require { type iptables_t; type modules_conf_t; class file { getattr ioctl open read }; } #============= iptables_t ============== #!!!! This avc is allowed in the current policy allow iptables_t modules_conf_t:file { getattr ioctl open read }; [root@router ~]# This is a SELinux policy bug which is already addressed in: * https://bugzilla.redhat.com/show_bug.cgi?id=1438937 *** This bug has been marked as a duplicate of bug 1438937 *** |