From e485345b572121f09778da9c146cf1bcd22ae0cf Mon Sep 17 00:00:00 2001 From: Zdenek Pytela Date: Mon, 12 Sep 2022 17:26:03 +0200 Subject: [PATCH] Allow tor get filesystem attributes In particular, attributes of cgroup filesystems and generic filesystems with extended attributes. Addresses the following AVC denials: type=AVC msg=audit(1633585335.809:601): avc: denied { getattr } for pid=1881 comm="tor" name="/" dev="cgroup2" ino=1 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=1 type=AVC msg=audit(1633585335.809:602): avc: denied { getattr } for pid=1881 comm="tor" name="/" dev="dm-0" ino=256 scontext=system_u:system_r:tor_t:s0 tcontext=system_u:object_r:fs_t:s0 tclass=filesystem permissive=1 Resolves: rhbz#2012006 --- policy/modules/contrib/tor.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/contrib/tor.te b/policy/modules/contrib/tor.te index 0dc670b885..ae36c255ca 100644 --- a/policy/modules/contrib/tor.te +++ b/policy/modules/contrib/tor.te @@ -124,6 +124,9 @@ domain_use_interactive_fds(tor_t) files_read_etc_runtime_files(tor_t) +fs_getattr_cgroup(tor_t) +fs_getattr_xattr_fs(tor_t) + auth_use_nsswitch(tor_t) logging_send_syslog_msg(tor_t)