From 52645b77fe4aeb47f538538097c99aa47adbe2d7 Mon Sep 17 00:00:00 2001 From: Milos Malik Date: Wed, 7 Sep 2022 10:53:07 +0200 Subject: [PATCH] pidof executed by abrt can readlink /proc/*/exe At least one of the ABRT addons calls `pidof abrtd` which leads to { sys_ptrace } SELinux denials in cap_userns class. In order to support the full functionality of ABRT and its addons, I believe that SELinux policy should allow this access. Resolves: BZ#2071586 --- policy/modules/contrib/abrt.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te index 02a12dfab1..16db11a3c3 100644 --- a/policy/modules/contrib/abrt.te +++ b/policy/modules/contrib/abrt.te @@ -115,6 +115,7 @@ ifdef(`enable_mcs',` # allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace }; +allow abrt_t self:cap_userns sys_ptrace; dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace }; allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };