33 lines
1.7 KiB
Diff
33 lines
1.7 KiB
Diff
From 0e9856f3cd11af60445ccf12cd59d35662a7e9a2 Mon Sep 17 00:00:00 2001
|
|
From: Nikola Knazekova <nknazeko@redhat.com>
|
|
Date: Mon, 1 Aug 2022 16:08:08 +0200
|
|
Subject: [PATCH] Allow networkmanager to signal unconfined process
|
|
|
|
During kernel selftests, teamd - running in NetworkManager_t domain, checks if teamd instance is started externally.
|
|
Teamd is a daemon to control a given team network device and when started from command line, it runs in the caller domain - unconfined_t.
|
|
|
|
time->Fri Apr 8 11:01:16 2022
|
|
type=PROCTITLE msg=audit(1649430076.436:6807): proctitle=2F7573722F62696E2F7465616D64002D6B002D74006C6167
|
|
type=SYSCALL msg=audit(1649430076.436:6807): arch=c000003e syscall=62 success=no exit=-13 a0=1ad7f5 a1=f a2=0 a3=7fbf0f5d6ac0 items=0 ppid=13470 pid=1759420 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="teamd" exe="/usr/bin/teamd" subj=system_u:system_r:NetworkManager_t:s0 key=(null)
|
|
type=AVC msg=audit(1649430076.436:6807): avc: denied { signal } for pid=1759420 comm="teamd" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=process permissive=0
|
|
|
|
Allow NetworkManager_t to send generic signals to the unconfined domain.
|
|
|
|
Fix: bz#2074414
|
|
---
|
|
policy/modules/contrib/networkmanager.te | 1 +
|
|
1 file changed, 1 insertion(+)
|
|
|
|
diff --git a/policy/modules/contrib/networkmanager.te b/policy/modules/contrib/networkmanager.te
|
|
index a946bc060b..c827f40785 100644
|
|
--- a/policy/modules/contrib/networkmanager.te
|
|
+++ b/policy/modules/contrib/networkmanager.te
|
|
@@ -532,6 +532,7 @@ optional_policy(`
|
|
|
|
optional_policy(`
|
|
unconfined_dgram_send(NetworkManager_t)
|
|
+ unconfined_signal(NetworkManager_t)
|
|
')
|
|
|
|
|