selinux-policy/backport-pidof-executed-by-abrt-can-readlink-proc-exe.patch

From 52645b77fe4aeb47f538538097c99aa47adbe2d7 Mon Sep 17 00:00:00 2001
From: Milos Malik <mmalik@redhat.com>
Date: Wed, 7 Sep 2022 10:53:07 +0200
Subject: [PATCH] pidof executed by abrt can readlink /proc/*/exe

At least one of the ABRT addons calls `pidof abrtd` which leads to
{ sys_ptrace } SELinux denials in cap_userns class.

In order to support the full functionality of ABRT and its addons,
I believe that SELinux policy should allow this access.

Resolves: BZ#2071586
---
 policy/modules/contrib/abrt.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/contrib/abrt.te b/policy/modules/contrib/abrt.te
index 02a12dfab1..16db11a3c3 100644
--- a/policy/modules/contrib/abrt.te
+++ b/policy/modules/contrib/abrt.te
@@ -115,6 +115,7 @@ ifdef(`enable_mcs',`
 #
 
 allow abrt_t self:capability { chown dac_read_search dac_override fowner fsetid ipc_lock kill setgid setuid sys_nice sys_ptrace };
+allow abrt_t self:cap_userns sys_ptrace;
 dontaudit abrt_t self:capability { net_admin sys_rawio sys_ptrace };
 allow abrt_t self:process { setpgid sigkill signal signull setsched getsched };