[DSE-Dev] Bug#1018833: refpolicy: misc missing permissions

Christian Göttsche cgzones at googlemail.com
Wed Aug 31 14:14:19 BST 2022


Source: refpolicy
Version:  2:2.20220520-2
Severity: important

Miscellaneous missing permissions observed while running a sid VM:


#============= systemd_tmpfiles_t ==============
# Read-only metadata access for systemd-tmpfiles on kernel pseudo-filesystems:
# getattr on files carrying a boolean_type type and on the security_t symlink,
# directory listing (list_dir_perms) on configfs_t and tracefs_t, and getattr on
# tracefs_t files.  No file read or write is granted by these rules.
# NOTE(review): the triggering paths are not in the report; presumably a
# tmpfiles.d entry walking /sys -- confirm before merging.
allow systemd_tmpfiles_t boolean_type:file getattr;
allow systemd_tmpfiles_t configfs_t:dir list_dir_perms;
allow systemd_tmpfiles_t security_t:lnk_file getattr;
allow systemd_tmpfiles_t tracefs_t:dir list_dir_perms;
allow systemd_tmpfiles_t tracefs_t:file getattr;


#============= quota_t ==============
# Allows the quota tools to mmap (map) locale_t files.  Only map is added here,
# so the existing read access is presumably already granted elsewhere; a
# localization interface, if one covers map in this refpolicy version, would be
# the conventional place for this rather than a raw allow -- confirm.
allow quota_t locale_t:file map;


#============= udev_t ==============
# /run/console-setup
# udev creating directory entries and files under initrc_runtime_t, per the
# path note above.  NOTE(review): initrc_runtime_t is the generic /run label,
# so these two rules let udev create and write files in every generic /run
# directory, not only /run/console-setup; a dedicated type for that path
# would keep the grant scoped to it.
allow udev_t initrc_runtime_t:dir add_entry_dir_perms;
allow udev_t initrc_runtime_t:file create_file_perms;

# udev creating cgroup directories (add_name/create/write on cgroup_t dirs)
# and writing cgroup control files (write on cgroup_t files).  The triggering
# AVC and path are not included in the report; NOTE(review): worth capturing
# them, since write on all cgroup_t files is broader than the single control
# file that was likely involved.
allow udev_t cgroup_t:dir { add_name create write };
allow udev_t cgroup_t:file write;


#============= kmod_t ==============
# /usr/lib/ssl/openssl.cnf
# kmod reading the OpenSSL configuration at the path above, which presumably
# carries the generic certificate label (hence this interface).  Read-only
# access via the existing interface, so no new write capability is added.
miscfiles_read_generic_certs(kmod_t)


#============= unconfined_t ==============
# relabelfrom and unlink on files labelled with the process's own domain
# (self:file).  NOTE(review): the AVC is not included in the report; self:file
# denials usually come from /proc/<pid> entries, which take the domain label --
# confirm the path before adding a blanket rule.
allow unconfined_t self:file { relabelfrom unlink };


#============= systemd_sysusers_t ==============
#  type=PROCTITLE msg=audit(31/08/22 14:33:20.321:106) : proctitle=systemd-sysusers systemd-journal.conf systemd-network.conf
#  type=PATH msg=audit(31/08/22 14:33:20.321:106) : item=1 name=/lib64/ld-linux-x86-64.so.2 inode=130833 dev=fe:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
#  type=PATH msg=audit(31/08/22 14:33:20.321:106) : item=0 name=/usr/bin/systemd-sysusers inode=132750 dev=fe:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_sysusers_exec_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
#  type=CWD msg=audit(31/08/22 14:33:20.321:106) : cwd=/
#  type=EXECVE msg=audit(31/08/22 14:33:20.321:106) : argc=3 a0=systemd-sysusers a1=systemd-journal.conf a2=systemd-network.conf
#  type=SYSCALL msg=audit(31/08/22 14:33:20.321:106) : arch=x86_64 syscall=execve success=yes exit=0 a0=0x56b182488a58 a1=0x56b180add980 a2=0x56b182488948 a3=0x8 items=2 ppid=3299 pid=3302 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=1 comm=systemd-sysuser exe=/usr/bin/systemd-sysusers subj=unconfined_u:unconfined_r:systemd_sysusers_t:s0-s0:c0.c1023 key=(null)
#  type=AVC msg=audit(31/08/22 14:33:20.321:106) : avc:  denied  { use } for  pid=3302 comm=systemd-sysuser path=/dev/pts/4 dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:systemd_sysusers_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd permissive=0
#  type=AVC msg=audit(31/08/22 14:33:20.321:106) : avc:  denied  { use } for  pid=3302 comm=systemd-sysuser path=/dev/pts/4 dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:systemd_sysusers_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd permissive=0
#  type=AVC msg=audit(31/08/22 14:33:20.321:106) : avc:  denied  { use } for  pid=3302 comm=systemd-sysuser path=/dev/pts/4 dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:systemd_sysusers_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=fd permissive=0
#  type=AVC msg=audit(31/08/22 14:33:20.321:106) : avc:  denied  { read write } for  pid=3302 comm=systemd-sysuser path=/dev/pts/4 dev="devpts" ino=7 scontext=unconfined_u:unconfined_r:systemd_sysusers_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_devpts_t:s0 tclass=chr_file permissive=0

# Derived from the AVCs above: systemd-sysusers was executed from an
# unconfined_t process (ppid=3299, subj ... unconfined_r) and inherited its
# /dev/pts/4 file descriptors, so it needs fd use on unconfined_t and
# read/write on the user_devpts_t pty.
# NOTE(review): hard-coding unconfined_t ties this domain to the unconfined
# module; for inherited terminal fds the usual refpolicy pattern is an
# inherited-terminal interface such as userdom_use_inherited_user_terminals
# (or a dontaudit, if the tool does not actually need the tty) -- confirm
# which fits before merging.
allow systemd_sysusers_t unconfined_t:fd use;
allow systemd_sysusers_t user_devpts_t:chr_file { read write };


