C9s build 20241010 #2383
Merged
C9s build 20241010 #2383
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Resolves: RHEL-17346
Support for Cornelis Omni-Path Express Gen1 driver. Resolves: RHEL-54996
ptp4l uses the generic netlink socket to get information about virtual PTP clocks for checking whether a PHC not matching the physical NIC PHC is a virtual clock. Binding a generic netlink socket requires the sys_admin capability. Resolves: RHEL-55133
The new stalld version makes use of bpf programs to monitor run queues instead of parsing /sys/kernel/debug/sched/debug. For changing thread scheduling policies, CAP_SYS_RESOURCE is required. Resolves: RHEL-57075
It turned up the previous commit b677f73 ("Update stalld policy for bpf usage") was incomplete and there are additional permissions and capabilities needed. Resolves: RHEL-57075
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(2.7.2024 15:31:59.064:1036) : proctitle=boothd daemon -c /etc/booth/booth.conf
type=AVC msg=audit(07/02/24 15:31:59.064:1036) : avc: denied { read } for pid=13949 comm=boothd name=userdb dev="tmpfs" ino=47 scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:object_r:systemd_userdbd_runtime_t:s0 tclass=dir permissive=0
type=SYSCALL msg=audit(07/02/24 15:31:59.064:1036) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7fe048ca39cf a2=O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC a3=0x0 items=0 ppid=13894 pid=13949 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=boothd exe=/usr/sbin/boothd subj=system_u:system_r:boothd_t:s0 key=(null)
Resolves: RHEL-57104
It actually allows boothd connect to systemd-userdbd over a unix socket
when the socket is still labeled as kernel_t.
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(09/09/2024 15:21:42.512:2513) : proctitle=/usr/sbin/boothd daemon -S -c /etc/booth/booth.conf
type=PATH msg=audit(09/09/2024 15:21:42.512:2513) : item=0 name=/run/systemd/userdb/io.systemd.DynamicUser inode=43 dev=00:1b mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SOCKADDR msg=audit(09/09/2024 15:21:42.512:2513) : saddr={ saddr_fam=local path=/run/systemd/userdb/io.systemd.DynamicUser }
type=SYSCALL msg=audit(09/09/2024 15:21:42.512:2513) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x4 a1=0x7fff90ca7ec0 a2=0x2d a3=0x55fe78f35430 items=1 ppid=1 pid=61596 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=boothd exe=/usr/sbin/boothd subj=system_u:system_r:boothd_t:s0 key=(null)
type=AVC msg=audit(09/09/2024 15:21:42.512:2513) : avc: denied { connectto } for pid=61596 comm=boothd path=/systemd/userdb/io.systemd.DynamicUser scontext=system_u:system_r:boothd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_stream_socket permissive=0
Resolves: RHEL-57104
Resolves: RHEL-61453
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.