URL: https://github.com/freeipa/freeipa/pull/5996
Author: flo-renaud
Title: #5996: [Backport][ipa-4-9] selinux policy: allow custodia to access /proc/cpuinfo
Action: opened

PR body:
"""
This PR was opened automatically because PR #5994 was pushed to master and 
backport to ipa-4-9 is required.
"""

To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/5996/head:pr5996
git checkout pr5996
From 02d293ef5ea472750ce711b079b70334d0872114 Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud <f...@redhat.com>
Date: Mon, 30 Aug 2021 18:40:24 +0200
Subject: [PATCH] selinux policy: allow custodia to access /proc/cpuinfo

On aarch64, custodia creates an AVC when accessing /proc/cpuinfo.

According to the gcrypt manual
(https://gnupg.org/documentation/manuals/gcrypt/Configuration.html),
/proc/cpuinfo is used on ARM architecture to read the hardware
capabilities of the CPU. This explains why the issue happens only
on aarch64.

audit2allow suggests adding the following:
allow ipa_custodia_t proc_t:file { getattr open read };

but this policy would be too broad. Instead, the patch uses
the kernel_read_system_state interface.

Fixes: https://pagure.io/freeipa/issue/8972
Signed-off-by: Florence Blanc-Renaud <f...@redhat.com>
---
 selinux/ipa.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/selinux/ipa.te b/selinux/ipa.te
index 68e10941951..7492fca04d4 100644
--- a/selinux/ipa.te
+++ b/selinux/ipa.te
@@ -364,6 +364,7 @@ files_tmp_filetrans(ipa_custodia_t, ipa_custodia_tmp_t, { dir file })
 
 kernel_dgram_send(ipa_custodia_t)
 kernel_read_network_state(ipa_custodia_t)
+kernel_read_system_state(ipa_custodia_t)
 
 auth_read_passwd(ipa_custodia_t)
 
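Review bot: The justification in the commit message does not match what this line grants: kernel_read_system_state is the refpolicy interface that allows reading proc_t files (and listing proc_t directories and reading their symlinks), so it covers at least everything in the rejected raw rule `allow ipa_custodia_t proc_t:file { getattr open read };` rather than being narrower. The change is still the right one, but for a different reason: it uses the stock interface instead of hard-coding proc_t in ipa.te, which is what keeps the policy maintainable across refpolicy type changes. Suggest a one-line comment above `kernel_read_system_state(ipa_custodia_t)` recording why custodia needs it (gcrypt reads /proc/cpuinfo for CPU capabilities on ARM, issue 8972), so a later reviewer does not remove it as unexplained or assume it was meant to be cpuinfo-only. After rebuilding the module, the effective grant can be confirmed with `sesearch -A -s ipa_custodia_t -t proc_t -c file`.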
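The commit message quotes the allow rule that audit2allow produced from the denials. As an added example, not code from the FreeIPA project or this PR, the shell script below reproduces that step: it folds AVC denial records into one `allow` rule per (source type, target type, class) with the union of denied permissions, so a reviewer can see exactly which denials a proposed rule is derived from before deciding whether an interface such as kernel_read_system_state is the better fit. The three AVC lines are constructed to look like what auditd would record for custodia reading /proc/cpuinfo on aarch64; they are not real log output, and the pids, inode numbers and timestamps are made up.

```shell
#!/bin/sh
# Added example (not part of the FreeIPA PR): derive an audit2allow-style
# rule from AVC denial records. The sample records below are constructed
# to resemble custodia's /proc/cpuinfo denials and are not real audit output.

AVC_SAMPLE='type=AVC msg=audit(1630341624.101:201): avc:  denied  { getattr } for  pid=2310 comm="custodia" path="/proc/cpuinfo" dev="proc" ino=4026532017 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1630341624.102:202): avc:  denied  { read } for  pid=2310 comm="custodia" name="cpuinfo" dev="proc" ino=4026532017 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0
type=AVC msg=audit(1630341624.103:203): avc:  denied  { open } for  pid=2310 comm="custodia" path="/proc/cpuinfo" dev="proc" ino=4026532017 scontext=system_u:system_r:ipa_custodia_t:s0 tcontext=system_u:object_r:proc_t:s0 tclass=file permissive=0'

# avc_to_allow: read AVC records on stdin, print one "allow" rule per
# (source type, target type, class). Stage 1 emits one line per denied
# permission, "sort -u" orders and de-duplicates them, stage 2 folds
# consecutive lines with the same key back into a single rule.
avc_to_allow() {
    awk '
    # field(line, key): value of "key=..." up to the next space
    function field(line, key,    v) {
        v = line
        sub(".*" key "=", "", v)
        sub(/ .*/, "", v)
        return v
    }
    # ctx_type(line, key): the type component of a user:role:type:level context
    function ctx_type(line, key,    p) {
        split(field(line, key), p, ":")
        return p[3]
    }
    /avc: +denied +[{]/ {
        perms = $0
        sub(/.*denied +[{] +/, "", perms)   # drop everything before the perm list
        sub(/ +[}].*/, "", perms)           # drop everything after it
        n = split(perms, p, " ")
        for (i = 1; i <= n; i++)
            print ctx_type($0, "scontext"), ctx_type($0, "tcontext"), field($0, "tclass"), p[i]
    }' | sort -u | awk '
    function print_rule(    k) {
        split(prev, k, " ")
        printf "allow %s %s:%s { %s };\n", k[1], k[2], k[3], perms
    }
    {
        key = $1 " " $2 " " $3
        if (key != prev) {
            if (prev != "") print_rule()
            prev = key
            perms = $4
        } else {
            perms = perms " " $4
        }
    }
    END { if (prev != "") print_rule() }'
}

# Stand-alone run: prints the same rule audit2allow suggested in the PR.
printf '%s\n' "$AVC_SAMPLE" | avc_to_allow
```

On a live system the same function can be fed real records with `ausearch -m AVC -c custodia | avc_to_allow`. Note that the rule it prints is a raw type-enforcement allow on proc_t; the patch above deliberately replaces that with the kernel_read_system_state interface, and after rebuilding the module the effective permissions can be checked with `sesearch -A -s ipa_custodia_t -t proc_t -c file` (standard setools commands, not FreeIPA tooling).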
_______________________________________________
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-devel@lists.fedorahosted.org