[Bug 1228831] SELinux sshd policy missing VSOCK support
https://bugzilla.suse.com/show_bug.cgi?id=1228831

https://bugzilla.suse.com/show_bug.cgi?id=1228831#c15

--- Comment #15 from Johannes Segitz <jsegitz@suse.com> ---
I'll have a submit for the policy ready that should fix it. But since the
behavior on our system is slightly different I'd like you to test it also.

It introduces a new interface (place this into the .if file audit2allow
produced):

#######################################
## <summary>
##	Allow caller to read/write vsock socket for sshd
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed access.
##	</summary>
## </param>
#
interface(`ssh_rw_vsock_socket',`
	gen_require(`
		type sshd_t;
	')

	allow $1 sshd_t:vsock_socket rw_socket_perms;
')

It's then called in the .te file:

require {
	type sshd_t;
	type sshd_net_t;
}

#============= sshd_t ==============
ssh_rw_vsock_socket(sshd_t)
ssh_rw_vsock_socket(sshd_net_t)

Compile it with
make -f /usr/share/selinux/devel/Makefile
then load with
semodule -i

I'll send a PR for the change. I'll be away for three weeks now, but a
colleague will merge it once you confirm that this fixes the problem for you
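
An added example, not part of the original comment or of the SUSE policy: a shell check for the test requested above. It reads AVC records and reports which vsock_socket denials fall within what ssh_rw_vsock_socket grants to sshd_t and sshd_net_t, and which would still be denied. The audit lines are constructed, and the expansion of rw_socket_perms is assumed to match the reference policy's obj_perm_sets.spt.

```shell
#!/bin/sh
# Added example. Assumption: rw_socket_perms expands as in the reference
# policy's obj_perm_sets.spt; compare with your installed policy sources.
RW_SOCKET_PERMS="ioctl read getattr write setattr append bind connect getopt setopt shutdown"

# Constructed sample AVC records (not taken from the bug report).
SAMPLE_LOG='type=AVC msg=audit(1722500000.101:411): avc:  denied  { read write } for  pid=2101 comm="sshd" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=0
type=AVC msg=audit(1722500000.202:412): avc:  denied  { getattr } for  pid=2102 comm="sshd" scontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=0
type=AVC msg=audit(1722500000.303:413): avc:  denied  { create } for  pid=2103 comm="sshd" scontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_net_t:s0-s0:c0.c1023 tclass=vsock_socket permissive=0
type=AVC msg=audit(1722500000.404:414): avc:  denied  { name_bind } for  pid=2104 comm="sshd" src=2222 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0'

# Reads audit records on stdin. For every denied vsock_socket permission prints
# "<verdict> <source type> <target type> <permission>". "covered" means the
# rule added by ssh_rw_vsock_socket(sshd_t) / (sshd_net_t) allows it.
classify_vsock_denials() {
    awk -v perms="$RW_SOCKET_PERMS" '
    BEGIN { n = split(perms, p, " "); for (i = 1; i <= n; i++) rw[p[i]] = 1 }
    /avc: +denied/ && /tclass=vsock_socket/ {
        src = ""; tgt = ""; inset = 0
        for (i = 1; i <= NF; i++) {        # SELinux type is the 3rd context field
            if ($i ~ /^scontext=/) { split($i, c, ":"); src = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); tgt = c[3] }
        }
        for (i = 1; i <= NF; i++) {        # permissions sit between "{" and "}"
            if ($i == "{") { inset = 1; continue }
            if ($i == "}") break
            if (!inset) continue
            ok = (tgt == "sshd_t" && (src == "sshd_t" || src == "sshd_net_t") && ($i in rw))
            verdict = ok ? "covered" : "uncovered"
            print verdict, src, tgt, $i
        }
    }'
}

# Live use after "semodule -i": ausearch -m AVC -ts recent | classify_vsock_denials
printf '%s\n' "$SAMPLE_LOG" | classify_vsock_denials
```

Any "uncovered" line after the module is loaded points at a permission or type pair the interface does not grant, which is the detail to report back on the bug.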