Hi,

ca-certificates, btrfsmaintenance and probably others have conditions that lead systemd to wanting to watch certain files, e.g.

PathChanged=/etc/sysconfig/btrfsmaintenance

That leads to

type=AVC msg=audit(1621253570.928:27): avc: denied { watch } for pid=1 comm="systemd" path="/etc/sysconfig/btrfsmaintenance" dev="overlay" ino=15638 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0

That case is rather easy as "allow init_t etc_t:file watch;" would be ok to add to the systemd rules. How is this expected to work in general though? We patch the policy for systemd or ship individual policy snippets in packages?

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.com/
SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer
HRB 36809 (AG Nürnberg)
On Mon, May 17, 2021 at 03:42:02PM +0200, Ludwig Nussel wrote:
> Hi,
>
> ca-certificates, btrfsmaintenance and probably others have conditions that lead systemd to wanting to watch certain files, e.g.
>
> PathChanged=/etc/sysconfig/btrfsmaintenance
>
> That leads to
>
> type=AVC msg=audit(1621253570.928:27): avc: denied { watch } for pid=1 comm="systemd" path="/etc/sysconfig/btrfsmaintenance" dev="overlay" ino=15638 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
>
> That case is rather easy as "allow init_t etc_t:file watch;" would be ok to add to the systemd rules. How is this expected to work in general though? We patch the policy for systemd or ship individual policy snippets in packages?
As this is likely rather common I would add this to the systemd policy itself. It's better to use watch_files_pattern and similar instead of direct allow rules though.

You can either submit or just open a bug for me and I'll handle it

Johannes

--
GPG Key E7C81FA0 EE16 6BCE AD56 E034 BFB3 3ADD 7BF7 29D5 E7C8 1FA0
Subkey fingerprint: 250F 43F5 F7CE 6F1E 9C59 4F95 BC27 DD9D 2CC4 FD66
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg
Geschäftsführer: Felix Imendörffer (HRB 36809, AG Nürnberg)
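To make the advice above concrete, here is an added helper (not code from either poster or from the SUSE policy package) that parses the AVC record quoted in the thread and prints both the direct allow rule and the refpolicy-style alternative. It assumes the refpolicy interface `watch_files_pattern(domain, dir_type, file_type)` and, lacking a directory type in the AVC record, reuses the file type for the directory; the second sample line is constructed, not from the page.

```python
import re

# key=value and key="quoted value" pairs as written by the kernel's AVC audit record.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_PERMS = re.compile(r'avc:\s+denied\s+\{\s*([^}]*)\}')

SAMPLE_AVC = [
    # The denial Ludwig posted (permissive=0 means it was actually enforced).
    'type=AVC msg=audit(1621253570.928:27): avc: denied { watch } for pid=1 comm="systemd" '
    'path="/etc/sysconfig/btrfsmaintenance" dev="overlay" ino=15638 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0',
    # Constructed sample: multiple permissions, logged in permissive mode.
    'type=AVC msg=audit(1621253600.000:28): avc: denied { read open } for pid=1 comm="systemd" '
    'path="/etc/sysconfig/example" dev="overlay" ino=1 '
    'scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=1',
]

def parse_avc(line):
    """Extract the pieces a policy writer needs; returns None for non-AVC lines."""
    m = _PERMS.search(line)
    if not m:
        return None
    f = {k: q or v for k, q, v in _KV.findall(line)}
    # A context is user:role:type:level; the type is always the third field.
    return {
        "perms": m.group(1).split(),
        "source": f["scontext"].split(":")[2],
        "target": f["tcontext"].split(":")[2],
        "tclass": f["tclass"],
        "comm": f.get("comm", ""),
        "path": f.get("path", ""),
        "enforced": f.get("permissive") == "0",
    }

def allow_rule(d):
    """The raw rule, in the form audit2allow would print it."""
    perms = " ".join(d["perms"])
    if len(d["perms"]) > 1:
        perms = "{ " + perms + " }"
    return f'allow {d["source"]} {d["target"]}:{d["tclass"]} {perms};'

def pattern_rule(d):
    """Prefer the refpolicy interface for a plain file watch denial (assumed signature:
    watch_files_pattern(domain, dir_type, file_type)); fall back to the raw rule otherwise."""
    if d["tclass"] == "file" and d["perms"] == ["watch"]:
        return f'watch_files_pattern({d["source"]}, {d["target"]}, {d["target"]})'
    return allow_rule(d)

if __name__ == "__main__":
    for line in SAMPLE_AVC:
        d = parse_avc(line)
        print(f'{d["comm"]} on {d["path"]} (enforced={d["enforced"]}): {pattern_rule(d)}')
```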
Johannes Segitz wrote:
> On Mon, May 17, 2021 at 03:42:02PM +0200, Ludwig Nussel wrote:
> > ca-certificates, btrfsmaintenance and probably others have conditions that lead systemd to wanting to watch certain files, e.g.
> >
> > PathChanged=/etc/sysconfig/btrfsmaintenance
> >
> > That leads to
> >
> > type=AVC msg=audit(1621253570.928:27): avc: denied { watch } for pid=1 comm="systemd" path="/etc/sysconfig/btrfsmaintenance" dev="overlay" ino=15638 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
> >
> > That case is rather easy as "allow init_t etc_t:file watch;" would be ok to add to the systemd rules. How is this expected to work in general though? We patch the policy for systemd or ship individual policy snippets in packages?
>
> As this is likely rather common I would add this to the systemd policy itself. It's better to use watch_files_pattern and similar instead of direct allow rules though.
>
> You can either submit or just open a bug for me and I'll handle it
I'm working on the package anyway to make it work with cockpit so I'll cook up a patch.

cu
Ludwig

--
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.com/
SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer
HRB 36809 (AG Nürnberg)
participants (2)
-
Johannes Segitz
-
Ludwig Nussel