From: "Jason Zaman"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman"
Message-ID: <1741476403.d8a8aab060701ad9246b6000dd12fcf6db00a34d.perfinion@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/services/firewalld.te
X-VCS-Directories: policy/modules/services/
X-VCS-Committer: perfinion
X-VCS-Committer-Name: Jason Zaman
X-VCS-Revision: d8a8aab060701ad9246b6000dd12fcf6db00a34d
X-VCS-Branch: master
Date: Sat, 08 Mar 2025 23:55:05 +0000 (UTC)
Precedence: bulk
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
List-Id: Gentoo Linux mail
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 9a8dd9c6-6318-4128-b849-d3ba989632fe
X-Archives-Hash: 4b72678b3ca41c5df49675d9940ed373

commit:     d8a8aab060701ad9246b6000dd12fcf6db00a34d
Author:     Clayton Casciato 21sw us>
AuthorDate: Tue Mar 4 15:17:47 2025 +0000
Commit:     Jason Zaman gentoo org>
CommitDate: Sat Mar 8 23:26:43 2025 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=d8a8aab0

firewalld: fix lib_t Python cache denial auditing

type=PATH item=3 name=(null) inode=15343 dev=fe:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH item=2 name=(null) inode=3055 dev=fe:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH item=1 name=(null) nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH item=0 name=(null) inode=3055 dev=fe:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD cwd=/
type=SYSCALL arch=armeb syscall=openat per=PER_LINUX success=yes exit=3 a0=AT_FDCWD a1=0xb6551ce8 a2=O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW|O_CLOEXEC a3=0x1a4 items=4 ppid=1 pid=225 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.12 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC avc: denied { write } for pid=225 comm=firewalld path=/usr/lib/python3.12/__pycache__/traceback.cpython-312.pyc.3059098912 dev="vda" ino=15343 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC avc: denied { create } for pid=225 comm=firewalld name=traceback.cpython-312.pyc.3059098912 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC avc: denied { add_name } for pid=225 comm=firewalld name=traceback.cpython-312.pyc.3059098912 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
type=AVC avc: denied { write } for pid=225 comm=firewalld name=__pycache__ dev="vda" ino=3055 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
----
type=PROCTITLE proctitle=/usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
type=PATH item=1 name=(null) inode=15343 dev=fe:00 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH item=0 name=(null) inode=3055 dev=fe:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD cwd=/
type=SYSCALL arch=armeb syscall=rename per=PER_LINUX success=yes exit=0 a0=0xb6551ce8 a1=0xb6562f80 a2=0x1 a3=0x0 items=2 ppid=1 pid=225 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.12 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC avc: denied { rename } for pid=225 comm=firewalld name=traceback.cpython-312.pyc.3059098912 dev="vda" ino=15343 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=file
type=AVC avc: denied { remove_name } for pid=225 comm=firewalld name=traceback.cpython-312.pyc.3059098912 dev="vda" ino=15343 scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
----
type=PROCTITLE proctitle=/usr/bin/python3 /usr/sbin/firewalld --nofork --nopid
type=PATH item=1 name=(null) inode=15344 dev=fe:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH item=0 name=(null) inode=7795 dev=fe:00 mode=dir,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:lib_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD cwd=/
type=SYSCALL arch=armeb syscall=mkdir per=PER_LINUX success=yes exit=0 a0=0xb64a46f0 a1=0777 a2=0x1 a3=0x0 items=2 ppid=1 pid=225 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=firewalld exe=/usr/bin/python3.12 subj=system_u:system_r:firewalld_t:s0 key=(null)
type=AVC avc: denied { create } for pid=225 comm=firewalld name=__pycache__ scontext=system_u:system_r:firewalld_t:s0 tcontext=system_u:object_r:lib_t:s0 tclass=dir
--

Fedora dontaudit firewalld_t lib_t:dir write;
https://github.com/fedora-selinux/selinux-policy/commit/38c318fb0da5ffe99b6d1c599d8f0b9968efa640

Other lib_t seems to be handled with:
dontaudit firewalld_t filesystem_type:dir audit_access;
dontaudit firewalld_t filesystem_type:file audit_access;
https://github.com/fedora-selinux/selinux-policy/blob/1e6221cdad83095faff06774c600a308544d64b8/policy/modules/contrib/firewalld.te#L94

Signed-off-by: Clayton Casciato 21sw.us>
Signed-off-by: Jason Zaman gentoo.org> policy/modules/services/firewalld.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/firewalld.te b/policy/modules/services/firewalld.te index e686270b1..f592cf4f6 100644 --- a/policy/modules/services/firewalld.te +++ b/policy/modules/services/firewalld.te @@ -86,6 +86,8 @@ fs_getattr_xattr_fs(firewalld_t) logging_send_syslog_msg(firewalld_t) +libs_dontaudit_manage_lib_dirs(firewalld_t) +libs_dontaudit_manage_lib_files(firewalld_t) libs_watch_lib_dirs(firewalld_t) miscfiles_read_generic_certs(firewalld_t)
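Review bot: the commit message should state why silencing these denials with dontaudit, rather than granting the access, is the right fix for the hunk in firewalld.te: lib_t is not meant to be written by a service domain, so in enforcing mode the openat/mkdir/rename calls in the log fail and Python simply runs without writing a cached traceback .pyc, which is the intended outcome (the logged records all show success=yes, so the trace was captured in permissive mode and does not show the enforcing-mode behaviour). The diff changes only firewalld.te and relies on libs_dontaudit_manage_lib_dirs and libs_dontaudit_manage_lib_files being defined in libraries.if on this branch; confirm both interfaces exist there, since the Fedora commit linked in the message uses a different, narrower rule (dontaudit firewalld_t lib_t:dir write) and does not provide them.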