Skip to content

Commit

Permalink
Resolve error when cockpit initiate shutdown
Browse files Browse the repository at this point in the history
node=localhost type=AVC msg=audit(1705937785.855:1258): avc:  denied  { create } for  pid=1741 comm="systemd-logind" name=".#scheduleddAhZqh" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=0
node=localhost type=AVC msg=audit(1705937817.548:1268): avc:  denied  { create } for  pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1268): avc:  denied  { read write open } for  pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1269): avc:  denied  { setattr } for  pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1270): avc:  denied  { getattr } for  pid=1741 comm="systemd-logind" path="/run/systemd/shutdown/.#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.548:1271): avc:  denied  { rename } for  pid=1741 comm="systemd-logind" name=".#scheduledOLXyXT" dev="tmpfs" ino=1803 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:init_runtime_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1272): avc:  denied  { write } for  pid=1741 comm="systemd-logind" name="/" dev="tmpfs" ino=1 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1272): avc:  denied  { add_name } for  pid=1741 comm="systemd-logind" name=".#nologin0EGTLr" scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1705937817.549:1273): avc:  denied  { remove_name } for  pid=1741 comm="systemd-logind" name=".#nologin3EGTLr" dev="tmpfs" ino=1804 scontext=system_u:system_r:systemd_logind_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir permissive=1

Signed-off-by: Dave Sugar <[email protected]>
  • Loading branch information
dsugar100 committed Jan 27, 2024
1 parent 08ea302 commit 882830d
Show file tree
Hide file tree
Showing 3 changed files with 5 additions and 1 deletion.
3 changes: 2 additions & 1 deletion policy/modules/services/cockpit.if
Original file line number Diff line number Diff line change
Expand Up @@ -64,9 +64,10 @@ template(`cockpit_role_template',`
cockpit_use_ws_fds($2)
cockpit_rw_ws_stream_sockets($2)

init_watch_runtime_dirs($2)
init_watch_utmp($2)

systemd_watch_logind_runtime_dirs($2)

userdom_dontaudit_execute_user_tmpfs_files($2)
')

Expand Down
1 change: 1 addition & 0 deletions policy/modules/system/systemd.fc
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,7 @@ HOME_DIR/\.local/share/systemd(/.*)? gen_context(system_u:object_r:systemd_data
/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_runtime_t,s0)
/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_runtime_t,s0)
/run/systemd/shutdown(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
/run/systemd/users(/.*)? gen_context(system_u:object_r:systemd_logind_runtime_t,s0)
/run/systemd/userdb(/.*)? gen_context(system_u:object_r:systemd_userdbd_runtime_t,s0)
/run/systemd/inhibit(/.*)? gen_context(system_u:object_r:systemd_logind_inhibit_runtime_t,s0)
Expand Down
2 changes: 2 additions & 0 deletions policy/modules/system/systemd.te
Original file line number Diff line number Diff line change
Expand Up @@ -901,11 +901,13 @@ dev_setattr_video_dev(systemd_logind_t)

domain_obj_id_change_exemption(systemd_logind_t)

files_check_write_runtime_dirs(systemd_logind_t)
files_read_etc_runtime_files(systemd_logind_t)
files_search_runtime(systemd_logind_t)
# Getattr all shm segments as part of cleaning up the
# segments of deleted ephemeral users.
files_getattr_all_tmpfs_files(systemd_logind_t)
files_rw_runtime_dirs(systemd_logind_t)

fs_getattr_cgroup(systemd_logind_t)
fs_getattr_tmpfs(systemd_logind_t)
Expand Down

0 comments on commit 882830d

Please sign in to comment.