Skip to content

Commit

Permalink
Allow apcupsd cgi scripts read /sys
Browse files Browse the repository at this point in the history
In particular, reading the /sys/devices/system/cpu/possible file
was requested.

The commit addresses the following AVC denials:
type=AVC msg=audit(1696352910.805:100420): avc:  denied  { read } for  pid=1542297 comm="upsimage.cgi" name="possible" dev="sysfs" ino=42 scontext=system_u:system_r:apcupsd_cgi_script_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0

Resolves: rhbz#2242120
  • Loading branch information
zpytela committed Oct 9, 2023
1 parent 39896a0 commit c3eaa4e
Showing 1 changed file with 2 additions and 0 deletions.
2 changes: 2 additions & 0 deletions policy/modules/contrib/apcupsd.te
Original file line number Diff line number Diff line change
Expand Up @@ -156,5 +156,7 @@ optional_policy(`
corenet_udp_sendrecv_generic_node(apcupsd_cgi_script_t)
corenet_udp_sendrecv_all_ports(apcupsd_cgi_script_t)

dev_read_sysfs(apcupsd_cgi_script_t)

sysnet_dns_name_resolve(apcupsd_cgi_script_t)
')

0 comments on commit c3eaa4e

Please sign in to comment.