Dontaudit systemd-hwdb dac_override capability
When systemd-hwdb creates the /etc/udev/hwdb.bin file, a dac_override
check appears as a result of calling the linkat() syscall.
Despite the AVC, the syscall succeeds and the file is created successfully.
This seems to be caused by the kernel's check order, which could use
improving; the proper change in the kernel may not be easily achieved, though.

This commit dontaudits the dac_override capability. Additionally,
a simple workaround is available for environments where it can be used:
sysctl -w fs.protected_hardlinks=0

Related: rhbz#2240221
zpytela committed Nov 15, 2023
1 parent b1374e9 commit 65d5e7c
Showing 1 changed file with 2 additions and 0 deletions.
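The commit message rests on one observation: the dac_override AVC is raised, yet the linkat() call succeeds. Before silencing such a denial with dontaudit, a policy maintainer wants to confirm that pattern from the audit log by pairing each AVC with the SYSCALL record of the same event. The script below is an added example, not part of this commit or the selinux-policy project; the audit records are constructed, and it assumes an x86_64 host (where linkat is syscall 265).

```python
import re
from collections import defaultdict

# Constructed sample records (not from the bug report): one event from
# systemd_hwdb_t whose linkat() succeeded despite the AVC, and one unrelated
# denial where the syscall really failed. Records of one event share the id.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1700000000.101:310): avc:  denied  { dac_override } for  pid=812 comm="systemd-hwdb" capability=1  scontext=system_u:system_r:systemd_hwdb_t:s0 tcontext=system_u:system_r:systemd_hwdb_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1700000000.101:310): arch=c000003e syscall=265 success=yes exit=0 pid=812 comm="systemd-hwdb" exe="/usr/bin/systemd-hwdb" subj=system_u:system_r:systemd_hwdb_t:s0
type=AVC msg=audit(1700000000.205:311): avc:  denied  { dac_override } for  pid=900 comm="sometool" capability=1  scontext=system_u:system_r:sometool_t:s0 tcontext=system_u:system_r:sometool_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1700000000.205:311): arch=c000003e syscall=2 success=no exit=-13 pid=900 comm="sometool" exe="/usr/bin/sometool" subj=system_u:system_r:sometool_t:s0
"""
LINKAT_X86_64 = 265  # linkat(2) number on x86_64 (arch=c000003e); other arches differ
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
PERMS = re.compile(r"\{ ([^}]*) \}")


def parse_records(text):
    """Group audit records by event id: {event_id: {record type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        match = EVENT_ID.search(line)
        if not match:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        perms = PERMS.search(line)  # "{ dac_override }" is not a key=value pair
        if perms:
            fields["perms"] = perms.group(1).split()
        events[match.group(1)][fields["type"]] = fields
    return events


def classify_dac_override(events, domain="systemd_hwdb_t"):
    """For every dac_override AVC raised by `domain`, pair it with the SYSCALL
    record and report whether the call still succeeded and whether it was linkat."""
    findings = []
    for event_id, recs in sorted(events.items()):
        avc, syscall = recs.get("AVC"), recs.get("SYSCALL")
        if not avc or "dac_override" not in avc.get("perms", []):
            continue
        if avc["scontext"].split(":")[2] != domain:
            continue
        findings.append({
            "event": event_id,
            "comm": avc["comm"],
            "syscall_is_linkat": bool(syscall) and int(syscall["syscall"]) == LINKAT_X86_64,
            "succeeded": bool(syscall) and syscall["success"] == "yes",
        })
    return findings
```

A finding with `succeeded` set is the benign case the commit describes (denial logged, operation completed), which is the only kind a dontaudit should cover; a finding where the syscall failed points to a permission the domain actually needs.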
2 changes: 2 additions & 0 deletions policy/modules/system/systemd.te
@@ -1190,6 +1190,8 @@ optional_policy(`
#
# systemd_hwdb domain
#
dontaudit systemd_hwdb_t self:capability dac_override;

manage_files_pattern(systemd_hwdb_t, systemd_hwdb_etc_t, systemd_hwdb_etc_t)
allow systemd_hwdb_t systemd_hwdb_etc_t:file {relabelfrom relabelto};
files_etc_filetrans(systemd_hwdb_t, systemd_hwdb_etc_t, file)
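Review bot: the new `dontaudit systemd_hwdb_t self:capability dac_override;` line carries no comment explaining why the denial is safe to hide, and the reason (a linkat() check-order quirk under fs.protected_hardlinks, tracked in rhbz#2240221) lives only in the commit message. Since a capability dontaudit cannot be scoped to one object or syscall, it will also hide any future dac_override denial from systemd_hwdb_t that is a genuine access failure, so a short in-file comment above the rule, e.g. `# linkat() on /etc/udev/hwdb.bin triggers a spurious dac_override check; see rhbz#2240221`, would let the next maintainer tell the intentional suppression from a missing allow rule. Style-wise, the rule sits directly under the `# systemd_hwdb domain` banner with a blank line after it, consistent with how the module places self:capability rules before the file patterns.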
