Update qatlib policy
The commit addresses the following AVC denials:
type=PROCTITLE msg=audit(12.12.2023 09:16:26.851:299) : proctitle=/usr/sbin/qatmgr --policy=0
type=SYSCALL msg=audit(12.12.2023 09:16:26.851:299) : arch=x86_64 syscall=ioctl success=yes exit=0 a0=0x5 a1=0x3b69 a2=0x3 a3=0x70000000004 items=0 ppid=1 pid=63688 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=qatmgr exe=/usr/sbin/qatmgr subj=system_u:system_r:qatlib_t:s0 key=(null)
type=AVC msg=audit(12.12.2023 09:16:26.851:299) : avc:  denied  { ioctl } for  pid=63688 comm=qatmgr path=/dev/vfio/465 dev="devtmpfs" ino=2030 ioctlcmd=0x3b69 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:vfio_device_t:s0 tclass=chr_file permissive=1

type=PROCTITLE msg=audit(12.12.2023 09:16:31.459:301) : proctitle=/usr/sbin/qatmgr --policy=0
type=PATH msg=audit(12.12.2023 09:16:31.459:301) : item=1 name=(null) inode=3808 dev=00:18 mode=socket,660 ouid=root ogid=qat rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(12.12.2023 09:16:31.459:301) : item=0 name=(null) inode=3633 dev=00:18 mode=dir,755 ouid=root ogid=qat rdev=00:00 obj=system_u:object_r:var_run_t:s0 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(12.12.2023 09:16:31.459:301) : arch=x86_64 syscall=bind success=yes exit=0 a0=0x3 a1=0x7ffdd4804e30 a2=0x6e a3=0x9 items=2 ppid=1 pid=63688 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=qatmgr exe=/usr/sbin/qatmgr subj=system_u:system_r:qatlib_t:s0 key=(null)
type=AVC msg=audit(12.12.2023 09:16:31.459:301) : avc:  denied  { create } for  pid=63688 comm=qatmgr name=qatmgr.sock scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=sock_file permissive=1

type=PROCTITLE msg=audit(12/12/23 18:36:06.978:95) : proctitle=lspci
type=SYSCALL msg=audit(12/12/23 18:36:06.978:95) : arch=x86_64 syscall=pread success=yes exit=64 a0=0x3 a1=0x556bd3454480 a2=0x40 a3=0x0 items=0 ppid=4835 pid=4836 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=lspci exe=/usr/sbin/lspci subj=system_u:system_r:qatlib_t:s0 key=(null)
type=AVC msg=audit(12/12/23 18:36:06.978:95) : avc:  denied  { sys_admin } for  pid=4836 comm=lspci capability=sys_admin  scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:qatlib_t:s0 tclass=capability permissive=0

type=PROCTITLE msg=audit(12/12/23 18:36:06.999:563) : proctitle=lspci
type=SYSCALL msg=audit(12/12/23 18:36:06.999:563) : arch=x86_64 syscall=openat success=no exit=EACCES(Permission denied) a0=AT_FDCWD a1=0x7f57b0e408bc a2=O_RDONLY a3=0x0 items=0 ppid=4835 pid=4836 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=lspci exe=/usr/sbin/lspci subj=system_u:system_r:qatlib_t:s0 key=(null)
type=AVC msg=audit(12/12/23 18:36:06.999:563) : avc:  denied  { search } for  pid=4836 comm=lspci name=hwdata dev="dm-0" ino=650 scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:object_r:hwdata_t:s0 tclass=dir permissive=0

type=PROCTITLE msg=audit(12/13/2023 21:34:36.206:180) : proctitle=modprobe vfio-pci
type=SYSCALL msg=audit(12/13/2023 21:34:36.206:180) : arch=x86_64 syscall=init_module success=no exit=EPERM(Operation not permitted) a0=0x562e3f4413e0 a1=0x22478 a2=0x562e3dacb962 a3=0x5 items=0 ppid=6527 pid=6531 auid=unset uid=root gid=qat euid=root suid=root fsuid=root egid=qat sgid=qat fsgid=qat tty=(none) ses=unset comm=modprobe exe=/usr/bin/kmod subj=system_u:system_r:qatlib_t:s0 key=(null)
type=AVC msg=audit(12/13/2023 21:34:36.206:180) : avc:  denied  { sys_module } for  pid=6531 comm=modprobe capability=sys_module  scontext=system_u:system_r:qatlib_t:s0 tcontext=system_u:system_r:qatlib_t:s0 tclass=capability permissive=0

Resolves: RHEL-17947
zpytela committed Dec 15, 2023
1 parent f442292 commit e0d8f36
Showing 1 changed file with 5 additions and 1 deletion.
6 changes: 5 additions & 1 deletion policy/modules/contrib/qatlib.te
Expand Up @@ -22,6 +22,7 @@ files_pid_file(qatlib_var_run_t)
#
# qatlib local policy
#
allow qatlib_t self:capability { sys_admin sys_module };
allow qatlib_t self:fifo_file rw_fifo_file_perms;
allow qatlib_t self:system module_load;
allow qatlib_t self:unix_stream_socket create_stream_socket_perms;
Expand All @@ -33,7 +34,8 @@ list_dirs_pattern(qatlib_t, qatlib_conf_t, qatlib_conf_t)

manage_dirs_pattern(qatlib_t, qatlib_var_run_t, qatlib_var_run_t)
manage_files_pattern(qatlib_t, qatlib_var_run_t, qatlib_var_run_t)
files_pid_filetrans(qatlib_t, qatlib_var_run_t, { dir file } )
manage_sock_files_pattern(qatlib_t, qatlib_var_run_t, qatlib_var_run_t)
files_pid_filetrans(qatlib_t, qatlib_var_run_t, { dir file sock_file } )

kernel_read_proc_files(qatlib_t)
kernel_request_load_module(qatlib_t)
Expand All @@ -43,6 +45,7 @@ corecmd_exec_bin(qatlib_t)

dev_create_sysfs_files(qatlib_t)
dev_rw_sysfs(qatlib_t)
dev_rw_vfio_dev(qatlib_t)
dev_setattr_generic_dirs(qatlib_t)

domain_use_interactive_fds(qatlib_t)
Expand All @@ -54,6 +57,7 @@ optional_policy(`
')

optional_policy(`
miscfiles_read_hwdata(qatlib_t)
miscfiles_read_localization(qatlib_t)
')

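Review bot: The new `allow qatlib_t self:capability { sys_admin sys_module };` in the first hunk hands CAP_SYS_ADMIN to the whole qatlib_t domain, while the only evidence for it in the commit message is the lspci record, whose pread is logged as success=yes exit=64 in enforcing mode (permissive=0) — the read completed without the capability, which looks like the kernel serving only the first 64 bytes of PCI config space to an unprivileged reader (inferred; worth confirming against what qatmgr actually consumes from lspci). If the truncated read is enough, the customary treatment is `dontaudit qatlib_t self:capability sys_admin;` with the grant narrowed to `allow qatlib_t self:capability sys_module;`; if the full read is required, a one-line comment above the rule naming lspci as the reason would keep the grant from being stripped as noise later. For sys_module, the audit record shows modprobe (exe=/usr/bin/kmod) running inside qatlib_t itself; transitioning it with `modutils_domtrans_kmod(qatlib_t)`, or expressing the grant through `kernel_load_module(qatlib_t)` if the tree provides either interface, would keep module loading out of the service domain's own permission set, in the same spirit as the existing `kernel_request_load_module(qatlib_t)` line for kernel-initiated loads.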
