Allow fstab generator dac_read_search capability #2136
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Cockpit tests failed for commit 830b0d2. @martinpitt, @jelly, @mvollmer please check. |
|
Cockpit tests failed for commit e1e3db2. @martinpitt, @jelly, @mvollmer please check. |
|
The Cockpit tests started to fail due to a tricky udisks2 regression in rawhide. We are investigating in cockpit-project/cockpit#20520 ASAP. In the meantime, please ignore the TestStorageAnaconda failures. Sorry for the noise! |
|
What an odyssey -- we finally found the root cause and worked around it. @zpytela I restarted the failing tests in the recent PRs. |
|
ah dang -- needs #2138 first, as I also reorganized the test plans. After that lands, I'll re-run all the failed PRs. |
The dac_override capability has already been allowed, so it makes
sense to allow dac_read_search, too, as the latter one is actually
the first one checked by kernel.
The commit addresses the following AVC denial:
type=AVC msg=audit(1716307981.986:354): avc: denied { dac_read_search } for pid=12422 comm="systemd-fstab-g" capability=2 scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:systemd_fstab_generator_t:s0 tclass=capability permissive=0
|
Addressed by #2136 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The dac_override capability has already been allowed, so it makes sense to allow dac_read_search, too, as the latter one is actually the first one checked by kernel.