Allow polkit-agent-helper-1 read logind sessions files
This permission is required to open and read files in /run/systemd/sessions when user is mapped to a confined SELinux user. The following AVC denial is addressed:

type=PROCTITLE msg=audit(8.3.2021 19:34:41.769:1086) : proctitle=/usr/lib/polkit-1/polkit-agent-helper-1 user
type=PATH msg=audit(8.3.2021 19:34:41.769:1086) : item=0 name=/run/systemd/sessions/2 inode=1964 dev=00:1a mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_logind_sessions_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(8.3.2021 19:34:41.769:1086) : cwd=/home/user
type=SYSCALL msg=audit(8.3.2021 19:34:41.769:1086) : arch=x86_64 syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x55be759ef6a0 a2=O_RDONLY|O_CLOEXEC a3=0x0 items=1 ppid=1883 pid=43807 auid=user uid=user gid=user euid=root suid=root fsuid=root egid=user sgid=user fsgid=user tty=(none) ses=2 comm=polkit-agent-he exe=/usr/lib/polkit-1/polkit-agent-helper-1 subj=staff_u:staff_r:policykit_auth_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(8.3.2021 19:34:41.769:1086) : avc: denied { open } for pid=43807 comm=polkit-agent-he path=/run/systemd/sessions/2 dev="tmpfs" ino=1964 scontext=staff_u:staff_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file permissive=1
type=AVC msg=audit(8.3.2021 19:34:41.769:1086) : avc: denied { read } for pid=43807 comm=polkit-agent-he name=2 dev="tmpfs" ino=1964 scontext=staff_u:staff_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file permissive=1
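The two AVC records quoted in the commit message are the raw material for the policy change. The following is an added example, not code from the commit or from the policy project: it parses the AVC lines exactly as they appear above, merges the denied permissions per (source type, target type, object class) triple, and renders the result as a plain `allow` rule in the style audit2allow produces. The rendered rule is illustrative; the commit's actual policy patch is not shown on this page and may use policy macros instead.

```python
import re

# Audit records quoted in the commit message above (copied from the page, not constructed).
AVC_RECORDS = """\
type=AVC msg=audit(8.3.2021 19:34:41.769:1086) : avc: denied { open } for pid=43807 comm=polkit-agent-he path=/run/systemd/sessions/2 dev="tmpfs" ino=1964 scontext=staff_u:staff_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file permissive=1
type=AVC msg=audit(8.3.2021 19:34:41.769:1086) : avc: denied { read } for pid=43807 comm=polkit-agent-he name=2 dev="tmpfs" ino=1964 scontext=staff_u:staff_r:policykit_auth_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_logind_sessions_t:s0 tclass=file permissive=1
"""

# Matches the fields of one AVC denial: the braced permission list, then the
# source context, target context and object class that follow it on the line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def parse_avc(text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PROCTITLE, PATH, CWD and SYSCALL records carry no denial
        # A context is user:role:type:level; the type is the third field.
        stype = m.group("scontext").split(":")[2]
        ttype = m.group("tcontext").split(":")[2]
        perms = frozenset(m.group("perms").split())
        yield stype, ttype, m.group("tclass"), perms


def summarize(text):
    """Merge denials that share (source, target, class) into one permission set."""
    merged = {}
    for stype, ttype, tclass, perms in parse_avc(text):
        merged.setdefault((stype, ttype, tclass), set()).update(perms)
    return merged


def allow_rules(text):
    """Render each merged denial as a plain SELinux allow rule (audit2allow style)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(summarize(text).items())
    ]


if __name__ == "__main__":
    for rule in allow_rules(AVC_RECORDS):
        print(rule)
```

For the two records above this yields a single rule granting `open` and `read` on `systemd_logind_sessions_t` files to `policykit_auth_t`, which is the permission the commit title describes. Note `permissive=1` and `success=yes` in the quoted records: the domain was in permissive mode, so the open succeeded and was only logged. A rule generated this way is a starting point for review against the policy's existing interfaces, not something to load as-is.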