Allow wdmd read hardware state information #2059
Merged
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The previous 12885bb ("Allow wdmd list the contents of the sysfs directories") commit was not sufficient as apart from reading the /sys/class/watchdog/watchdog0 symlink, reading the /sys/class/watchdog/watchdog0/identity file is also needed.
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(02/26/2024 09:44:20.607:565) : proctitle=/usr/sbin/wdmd --probe type=PATH msg=audit(02/26/2024 09:44:20.607:565) : item=0 name=/sys/class/watchdog/watchdog0/identity inode=14577 dev=00:14 mode=file,444 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:sysfs_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=SYSCALL msg=audit(02/26/2024 09:44:20.607:565) : arch=s390x syscall=openat success=yes exit=4 a0=AT_FDCWD a1=0x3ffde0f91a8 a2=O_RDONLY a3=0x0 items=1 ppid=46918 pid=46920 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=wdmd exe=/usr/sbin/wdmd subj=system_u:system_r:wdmd_t:s0 key=(null) type=AVC msg=audit(02/26/2024 09:44:20.607:565) : avc: denied { open } for pid=46920 comm=wdmd path=/sys/devices/virtual/watchdog/watchdog0/identity dev="sysfs" ino=14577 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 type=AVC msg=audit(02/26/2024 09:44:20.607:565) : avc: denied { read } for pid=46920 comm=wdmd name=identity dev="sysfs" ino=14577 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=1 type=AVC msg=audit(02/26/2024 09:44:20.607:565) : avc: denied { read } for pid=46920 comm=wdmd name=watchdog0 dev="sysfs" ino=14575 scontext=system_u:system_r:wdmd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=lnk_file permissive=1
Resolves: RHEL-26663