Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #34 from jpichon/bz1732578
Allow Barbican containers to read pki_common_t labels
- Loading branch information
Showing
3 changed files
with
17 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Original file line | Diff line number | Diff line change |
|---|---|---|---|
| @@ -0,0 +1,10 @@ | |||
| policy_module(os-barbican,0.1) | |||
|
|
|||
| gen_require(` | |||
| type container_t; | |||
| type pki_common_t; | |||
| ') | |||
|
|
|||
| # Bugzilla 1732578 | |||
| allow container_t pki_common_t:dir read; | |||
| exec_files_pattern(container_t, pki_common_t, pki_common_t); | |||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Original file line | Diff line number | Diff line change |
|---|---|---|---|
| @@ -0,0 +1,6 @@ | |||
| type=AVC msg=audit(1563895304.208:14480): avc: denied { read } for pid=81224 comm="barbican-manage" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=0 | |||
| type=AVC msg=audit(1563895442.774:14719): avc: denied { read } for pid=94348 comm="httpd" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c111,c895 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=0 | |||
| type=AVC msg=audit(1563899396.472:17769): avc: denied { read } for pid=382136 comm="barbican-manage" name="libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1 | |||
| type=AVC msg=audit(1563899396.472:17769): avc: denied { open } for pid=382136 comm="barbican-manage" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1 | |||
| type=AVC msg=audit(1563899396.472:17770): avc: denied { execute } for pid=382136 comm="barbican-manage" path="/opt/nfast/toolkits/pkcs11/libcknfast.so" dev="vda2" ino=35936420 scontext=system_u:system_r:container_t:s0:c194,c638 tcontext=unconfined_u:object_r:pki_common_t:s0 tclass=file permissive=1 | |||
| type=AVC msg=audit(1563907351.675:23726): avc: denied { read } for pid=960024 comm="ls" name="nfast" dev="vda2" ino=33555398 scontext=system_u:system_r:container_t:s0:c353,c747 tcontext=system_u:object_r:pki_common_t:s0 tclass=dir permissive=0 | |||