selinux: Allow cockpit_ws_t to read /sys

On Fedora 39 we get this rejection:

  avc:  denied  { read } for comm="cockpit-askpass" name="possible" dev="sysfs"
  scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysfs_t:s0

This also happens for "cockpit-beiboot". Our code doesn't directly
access sysfs (at least not /devices/system/cpu/possible), but glibc
does, and Python somehow inherits this.

There is no harm in letting it read sysfs, and it may even be necessary
for hardware-based authentication schemas, so allow it.
Martin Pitt 2023-09-28 09:03:45 +02:00 committed by Allison Karlitskaya
parent 97f5dc3c5f
commit acbc460fa0
1 changed files with 1 additions and 0 deletions


@ -42,6 +42,7 @@ allow cockpit_ws_t self:process setrlimit;
allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
kernel_read_system_state(cockpit_ws_t)
dev_read_sysfs(cockpit_ws_t)
# cockpit-tls can execute cockpit-ws
can_exec(cockpit_ws_t,cockpit_ws_exec_t)
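Review bot: `dev_read_sysfs(cockpit_ws_t)` grants read access to the whole sysfs_t hierarchy, which is broader than the single denied read of the `possible` file under /sys/devices/system/cpu that the commit message reproduces; if the only trigger is glibc's CPU-count probe, a `dontaudit` on that access would silence the AVC without widening the policy, whereas if hardware-based authentication really does need sysfs, as the message suggests, the broad interface is the right call and the concrete use should be named so the grant stays justified. It would also help to record that reason in a comment above the new line, as the hunk already does for `can_exec` with "# cockpit-tls can execute cockpit-ws".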