selinux: Allow cockpit_ws_t to read /sys
On Fedora 39 we get this rejection:

avc: denied { read } for comm="cockpit-askpass" name="possible" dev="sysfs" scontext=system_u:system_r:cockpit_ws_t:s0 tcontext=system_u:object_r:sysfs_t:s0

This also happens for "cockpit-beiboot". Our code doesn't directly access sysfs (at least not /devices/system/cpu/possible), but glibc does, and Python somehow inherits this. There is no harm in letting it read sysfs, and it may even be necessary for hardware-based authentication schemas, so allow it.
parent 97f5dc3c5f
commit acbc460fa0
@ -42,6 +42,7 @@ allow cockpit_ws_t self:process setrlimit;
allow cockpit_ws_t self:tcp_socket create_stream_socket_perms;
kernel_read_system_state(cockpit_ws_t)
dev_read_sysfs(cockpit_ws_t)
# cockpit-tls can execute cockpit-ws
can_exec(cockpit_ws_t,cockpit_ws_exec_t)
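Review bot: the new `dev_read_sysfs(cockpit_ws_t)` line grants read access to every node labelled sysfs_t, which is far wider than the single `/sys/devices/system/cpu/possible` read that the commit message cites for cockpit-askpass and cockpit-beiboot, and the policy file itself carries no note of why cockpit_ws_t (the type running the login and password-prompt path) needs it. The neighbouring rule has a comment (`# cockpit-tls can execute cockpit-ws`); give this one the same treatment so the scope of the grant is documented where it lives and can be revisited, e.g. `# glibc reads /sys/devices/system/cpu/possible (seen from cockpit-askpass and cockpit-beiboot)` directly above `dev_read_sysfs(cockpit_ws_t)`. Also worth stating in the commit message that the "hardware based authentication" justification is a possibility, not an observed denial, since the only AVC quoted is the glibc CPU-count read.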