Lldpd update #2409
Merged
Lldpd update #2409
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Note this is lldpd, the ISC-licensed implementation of LLDP.
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(10/24/2024 11:34:00.077:694) : proctitle=/usr/sbin/lldpd -x
type=PATH msg=audit(10/24/2024 11:34:00.077:694) : item=0 name=/run/systemd/userdb/io.systemd.Machine inode=1822 dev=00:1a mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SOCKADDR msg=audit(10/24/2024 11:34:00.077:694) : saddr={ saddr_fam=local path=/run/systemd/userdb/io.systemd.Machine }
type=SYSCALL msg=audit(10/24/2024 11:34:00.077:694) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x8 a1=0x7fffe83dfa90 a2=0x29 a3=0x55841122f010 items=1 ppid=1 pid=12880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(10/24/2024 11:34:00.077:694) : avc: denied { connectto } for pid=12880 comm=lldpd path=/run/systemd/userdb/io.systemd.Machine scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
Resolves: RHEL-61634
This permission is required for lldptool to manage the LLDP settings and
status of lldpad from cli.
Note this is for the lldpad daemon from the lldpad package - Intel LLDP Agent.
The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(10/24/2024 10:30:16.119:1577) : proctitle=/usr/sbin/lldpad -t
type=SOCKADDR msg=audit(10/24/2024 10:30:16.119:1577) : saddr={ saddr_fam=local path=/com/intel/lldpad/19983 }
type=SYSCALL msg=audit(10/24/2024 10:30:16.119:1577) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffe36c70ef0 a2=0x3 a3=0x0 items=0 ppid=1 pid=19351 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null)
type=AVC msg=audit(10/24/2024 10:30:16.119:1577) : avc: denied { sendto } for pid=19351 comm=lldpad path=/com/intel/lldpad/19983 scontext=system_u:system_r:lldpad_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
Resolves: RHEL-40953
Note this is for lldptool and vdptool connecting to the lldpad daemon
from the lldpad package - Intel LLDP Agent.
The commit addresses the following AVC denial example:
type=PROCTITLE msg=audit(10/24/2024 10:22:07.718:854) : proctitle=lldptool -p
type=SOCKADDR msg=audit(10/24/2024 10:22:07.718:854) : saddr={ saddr_fam=local path=/com/intel/lldpad }
type=SYSCALL msg=audit(10/24/2024 10:22:07.718:854) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x55c239a95312 a2=0x14 a3=0x0 items=0 ppid=10028 pid=10029 auid=user27128 uid=user27128 gid=user27128 euid=user27128 suid=user27128 fsuid=user27128 egid=user27128 sgid=user27128 fsgid=user27128 tty=pts3 ses=6 comm=lldptool exe=/usr/sbin/lldptool subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(10/24/2024 10:22:07.718:854) : avc: denied { sendto } for pid=10029 comm=lldptool path=/com/intel/lldpad scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0 tclass=unix_dgram_socket permissive=0
Resolves: RHEL-58072
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.