
Lldpd update #2409

Merged
merged 3 commits into from
Oct 24, 2024

Commits on Oct 24, 2024

  1. Allow lldpd connect to systemd-machined over a unix socket

    Note this is lldpd, the ISC-licensed implementation of LLDP.
    
    The commit addresses the following AVC denial:
    type=PROCTITLE msg=audit(10/24/2024 11:34:00.077:694) : proctitle=/usr/sbin/lldpd -x
    type=PATH msg=audit(10/24/2024 11:34:00.077:694) : item=0 name=/run/systemd/userdb/io.systemd.Machine inode=1822 dev=00:1a mode=socket,666 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:systemd_userdbd_runtime_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
    type=SOCKADDR msg=audit(10/24/2024 11:34:00.077:694) : saddr={ saddr_fam=local path=/run/systemd/userdb/io.systemd.Machine }
    type=SYSCALL msg=audit(10/24/2024 11:34:00.077:694) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x8 a1=0x7fffe83dfa90 a2=0x29 a3=0x55841122f010 items=1 ppid=1 pid=12880 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpd exe=/usr/sbin/lldpd subj=system_u:system_r:lldpad_t:s0 key=(null)
    type=AVC msg=audit(10/24/2024 11:34:00.077:694) : avc:  denied  { connectto } for  pid=12880 comm=lldpd path=/run/systemd/userdb/io.systemd.Machine scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0
    
    Resolves: RHEL-61634
    zpytela committed Oct 24, 2024
    f43ebe5
  2. Allow lldpad send to unconfined_t over a unix dgram socket

    This permission is required for lldptool to manage the LLDP settings and
    status of lldpad from cli.
    Note this is for the lldpad daemon from the lldpad package - Intel LLDP Agent.
    
    The commit addresses the following AVC denial:
    type=PROCTITLE msg=audit(10/24/2024 10:30:16.119:1577) : proctitle=/usr/sbin/lldpad -t
    type=SOCKADDR msg=audit(10/24/2024 10:30:16.119:1577) : saddr={ saddr_fam=local path=/com/intel/lldpad/19983 }
    type=SYSCALL msg=audit(10/24/2024 10:30:16.119:1577) : arch=x86_64 syscall=sendto success=no exit=EACCES(Permission denied) a0=0x3 a1=0x7ffe36c70ef0 a2=0x3 a3=0x0 items=0 ppid=1 pid=19351 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=lldpad exe=/usr/sbin/lldpad subj=system_u:system_r:lldpad_t:s0 key=(null)
    type=AVC msg=audit(10/24/2024 10:30:16.119:1577) : avc:  denied  { sendto } for  pid=19351 comm=lldpad path=/com/intel/lldpad/19983 scontext=system_u:system_r:lldpad_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0
    
    Resolves: RHEL-40953
    zpytela committed Oct 24, 2024
    364d626
  3. Allow some confined users send to lldpad over a unix dgram socket

    Note this is for lldptool and vdptool connecting to the lldpad daemon
    from the lldpad package - Intel LLDP Agent.
    
    The commit addresses the following AVC denial example:
    type=PROCTITLE msg=audit(10/24/2024 10:22:07.718:854) : proctitle=lldptool -p
    type=SOCKADDR msg=audit(10/24/2024 10:22:07.718:854) : saddr={ saddr_fam=local path=/com/intel/lldpad }
    type=SYSCALL msg=audit(10/24/2024 10:22:07.718:854) : arch=x86_64 syscall=connect success=no exit=EACCES(Permission denied) a0=0x3 a1=0x55c239a95312 a2=0x14 a3=0x0 items=0 ppid=10028 pid=10029 auid=user27128 uid=user27128 gid=user27128 euid=user27128 suid=user27128 fsuid=user27128 egid=user27128 sgid=user27128 fsgid=user27128 tty=pts3 ses=6 comm=lldptool exe=/usr/sbin/lldptool subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null)
    type=AVC msg=audit(10/24/2024 10:22:07.718:854) : avc:  denied  { sendto } for  pid=10029 comm=lldptool path=/com/intel/lldpad scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0 tclass=unix_dgram_socket permissive=0
    
    Resolves: RHEL-58072
    zpytela committed Oct 24, 2024
    dd744e3
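Each of the three commits above turns one AVC denial into a policy allow rule. The script below is an added example, not code from the selinux-policy project or from this PR: it parses the `type=AVC` records quoted in the three commit messages (embedded verbatim as sample input) the way audit2allow would, extracts the source type, target type, object class and permissions, and prints one `allow` rule per (source, target, class) triple with the permissions merged. The function names, the `explain()` summary format and the extra two-record merge case in the test are this example's own assumptions; the regexes assume `ausearch -i` style output where field values are unquoted, as in the records on this page.

```python
"""Turn raw SELinux AVC denial records into audit2allow-style allow rules."""
import re
from collections import defaultdict

# Constructed sample input: the three type=AVC records quoted verbatim in the
# commit messages above (ausearch -i style, so field values are not quoted).
AVC_RECORDS = [
    "type=AVC msg=audit(10/24/2024 11:34:00.077:694) : avc:  denied  { connectto } for  pid=12880 comm=lldpd path=/run/systemd/userdb/io.systemd.Machine scontext=system_u:system_r:lldpad_t:s0 tcontext=system_u:system_r:systemd_machined_t:s0 tclass=unix_stream_socket permissive=0",
    "type=AVC msg=audit(10/24/2024 10:30:16.119:1577) : avc:  denied  { sendto } for  pid=19351 comm=lldpad path=/com/intel/lldpad/19983 scontext=system_u:system_r:lldpad_t:s0 tcontext=sysadm_u:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=unix_dgram_socket permissive=0",
    "type=AVC msg=audit(10/24/2024 10:22:07.718:854) : avc:  denied  { sendto } for  pid=10029 comm=lldptool path=/com/intel/lldpad scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:system_r:lldpad_t:s0 tclass=unix_dgram_socket permissive=0",
]

# "avc:  denied  { perm perm } for  key=value key=value ..."
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$"
)
# key=value pairs; raw audit.log quotes comm="..." while ausearch -i does not
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx}")
    return parts[2]


def parse_avc(line):
    """Parse one audit record; return a dict, or None if it is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    missing = {"scontext", "tcontext", "tclass"} - set(fields)
    if missing:
        raise ValueError(f"AVC record lacks {sorted(missing)}: {line}")
    return {
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        "pid": int(fields["pid"]) if "pid" in fields else None,
        "comm": fields.get("comm"),
        "path": fields.get("path"),
        "stype": context_type(fields["scontext"]),
        "ttype": context_type(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the access was only logged, not actually blocked
        "enforced": fields.get("permissive", "0") == "0",
    }


def derive_allow_rules(lines):
    """Collapse denials into one allow rule per (source, target, class), perms merged."""
    grouped = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        grouped[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    rules = []
    for (stype, ttype, tclass), perms in grouped.items():
        perm_str = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_str = "{ " + perm_str + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {perm_str};")
    return sorted(rules)


def explain(line):
    """One-line human summary of a denial, for triage notes."""
    rec = parse_avc(line)
    if rec is None:
        return None
    where = f" on {rec['path']}" if rec["path"] else ""
    mode = "denied" if rec["enforced"] else "would be denied (permissive)"
    return (f"{rec['comm']} (pid {rec['pid']}) running as {rec['stype']} was {mode} "
            f"{' '.join(sorted(rec['perms']))} to a {rec['tclass']}{where} "
            f"labelled {rec['ttype']}")


if __name__ == "__main__":
    for record in AVC_RECORDS:
        print(explain(record))
    print()
    print("\n".join(derive_allow_rules(AVC_RECORDS)))
```

The raw rules name exactly the domains that appear in the log (`sysadm_t` as the target of the second denial, `staff_t` as the source of the third), which is why a policy author generalises through attributes or interfaces instead of pasting the output into the policy. Note also that `permissive=1` records come from a permissive domain or system and describe accesses that were logged but not blocked; the parser keeps them, since they are still evidence of what the policy would deny once enforced.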