Hi,
I'm an intern from the SELinux team at Red Hat and I am writing a new SELinux policy for
your service, because the service doesn't have a policy.
Here is what the SELinux denial looks like:
type=AVC msg=audit(1565874853.606:832): avc: denied { sys_admin } for pid=9046 comm="stratisd" capability=21 scontext=system_u:system_r:stratisd_t:s0 tcontext=system_u:system_r:stratisd_t:s0 tclass=capability permissive=0
It means that the stratisd process requires the sys_admin capability.
man capabilities:
For the purpose of performing permission checks, traditional UNIX implementations distinguish two categories of processes: privileged processes (whose effective user ID is 0, referred to as superuser or root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes are subject to full permission checking based on the process's credentials (usually: effective UID, effective GID, and supplementary group list).
CAP_SYS_ADMIN capability:
* Perform a range of system administration operations including: quotactl(2), mount(2), umount(2), swapon(2), swapoff(2), sethostname(2), and setdomainname(2);
* perform privileged syslog(2) operations (since Linux 2.6.37, CAP_SYSLOG should be used to permit such operations);
* perform VM86_REQUEST_IRQ vm86(2) command;
* perform IPC_SET and IPC_RMID operations on arbitrary System V IPC objects;
* override RLIMIT_NPROC resource limit;
* perform operations on trusted and security Extended Attributes (see xattr(7));
* use lookup_dcookie(2);
* use ioprio_set(2) to assign IOPRIO_CLASS_RT and (before Linux 2.6.25) IOPRIO_CLASS_IDLE I/O scheduling classes;
* forge PID when passing socket credentials via UNIX domain sockets;
* exceed /proc/sys/fs/file-max, the system-wide limit on the number of open files, in system calls that open files (e.g., accept(2), execve(2), open(2), pipe(2));
* employ CLONE_* flags that create new namespaces with clone(2) and unshare(2) (but, since Linux 3.8, creating user namespaces does not require any capability);
* call perf_event_open(2);
* access privileged perf event information;
* call setns(2) (requires CAP_SYS_ADMIN in the target namespace);
* call fanotify_init(2);
* call bpf(2);
* perform privileged KEYCTL_CHOWN and KEYCTL_SETPERM keyctl(2) operations;
* perform madvise(2) MADV_HWPOISON operation;
* employ the TIOCSTI ioctl(2) to insert characters into the input queue of a terminal other than the caller's controlling terminal;
* employ the obsolete nfsservctl(2) system call;
* employ the obsolete bdflush(2) system call;
* perform various privileged block-device ioctl(2) operations;
* perform various privileged filesystem ioctl(2) operations;
* perform privileged ioctl(2) operations on the /dev/random device (see random(4));
* install a seccomp(2) filter without first having to set the no_new_privs thread attribute;
* modify allow/deny rules for device control groups;
* employ the ptrace(2) PTRACE_SECCOMP_GET_FILTER operation to dump tracee's seccomp filters;
* employ the ptrace(2) PTRACE_SETOPTIONS operation to suspend the tracee's seccomp protections (i.e., the PTRACE_O_SUSPEND_SECCOMP flag);
* perform administrative operations on many device drivers.
Does the stratisd service need one of these operations?
Thanks,
Patrik
--
Patrik Koncity
Intern, Security Technologies
Red Hat, Inc. <https://www.redhat.com/>
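As an added example (not part of Patrik's mail or of the stratisd project), a small Python helper that parses the AVC denial quoted above, cross-checks that capability=21 really is sys_admin and is reported under the object class SELinux uses for it, and derives the allow rule that audit2allow would print. The capability numbers come from <linux/capability.h>; the split at 32 between the "capability" and "capability2" classes is how SELinux defines them.

```python
import re
# Capability numbers from <linux/capability.h>. SELinux checks numbers 0-31
# under object class "capability" and 32 and above under "capability2".
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read",
}

# The denial quoted in the mail, joined back onto a single line.
AVC_LINE = ('type=AVC msg=audit(1565874853.606:832): avc: denied { sys_admin } for '
            'pid=9046 comm="stratisd" capability=21 scontext=system_u:system_r:stratisd_t:s0 '
            'tcontext=system_u:system_r:stratisd_t:s0 tclass=capability permissive=0')

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_avc(line):
    """Split an AVC denial into its permission list and its key=value fields."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    rec["perms"] = m.group("perms").split()
    return rec

def check_capability_record(rec):
    """Cross-check capability number, permission name and object class; returns a list of inconsistencies."""
    cap = int(rec["capability"])
    want_class = "capability" if cap < 32 else "capability2"
    problems = []
    if CAP_NAMES.get(cap) not in rec["perms"]:
        problems.append("capability=%d is %s, not %s" % (cap, CAP_NAMES.get(cap), rec["perms"]))
    if rec.get("tclass") != want_class:
        problems.append("capability %d is class %s, record says %s" % (cap, want_class, rec.get("tclass")))
    return problems

def suggest_rule(rec):
    """Derive the allow rule audit2allow would print; a type checking its own caps is written as 'self'."""
    src, tgt = (c.split(":")[2] for c in (rec["scontext"], rec["tcontext"]))
    perms = sorted(rec["perms"])
    perm_str = perms[0] if len(perms) == 1 else "{ %s }" % " ".join(perms)
    return "allow %s %s:%s %s;" % (src, "self" if src == tgt else tgt, rec["tclass"], perm_str)
```

The rule it derives is the broad grant the mail is trying to avoid; whether a narrower alternative exists depends on the answer to the question above.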