
[meta-selinux,PATCH2/3] systemd-coredum: Added sepolicy permission to read namespace file type=AVC msg=audit(1776766842.302:2875): avc: denied { read open } for pid=6273 comm="systemd-coredum" path="pid:[4026531836]" dev="nsfs" ino=4026531836 scontext=sys

Message ID 20260527083650.1120804-1-gmisra@qti.qualcomm.com
State New
Series [meta-selinux,PATCH1/3] refpolicy: Addressing denial seen on alsa to allow write on event dev node

Commit Message

Gargi Misra May 27, 2026, 8:36 a.m. UTC
Upstream-Status: Merged [https://github.com/SELinuxProject/refpolicy/pull/1117/changes/75079752d1fb3cd8a394a4c470ec9b1144cec1bd]

Signed-off-by: Gargi Misra <gmisra@qti.qualcomm.com>
---
 ...Added-sepolicy-permission-to-read-na.patch | 29 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc            |  1 +
 2 files changed, 30 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy/0060-systemd-coredum-Added-sepolicy-permission-to-read-na.patch

Patch

diff --git a/recipes-security/refpolicy/refpolicy/0060-systemd-coredum-Added-sepolicy-permission-to-read-na.patch b/recipes-security/refpolicy/refpolicy/0060-systemd-coredum-Added-sepolicy-permission-to-read-na.patch
new file mode 100644
index 0000000..aa6fdc0
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0060-systemd-coredum-Added-sepolicy-permission-to-read-na.patch
@@ -0,0 +1,29 @@ 
+From 099c11e67498afaf28f424ca908ba44dd0c11c3d Mon Sep 17 00:00:00 2001
+From: Gargi Misra <quic_gmisra@quicinc.com>
+Date: Wed, 27 May 2026 13:50:46 +0530
+Subject: [PATCH] systemd-coredum: Added sepolicy permission to read namespace
+ file type=AVC msg=audit(1776766842.302:2875): avc:  denied  { read open } for
+  pid=6273 comm="systemd-coredum" path="pid:[4026531836]" dev="nsfs"
+ ino=4026531836 scontext=system_u:system_r:systemd_coredump_t:s0
+ tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=0
+
+Signed-off-by: Gargi Misra <gmisra@qti.qualcomm.com>
+---
+ policy/modules/system/systemd.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index a18a584f4..1120e719a 100644
+--- a/policy/modules/system/systemd.te
++++ b/policy/modules/system/systemd.te
+@@ -574,6 +574,7 @@ fs_getattr_all_fs(systemd_coredump_t)
+ fs_getattr_nsfs_files(systemd_coredump_t)
+ fs_list_cgroup_dirs(systemd_coredump_t)
+ fs_search_tmpfs(systemd_coredump_t)
++fs_read_nsfs_files(systemd_coredump_t)
+ 
+ init_list_var_lib_dirs(systemd_coredump_t)
+ init_read_state(systemd_coredump_t)
+-- 
+2.43.0
+
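Review bot: the embedded patch file has no Upstream-Status tag in its own header, even though the series commit message reports the change as merged upstream; meta-selinux (like the rest of OE/Yocto) expects the tag inside the patch, so add a line such as `Upstream-Status: Backport [https://github.com/SELinuxProject/refpolicy/pull/1117/changes/75079752d1fb3cd8a394a4c470ec9b1144cec1bd]` above the Signed-off-by. The Subject line also embeds the whole AVC record, so it wraps over five lines in the header; keep the subject short (e.g. `systemd: allow systemd_coredump_t to read nsfs files`, spelling out systemd-coredump instead of the kernel's 15-character truncated comm `systemd-coredum`) and move the `type=AVC msg=audit(1776766842.302:2875): avc: denied { read open } ...` line into the body as the justification. The author address in `From:` (quic_gmisra@quicinc.com) does not match the Signed-off-by address (gmisra@qti.qualcomm.com); pick one so the patch's authorship is consistent. The policy change itself is appropriately narrow: `fs_read_nsfs_files(systemd_coredump_t)` grants exactly the `{ read open }` on `nsfs_t` files that the denial shows, and it sits beside the existing `fs_getattr_nsfs_files(systemd_coredump_t)` call, so no broader interface is being pulled in.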
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index c43ff03..2a2cc78 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -75,6 +75,7 @@  SRC_URI += " \
         file://0057-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
         file://0058-policy-modules-system-logging-make-syslogd_runtime_t.patch \
         file://0059-refpolicy-Addressing-denial-seen-on-alsa.patch \
+        file://0060-systemd-coredum-Added-sepolicy-permission-to-read-na.patch \
         "
 
 S = "${UNPACKDIR}/refpolicy"