2017-02-27 11:22:26

by Jason Zaman

Subject: [refpolicy] [PATCH 1/2] bootloader: grub-mkconfig needs search perms on PWD (usually homedir)

$ grub2-mkconfig -o /boot/grub/grub.cfg
/usr/sbin/grub2-probe: error: cannot restore the original directory.

Most users/admins call grub2-mkconfig from their home directory, so grant it search rights on the home directory (but no more).

type=AVC msg=audit(1486280243.141:685): avc: denied { getattr } for pid=24648 comm="30_os-prober" path="/root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.141:686): avc: denied { search } for pid=24648 comm="30_os-prober" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.165:687): avc: denied { getattr } for pid=24652 comm="40_custom" path="/root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.165:688): avc: denied { search } for pid=24652 comm="40_custom" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.175:689): avc: denied { getattr } for pid=24653 comm="41_custom" path="/root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.175:690): avc: denied { search } for pid=24653 comm="41_custom" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1486280243.188:691): avc: denied { search } for pid=24578 comm="grub-mkconfig" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0

Gentoo-Bug: https://bugs.gentoo.org/537652
---
policy/modules/admin/bootloader.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
index 39b1d9e..42a8b6d 100644
--- a/policy/modules/admin/bootloader.te
+++ b/policy/modules/admin/bootloader.te
@@ -131,7 +131,7 @@ seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)

userdom_use_user_terminals(bootloader_t)
-userdom_dontaudit_search_user_home_dirs(bootloader_t)
+userdom_search_user_home_dirs(bootloader_t)

ifdef(`distro_debian',`
allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
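Review bot: the audit lines in the message show getattr denials on /root for the helper scripts (30_os-prober, 40_custom, 41_custom) as well as search, but the description only speaks of search rights; confirm that userdom_search_user_home_dirs() also covers getattr on user_home_dir_t, otherwise those scripts will still be denied once the dontaudit is dropped. Since the removed userdom_dontaudit_search_user_home_dirs() line shows this access was deliberately silenced before, the message should also state whether grub2-mkconfig fails outright (the grub2-probe "cannot restore the original directory" error suggests it aborts) rather than merely logging a denial.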
--
2.10.2


2017-03-01 00:54:58

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] bootloader: grub-mkconfig needs search perms on PWD (usually homedir)

On 02/27/17 06:22, Jason Zaman wrote:
> $ grub2-mkconfig -o /boot/grub/grub.cfg
> /usr/sbin/grub2-probe: error: cannot restore the original directory.
>
> Most users/admins call grub2-mkconfig from their home directory, so grant it search rights on the home directory (but no more).
>
> type=AVC msg=audit(1486280243.141:685): avc: denied { getattr } for pid=24648 comm="30_os-prober" path="/root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1486280243.141:686): avc: denied { search } for pid=24648 comm="30_os-prober" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1486280243.165:687): avc: denied { getattr } for pid=24652 comm="40_custom" path="/root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1486280243.165:688): avc: denied { search } for pid=24652 comm="40_custom" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1486280243.175:689): avc: denied { getattr } for pid=24653 comm="41_custom" path="/root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1486280243.175:690): avc: denied { search } for pid=24653 comm="41_custom" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1486280243.188:691): avc: denied { search } for pid=24578 comm="grub-mkconfig" name="root" dev="sda" ino=1179649 scontext=staff_u:sysadm_r:bootloader_t:s0-s0:c0.c1023 tcontext=root:object_r:user_home_dir_t:s0 tclass=dir permissive=0
>
> Gentoo-Bug: https://bugs.gentoo.org/537652
> ---
> policy/modules/admin/bootloader.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/admin/bootloader.te b/policy/modules/admin/bootloader.te
> index 39b1d9e..42a8b6d 100644
> --- a/policy/modules/admin/bootloader.te
> +++ b/policy/modules/admin/bootloader.te
> @@ -131,7 +131,7 @@ seutil_read_loadpolicy(bootloader_t)
> seutil_dontaudit_search_config(bootloader_t)
>
> userdom_use_user_terminals(bootloader_t)
> -userdom_dontaudit_search_user_home_dirs(bootloader_t)
> +userdom_search_user_home_dirs(bootloader_t)
>
> ifdef(`distro_debian',`
> allow bootloader_t bootloader_tmp_t:{ dir file } { relabelfrom relabelto };
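Review bot: user_home_dir_t is the type of every user's home directory, not only /root, so "(but no more)" in the message is a statement about the permission set (search), not about which directories bootloader_t can now traverse; worth spelling out, since the helper scripts run as bootloader_t no matter whose home directory the admin invoked grub2-mkconfig from. If the only need is to return to $PWD after probing, as the subject and the grub2-probe error indicate, an alternative that keeps the dontaudit is to have the wrapper change to / before running the helper scripts.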

Does it break without this access? Otherwise I don't have a problem
with grub itself complaining.

--
Chris PeBenito

2017-03-01 00:55:54

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/2] authlogin: put interface properly inside optional

On 02/27/17 06:22, Jason Zaman wrote:
> ---
> policy/modules/system/authlogin.te | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index ba80a37..dd0cd5d 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -87,7 +87,8 @@ logging_log_file(wtmp_t)
>
> optional_policy(`
> systemd_tmpfilesd_managed(faillog_t, file)
> -') systemd_tmpfilesd_managed(var_auth_t, dir)
> + systemd_tmpfilesd_managed(var_auth_t, dir)
> +')
>
> ########################################
> #
>
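Review bot: the added line `+ systemd_tmpfilesd_managed(var_auth_t, dir)` shows a single space of indentation in the mail rendering while the faillog_t line inside the same block shows none; mail transport commonly strips leading tabs, so check that the committed file indents both calls with a tab, matching the other optional_policy() blocks in authlogin.te.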

Merged.

--
Chris PeBenito

2017-02-27 11:22:27

by Jason Zaman

Subject: [refpolicy] [PATCH 2/2] authlogin: put interface properly inside optional

---
policy/modules/system/authlogin.te | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index ba80a37..dd0cd5d 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -87,7 +87,8 @@ logging_log_file(wtmp_t)

optional_policy(`
systemd_tmpfilesd_managed(faillog_t, file)
-') systemd_tmpfilesd_managed(var_auth_t, dir)
+ systemd_tmpfilesd_managed(var_auth_t, dir)
+')

########################################
#
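Review bot: the commit message body is empty; it should say why the change matters: before the fix the `')` closed optional_policy() on the same line as the var_auth_t call, so systemd_tmpfilesd_managed(var_auth_t, dir) was expanded unconditionally and a build without the systemd module would fail on an undefined interface. Moving `')` onto its own line after the second call makes both calls optional, as the faillog_t call already was.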
--
2.10.2