fix avc denial for dbus-broker #1434

Merged: 2 commits, Apr 1, 2021

bcressey
Contributor

Issue number:
Fixes #1364.

Description of changes:
Allows dbus-broker to query systemd for job status.

Testing done:
Built aws-dev and ran it under KVM, no AVC denials logged.

Built aws-k8s-1.18 and it joined a cluster, brought up pods, no AVC denials logged.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

Signed-off-by: Ben Cressey <[email protected]>
Starting in version 27, dbus-broker attempts to listen to JobRemoved
signals using the systemd API, which requires additional permissions.

Signed-off-by: Ben Cressey <[email protected]>
@bcressey bcressey requested review from tjkirch and arnaldo2792 March 31, 2021 22:35
@bcressey
Contributor Author

I updated to version 28 to make sure we wouldn't need another policy fix when we updated.

Contributor

@arnaldo2792 arnaldo2792 left a comment

🥇

@bcressey bcressey merged commit e04cdf5 into bottlerocket-os:develop Apr 1, 2021
@bcressey bcressey deleted the dbus-broker-avc branch April 1, 2021 21:11
Successfully merging this pull request may close these issues.

avc denial for dbus-broker