Comment 10 for bug 1977873

Julie Pichon (jpichon) wrote:

I wonder if perhaps class/type checking was improved and picked up on an existing problem.

Looking at the access vectors, setpgid should have been defined as "class process" [0] but it was mistakenly set to "class capability" [1] like dac_override [2] and setpcap [3].

Once I updated libselinux to the "bad" version, I failed to build neutron. But if I change the definition to "class process setpgid;" it works again.

[0] https://github.com/fedora-selinux/selinux-policy/blob/0846d11/policy/flask/access_vectors#L356
[1] https://github.com/redhat-openstack/openstack-selinux/blob/8d0bf6c851aad1cedcc4b38f1c6fda4c8e62ba81/os-neutron.te#L23
[2] https://github.com/fedora-selinux/selinux-policy/blob/0846d11/policy/flask/access_vectors#L144
[3] https://github.com/fedora-selinux/selinux-policy/blob/0846d11/policy/flask/access_vectors#L151
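The check that bites here (a permission named in an allow rule must belong to the object class the rule is written against) is what checkpolicy performs when the module is compiled. The script below is an added example, not code from the bug report, from openstack-selinux, or from libselinux. It reads a constructed excerpt in the layout of policy/flask/access_vectors ("common" blocks, "class ... inherits" blocks) and a constructed allow rule in the shape the comment describes, and reports every permission used on a class that does not define it, along with the classes that do. The excerpts, the function names and the neutron_t rule are assumptions made for the example; the real files are the ones linked above.

```python
"""Flag permissions used on the wrong SELinux object class.

Mirrors the class/permission check a policy compiler performs: every
permission in an access-vector (allow/dontaudit/...) rule must be defined
for the class named in that rule, either directly or via an inherited
'common' block.
"""
import re

# Constructed excerpt in the layout of policy/flask/access_vectors; it is
# NOT the real file, only enough to show setpgid living under class process
# while dac_override/setpcap live under class capability.
ACCESS_VECTORS = """
# capabilities shared via a common block
common cap
{
	chown
	dac_override
	setpcap
	sys_admin
}

class capability
inherits cap

class process
{
	fork
	transition
	setpgid
	setcap
}
"""

# Constructed .te excerpt (not the real os-neutron.te): the first rule puts
# setpgid on class capability, the second is the corrected form.
POLICY_TE = """
allow neutron_t self:capability { dac_override setpcap setpgid };
allow neutron_t self:process setpgid;
"""

# 'common NAME { perms }' or 'class NAME [inherits COMMON] [{ perms }]'
_BLOCK_RE = re.compile(
    r"^(common|class)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*(?:\{([^}]*)\})?",
    re.MULTILINE,
)

# 'allow SRC TGT:CLASS perm;' or 'allow SRC TGT:CLASS { perm ... };'
_AV_RULE_RE = re.compile(
    r"^\s*(allow|auditallow|dontaudit|neverallow)\s+(\S+)\s+(\S+):(\w+)\s+"
    r"(\{[^}]*\}|\w+)\s*;",
    re.MULTILINE,
)


def parse_access_vectors(text):
    """Return {class_name: set(permissions)} with common blocks expanded."""
    text = re.sub(r"#.*", "", text)  # drop comments
    commons, classes = {}, {}
    for kind, name, parent, body in _BLOCK_RE.findall(text):
        perms = set(body.split())
        if kind == "common":
            commons[name] = perms
        else:
            if parent:
                perms |= commons[parent]  # KeyError on an undefined common
            classes[name] = perms
    return classes


def parse_av_rules(text):
    """Return [(kind, source, target, class, set(perms))] for each AV rule."""
    text = re.sub(r"#.*", "", text)
    rules = []
    for kind, src, tgt, cls, perms in _AV_RULE_RE.findall(text):
        rules.append((kind, src, tgt, cls, set(perms.strip("{}").split())))
    return rules


def find_misplaced_perms(classes, rules):
    """Return [(class, perm, [classes that do define perm])] for bad perms.

    A permission unknown to every class is reported with an empty list;
    an unknown class is reported as (class, None, [])."""
    problems = []
    for _kind, _src, _tgt, cls, perms in rules:
        if cls not in classes:
            problems.append((cls, None, []))
            continue
        for perm in sorted(perms - classes[cls]):
            owners = sorted(c for c, ps in classes.items() if perm in ps)
            problems.append((cls, perm, owners))
    return problems


if __name__ == "__main__":
    found = find_misplaced_perms(parse_access_vectors(ACCESS_VECTORS),
                                 parse_av_rules(POLICY_TE))
    for cls, perm, owners in found:
        if perm is None:
            print(f"unknown class {cls!r}")
        else:
            print(f"{perm!r} is not a permission of class {cls!r}; "
                  f"defined for: {', '.join(owners) or 'no class'}")
```

Run as-is it reports that setpgid is not a permission of class capability and that class process defines it, which is exactly the fix the comment describes ("class process setpgid;"). Point the two constants at a real access_vectors file and a real .te module to check a policy for the same kind of mismatch before a stricter libselinux/checkpolicy rejects it at build time.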