
Commit 78f8b23

committed
fapolicyd: fix issue with tmpfs_t write
Update to RHEL 9.8: fapolicyd_t (which is starting /usr/bin/fapolicyd-rpm-loader) is now writing to memfd:rpm_snapshot. Changes to include transition to fapolicyd_tmpfs_t for this memfd node=localhost type=PROCTITLE msg=audit(05/28/2026 14:28:47.058:362): proctitle=fapolicyd-rpm-loader node=localhost type=SYSCALL msg=audit(05/28/2026 14:28:47.058:362): arch=x86_64 syscall=write success=no exit=EACCES(Permission denied) a0=0x4 a1=0x55f492F86720 a2=0x7d a3=0x7f1e99b1c20 items=0 ppid=4500 pid=4501 auid=unset uid=fapolicyd gid=fapolicyd euid=fapolicyd suid=fapolicyd fsuid=fapolicyd egid=fapolicyd sgid=fapolicyd fsgid=fapolicyd tty=(none) ses=unset comm=fapolicyd-rpm-l exe=/usr/bin/fapolicyd-rpm-loader subj=system_u:system_r:fapolicyd_t:s0 key=(null) node=localhost type=AVC msg=audit(05/28/2026 14:28:47,058:362): avc: denied { write } for pid=4501 comm=fapolicyd-rpm-l path=/memfd:rpm_snapshot (deleted) dev="tmpfs" ino=2048 scontext=system_u:object_r:fapolicyd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 Signed-off-by: Dave Sugar <dsugar100@gmail.com>
1 parent 9db69e4 commit 78f8b23

1 file changed

Lines changed: 5 additions & 0 deletions


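--- a/policy/modules/admin/fapolicyd.te
+++ b/policy/modules/admin/fapolicyd.te
@@ -38,6 +38,9 @@ logging_log_file(fapolicyd_log_t)
 type fapolicyd_runtime_t;
 files_runtime_file(fapolicyd_runtime_t)
 
+type fapolicyd_tmpfs_t;
+files_tmpfs_file(fapolicyd_tmpfs_t)
+
 type fagenrules_tmp_t;
 files_tmp_file(fagenrules_tmp_t)
 
@@ -58,6 +61,7 @@ allow fapolicyd_t self:process { setcap setsched };
 
 allow fapolicyd_t fapolicyd_log_t:file { create_file_perms write_file_perms };
 allow fapolicyd_t fapolicyd_runtime_t:dir setattr_dir_perms;
+allow fapolicyd_t fapolicyd_tmpfs_t:file write_inherited_file_perms;
 
 manage_fifo_files_pattern(fapolicyd_t, fapolicyd_runtime_t, fapolicyd_runtime_t)
 manage_files_pattern(fapolicyd_t, fapolicyd_runtime_t, fapolicyd_runtime_t)
@@ -83,6 +87,7 @@ files_watch_all_mount_perm(fapolicyd_t)
 files_watch_all_mount_sb(fapolicyd_t)
 
 fs_getattr_xattr_fs(fapolicyd_t)
+fs_tmpfs_filetrans(fapolicyd_t, fapolicyd_tmpfs_t, file)
 fs_watch_all_fs(fapolicyd_t)
 
 logging_log_filetrans(fapolicyd_t, fapolicyd_log_t, file)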
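Review bot: The new rule at new-side line 64, `allow fapolicyd_t fapolicyd_tmpfs_t:file write_inherited_file_perms;`, grants only the write that the quoted AVC reports, and that AVC was captured with permissive=0, so enforcing mode stopped at the first denial and any later access to the same memfd (read, open, mmap, or getattr by the parent fapolicyd process) would not have been logged yet. It is worth re-running the rpm-loader path with the domain permissive to confirm no further denials follow; if the snapshot is read back, `rw_inherited_file_perms` would be the matching set. Likewise, `fs_tmpfs_filetrans(fapolicyd_t, fapolicyd_tmpfs_t, file)` at new-side line 90 only supplies the type transition, so whether memfd creation on the new type needs any further permission should be confirmed by that same test rather than assumed. The three hunks belong to one policy module rather than a function, and the section is complete within the view.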
