On 3/11/19 2:53 AM, Dominick Grift wrote:
Russell Coker <russell@xxxxxxxxxxxx> writes:type=AVC msg=audit(1552226284.038:2422): avc: denied { mac_admin } for pid=8289 comm="rsync" capability=33 scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=capability2 permissive=0Its for setting invalid labels. Something you generally want to avoid.
Correct. There used to be a neverallow, but when that was removed, we forgot to remove the comment in access_vectors. It's gone now.
The above is from running rsync with the -X option. $ grep -R mac_admin . ./policy/flask/access_vectors: mac_admin # unused by SELinux ./policy/modules/apps/livecd.te:dontaudit livecd_t self:capability2 mac_admin; Grepping the git policy shows that there's a comment saying it's unused as well as a dontaudit rule indicating that it has been used for some time.
-- Chris PeBenito
