* denied { allowed }
@ 2026-05-23  1:45 Russell Coker
  2026-05-23 23:14 ` Christian Göttsche
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2026-05-23  1:45 UTC (permalink / raw)
  To: selinux-refpolicy

Why do we have a permission named "allowed"?  The syscall is io_uring_setup so 
surely "setup" would be a reasonable permission name.

"allowed" gives no indication of what the permission is actually for and 
results in confusing log entries and policy.

/var/log/audit/audit.log.1:type=AVC msg=audit(1779420151.752:71961): avc:  
denied  { allowed } for  pid=866175 comm="dig" 
scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=io_uring 
permissive=0
/var/log/audit/audit.log.1:type=SYSCALL msg=audit(1779420151.752:71961): 
arch=c000003e syscall=425 success=no exit=-13 a0=100 a1=7ffc066fd1f0 a2=0 a3=c 
items=0 ppid=866150 pid=866175 auid=1027 uid=1027 gid=1028 euid=1027 suid=1027 
fsuid=1027 egid=1028 sgid=1028 fsgid=1028 tty=pts1 ses=2320 comm="dig" exe="/
usr/bin/dig" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 
key=(null)ARCH=x86_64 SYSCALL=io_uring_setup AUID="yifei" UID="yifei" 
GID="yifei" EUID="yifei" SUID="yifei" FSUID="yifei" EGID="yifei" SGID="yifei" 
FSGID="yifei"

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
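
An added example, not part of the original message: a small Python script that pairs each AVC denial with the SYSCALL record sharing the same `audit(timestamp:serial)` id, so that a denial such as `{ allowed }` on `io_uring` is reported together with the syscall that triggered it. `SAMPLE` is the two records from the message, unwrapped and shortened; the function and field names in the result are assumptions of this example.

```python
import re
from collections import defaultdict

# The two records from the message above, unwrapped onto one line each and
# shortened to the fields this example reads.
SAMPLE = """\
type=AVC msg=audit(1779420151.752:71961): avc:  denied  { allowed } for  pid=866175 comm="dig" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=io_uring permissive=0
type=SYSCALL msg=audit(1779420151.752:71961): arch=c000003e syscall=425 success=no exit=-13 pid=866175 comm="dig" exe="/usr/bin/dig" key=(null) ARCH=x86_64 SYSCALL=io_uring_setup
"""

HEADER = re.compile(r"type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)")
DENIED = re.compile(r"avc:\s+denied\s+\{ ([^}]*) \}")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def fields(body):
    """Split the key=value part of a record into a dict, dropping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(body)}


def annotate_denials(text):
    """Pair each AVC denial with the SYSCALL record of the same audit event."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.search(line)  # search() tolerates a "file:" prefix from grep
        if m:
            rtype, stamp, serial, body = m.groups()
            # Records sharing timestamp:serial belong to one event; this
            # example keeps only the last record of each type per event.
            events[(stamp, serial)][rtype] = body
    results = []
    for (stamp, serial), recs in events.items():
        denied = DENIED.search(recs.get("AVC", ""))
        if not denied:
            continue
        avc, sc = fields(recs["AVC"]), fields(recs.get("SYSCALL", ""))
        results.append({
            "event": f"{stamp}:{serial}",
            "comm": avc.get("comm"),
            "tclass": avc.get("tclass"),
            "perms": denied.group(1).split(),
            # Prefer the interpreted name; fall back to the raw number.
            "syscall": sc.get("SYSCALL", sc.get("syscall")),
            "exit": sc.get("exit"),
        })
    return results


if __name__ == "__main__":
    for d in annotate_denials(SAMPLE):
        print(d)
```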



