fix: suppress spammy AVC denials from Trivalent reading /proc #1526

Merged
RoyalOughtness merged 2 commits into secureblue:live from HastD:trivalent-dontaudit
Nov 6, 2025
Conversation

@HastD HastD commented Oct 29, 2025

The Trivalent launch script reads /proc to determine whether an instance of Trivalent is already running, and this results in a bunch of irrelevant SELinux denials from attempting to read other processes' info. This dontaudit rule suppresses those messages.

RoyalOughtness previously approved these changes Nov 6, 2025
@HastD


[17:05:18 g.i/s/sericea-main-hardened:pr-1526-43] => Compiling targeted trivalent module
[17:05:18 g.i/s/sericea-main-hardened:pr-1526-43] => trivalent.te:318:ERROR 'unrecognized character' at token ''' on line 20046:
[17:05:18 g.i/s/sericea-main-hardened:pr-1526-43] => '
[17:05:18 g.i/s/sericea-main-hardened:pr-1526-43] => #line 318
[17:05:18 g.i/s/sericea-main-hardened:pr-1526-43] => /usr/bin/checkmodule:  error(s) encountered while parsing configuration
[17:05:18 g.i/s/sericea-main-hardened:pr-1526-43] => make: *** [/usr/share/selinux/devel/include/Makefile:157: tmp/trivalent.mod] Error 1

The Trivalent launch script reads `/proc` to determine whether an
instance of Trivalent is already running, and this results in a bunch of
irrelevant SELinux denials from attempting to read other processes'
info. This `dontaudit` rule suppresses those messages.

Signed-off-by: Daniel Hast <[email protected]>
HastD commented Nov 6, 2025

@RoyalOughtness Should be fixed now. Apparently .te files are parsed in such a way that ' characters in comments can cause issues in some contexts...
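
A pre-build check for the failure in the log above, added here as an example and not part of the pull request or the secureblue code base. It assumes the policy source is preprocessed by m4 with the default quote characters (a backtick opens, `'` closes) and that m4 does not treat `#` as a comment inside a quoted block; the function name and the sample policy text are constructed for illustration.

```python
import sys

# Assumption: m4 default quotes (` and ') and '#' comments, with comments
# not recognised inside a quoted string such as optional_policy(` ... ').

def find_risky_comment_quotes(te_source):
    """Return (line_number, char) for each ` or ' that appears in a '#'
    comment located inside an m4-quoted block of a .te file."""
    findings = []
    depth = 0  # current m4 quote nesting depth
    for lineno, line in enumerate(te_source.splitlines(), start=1):
        in_comment = False
        for ch in line:
            if in_comment:
                # Inside quotes, m4 still acts on these characters, so a
                # stray apostrophe ends the block early.
                if depth > 0 and ch in "`'":
                    findings.append((lineno, ch))
                continue
            if ch == "#":
                in_comment = True
            elif ch == "`":
                depth += 1
            elif ch == "'" and depth > 0:
                depth -= 1
    return findings

# Constructed sample: the top-level comment is harmless, the comment inside
# the quoted block is not. Type names are placeholders.
SAMPLE_TE = """\
# Top level: the launcher's /proc scan is harmless here
optional_policy(`
    # don't audit reads of other processes' info
    dontaudit example_t domain:dir search;
')
"""

if __name__ == "__main__":
    status = 0
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as handle:
            for lineno, ch in find_risky_comment_quotes(handle.read()):
                print(f"{path}:{lineno}: m4 quote character {ch!r} in comment")
                status = 1
    sys.exit(status)
```

Run it over the `.te` files before `make`; a non-zero exit means a comment should be reworded.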

@RoyalOughtness RoyalOughtness enabled auto-merge (squash) November 6, 2025 18:45
@RoyalOughtness RoyalOughtness merged commit a2a5510 into secureblue:live Nov 6, 2025
19 checks passed
@HastD HastD deleted the trivalent-dontaudit branch November 6, 2025 19:45