From: Dominick Grift <dac.override@gmail.com>
To: Ian Pilcher <arequipeno@gmail.com>
Cc: selinux@vger.kernel.org, Systemd <systemd-devel@lists.freedesktop.org>
Subject: Re: [systemd SELinux] system status permission
Date: Mon, 7 Oct 2019 18:51:57 +0200 [thread overview]
Message-ID: <20191007165157.GC1088825@brutus.lan> (raw)
In-Reply-To: <ae9ac0bb-0354-4d5a-fce7-dfc37481f439@gmail.com>
[-- Attachment #1: Type: text/plain, Size: 2097 bytes --]
On Mon, Oct 07, 2019 at 11:03:44AM -0500, Ian Pilcher wrote:
> I am hitting this (non-fatal) denial when reloading a service via the
> systemd dbus API:
>
> > type=USER_AVC msg=audit(1570462081.809:743): pid=1 uid=0
> > auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0
> > msg='avc: denied { status } for auid=n/a uid=0 gid=1001
> > cmdline="/usr/bin/python2 /usr/local/bin/test.py"
> > scontext=system_u:system_r:denatc_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=system
> > exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
> https://selinuxproject.org/page/NB_ObjectClassesPermissions defines this
> permission as "Get system status information," which isn't particularly
> helpful.
>
> Ultimately, I need to decide whether to allow or "dontaudit" this
> denial, so any information/pointers on what systemd is doing here and
> what functionality I will lose if I dontaudit this denial would be
> appreciated.
Not sure but this is my best bet:
Generally, i think, its about "getting" information from systemd1, as opposed to setting things.
Stuff like: introspection, getting info about objects it manages, about it's properties.
Theres a lot of "status information" to be gotten I guess. Introspect systemd1 to see what all is there.
But if you reload a unit, I gather, you might get some status information about it from systemd1.
I guess you can probably see the methods that are being invoked if you set the systemd loglevel to debug
systemd-analyze log-level debug && systemctl reload foo && journalctl -rb
>
> Thanks!
>
> --
> ========================================================================
> Ian Pilcher arequipeno@gmail.com
> -------- "I grew up before Mark Zuckerberg invented friendship" --------
> ========================================================================
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]
next prev parent reply other threads:[~2019-10-07 16:52 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-07 16:03 [systemd SELinux] system status permission Ian Pilcher
2019-10-07 16:51 ` Dominick Grift [this message]
2019-10-07 17:09 ` Dominick Grift
2019-10-07 18:31 ` Ian Pilcher
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191007165157.GC1088825@brutus.lan \
--to=dac.override@gmail.com \
--cc=arequipeno@gmail.com \
--cc=selinux@vger.kernel.org \
--cc=systemd-devel@lists.freedesktop.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).