On Thu, Jan 09, 2020 at 04:06:38PM -0500, Chris PeBenito wrote:
> I'd like to refine how the policy handles systemd's mounton so that it works
> similar to how we manage mountpoints for mount_t. Since systemd can be made
> to mount over just about anything, I'm looking at adding a new conditional
> that would allow init_t to mounton non_security_file_type, and then an
> interface like files_mountpoint().
> 
> The question is for the implementation of the interface; I see two options,
> either the interface allows mounton for all file-like classes, or the
> classes are specified as a parameter:
> 
> --------
> init.te:
> attribute init_mountpoint_type;
> allow init_t init_mountpoint_type:dir_file_class_set mounton;
> 
> init.if:
> interface(`init_mountpoint',`
> typeattribute $1 init_mountpoint_type;
> ')
> --------
> 
> or
> 
> --------
> init.if:
> interface(`init_mountpoint',`
> allow init_t $1:$2 mounton;
> ')
> --------
> 
> I like the first option because it is clearer since you can see the mounton
> in init.te, but that is excessive access.  The second option could be made
> to look like the first option, but it would need several attributes and
> interfaces, e.g. init_dir_mountpoint_type, init_file_mountpoint_type, etc.
> which isn't so desirable.
> 
> Any thoughts on this?

I implemented the former in my policy. ie the dir_file_class_set equiv..

4163               (allow subj bind_path_obj_type_attribute (dirs (create)))
4164               (allow subj bind_path_obj_type_attribute list_dir_perms)
4165               (allow subj bind_path_obj_type_attribute (dir (mounton)))
4166               (allow subj bind_path_obj_type_attribute create_file_perms)
4167               (allow subj bind_path_obj_type_attribute (file (mounton)))

As you can see i even allow systemd to create the mountpoint in case it does not exist. For example if /etc/machine-id does not exist and I have a BindReadOnlyPath=/etc/machine-id then systemd will touch /etc/machine-id and mount it ro

It also generally buggy. Systemd does not (alway's) use setfscreatecon to create the mountpoints. And sometimes it does use setfscreatecon where it shouldnt.

https://github.com/systemd/systemd/issues/13762

> 
> -- 
> Chris PeBenito

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift