From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: /run/systemd/inaccessible
Date: Thu, 27 Feb 2020 13:20:49 +0100
Message-ID: <87zhd4b4ri.fsf@gmail.com>
In-Reply-To: <6385652.IY5x3zMeex@xev> (Russell Coker's message of "Thu, 27 Feb 2020 21:39:29 +1100")

Russell Coker writes:

> allow systemd_logind_t init_var_run_t:chr_file write;
>
> audit2allow shows me that the above is attempted on Debian/Unstable. What's
> this inaccessible directory about anyway?

systemd-userruntimedir (245) now also creates it in /run/user/%{USERID}
probably used for InaccessiblePath= directive but I am not sure.

>
> # ls -lZ /run/systemd/inaccessible
> total 0
> b---------. 1 root root system_u:object_r:init_var_run_t:s0 0, 0 Feb 27 13:36 blk
> c---------. 1 root root system_u:object_r:init_var_run_t:s0 0, 0 Feb 27 13:36 chr
> d---------. 2 root root system_u:object_r:init_var_run_t:s0 40 Feb 27 13:36 dir
> p---------. 1 root root system_u:object_r:init_var_run_t:s0 0 Feb 27 13:36 fifo
> ----------. 1 root root system_u:object_r:init_var_run_t:s0 0 Feb 27 13:36 reg
> s---------. 1 root root system_u:object_r:init_var_run_t:s0 0 Feb 27 13:36 sock

-- 
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift