From: Russell Coker <russell@coker.com.au>
To: Chris PeBenito <pebenito@ieee.org>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] another systemd misc patch
Date: Sat, 9 Oct 2021 21:17:34 +1100
Message-ID: <YWFsPtICHUpvqMCA@xev.coker.com.au>
On Saturday, 6 February 2021 06:44:21 AEDT Chris PeBenito wrote:
> > +interface(`systemd_watch_logind_runtime_dir',`
>
> systemd_watch_logind_runtime_dirs (plural)
Done.
> > +interface(`systemd_watch_logind_sessions_dir',`
>
> systemd_watch_logind_sessions_dirs (plural)
Done.
> > +interface(`systemd_watch_machines_dir',`
>
> systemd_watch_machines_dirs (plural)
Done.
> > - domtrans_pattern($1, systemd_passwd_agent_exec_t,
> > systemd_passwd_agent_t)
> > + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t,
> > systemd_passwd_agent_t)
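Review bot: this swap is not a no-op in refpolicy's misc_patterns.spt, where domtrans_pattern() is domain_auto_transition_pattern() plus the `allow $3 $1:fd use;`, `allow $3 $1:fifo_file rw_fifo_file_perms;` and `allow $3 $1:process sigchld;` rules back to the caller; dropping those silently takes away the password agent's ability to use the caller's inherited fds and pipes and to signal its exit. Keep domtrans_pattern() unless the commit message explains why the narrower pattern is wanted.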
> domtrans_pattern() is the standard pattern. This change has no effect.
OK, I'll remove that.
> > -allow systemd_coredump_t self:capability { dac_override dac_read_search
> > setgid setuid setpcap sys_ptrace }; +allow systemd_coredump_t
> > self:unix_stream_socket connectto;
> > +allow systemd_coredump_t self:capability { dac_override dac_read_search
> > setgid setuid setpcap net_admin sys_ptrace };
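Review bot: net_admin in the allow set is too broad for a core dumper, since the capability also covers interface and routing configuration; if the denial comes from setsockopt(SO_SNDBUFFORCE/SO_RCVBUFFORCE), which systemd retries as SO_SNDBUF/SO_RCVBUF when it fails, a `dontaudit systemd_coredump_t self:capability net_admin;` with a comment is the right rule. The new `self:unix_stream_socket connectto` line is a separate change and also needs a comment or a line in the commit message saying which socket coredump connects to.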
> net_admin? That doesn't seem necessary for core dumping.
That's one of the systemd programs that wanted net_admin to set socket buffers.
I'll dontaudit it.
> > @@ -393,6 +403,32 @@ logging_send_syslog_msg(systemd_coredump
> >
> > seutil_search_default_contexts(systemd_coredump_t)
> >
> > +allow systemd_generator_t self:fifo_file rw_file_perms;
> > +allow systemd_generator_t self:process setfscreate;
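Review bot: these two rules land in the systemd_coredump_t local policy block (right after `seutil_search_default_contexts(systemd_coredump_t)`) and belong under the systemd_generator_t section. `self:process setfscreate` lets the generator choose, among the file types it can already create, the label of files it creates (setfscreatecon); add a comment saying what it labels and check that the matching file type rules exist, otherwise the rule is unexplained.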
> The systemd_generator_t rules need to move to proper places.
Done.
> > @@ -583,6 +642,8 @@ allow systemd_logind_t systemd_sessions_
> >
> > kernel_read_kernel_sysctls(systemd_logind_t)
> >
> > +auth_read_shadow(systemd_logind_t)
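Review bot: auth_read_shadow() gives logind read access to /etc/shadow, i.e. every password hash on the system, for a daemon that does not authenticate anyone. Before granting it, find the AVC that motivated it and check whether it is a stray getattr/search that auth_dontaudit_read_shadow() can silence, or a Debian-only path that should be wrapped in ifdef(`distro_debian', ...) rather than granted unconditionally.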
>
> If this is necessary, it seems Debian specific.
I'll try removing it.
> > @@ -972,6 +1067,7 @@ term_mount_devpts(systemd_nspawn_t)
> >
> > term_search_ptys(systemd_nspawn_t)
> > term_setattr_generic_ptys(systemd_nspawn_t)
> > term_use_ptmx(systemd_nspawn_t)
> >
> > +term_use_generic_ptys(systemd_nspawn_t)
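Review bot: term_use_generic_ptys() grants nspawn rw on devpts_t, the label every pty carries before it is relabelled to a specific pty type, which is wider than a container manager needs and already sits next to term_use_ptmx(). Declare a dedicated pty type for nspawn with term_pty() and use term_create_pty() so the container's ptys get their own label and the generic-pty access can be dropped.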
>
> Perhaps this should have a pty type?
OK.
> > @@ -1519,11 +1627,15 @@ seutil_libselinux_linked(systemd_user_se
> >
> > # systemd-user-runtime-dir local policy
> > #
> >
> > -allow systemd_user_runtime_dir_t self:capability { fowner chown sys_admin
> > dac_read_search dac_override }; +allow systemd_user_runtime_dir_t
> > self:capability { chown dac_override dac_read_search dac_override fowner
> > sys_admin mknod };
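Review bot: dac_override appears twice in the new capability set; drop the duplicate. sys_admin and mknod are added without a comment: sys_admin is what mount(2) needs, and systemd-user-runtime-dir mounts a tmpfs on /run/user/<uid>, so say so next to the rule. CAP_MKNOD is only checked when creating device nodes, so if the motivating operation is unlinking device nodes labelled user_tmp_t the rule needed is unlink on user_tmp_t:{ chr_file blk_file }, not mknod, and nothing in this patch creates device nodes that mknod would back.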
> sys_admin and mknod? What is sys_admin used for; also, I don't see any
> rules for creating devices.
That's because of something that I hadn't included in that patch. It has to
unlink device nodes labelled user_tmp_t.
I just sent another patch for this.
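The review points above come down to reading the AVC together with the syscall that triggered it, which audit2allow's plain translation does not do. As an added example, not code from refpolicy or systemd, the script below pairs each AVC record with the SYSCALL record of the same audit serial and turns the result into refpolicy-style rules, silencing net_admin when it comes from setsockopt() buffer forcing and annotating sys_admin and mknod with what they actually gate. The audit records are constructed for the example, the syscall number table assumes x86_64, and the allow/dontaudit heuristics encode the points raised in this thread rather than any rule refpolicy ships.

```python
"""Added example: triage raw audit.log AVC denials into refpolicy-style rules.

Not part of refpolicy or systemd. Each AVC record is paired with the SYSCALL
record carrying the same audit serial so the decision can look at which
syscall was refused, which separates net_admin asked for by setsockpt()
buffer forcing (safe to dontaudit) from net_admin a program really needs.
"""
import re

AVC_RE = re.compile(
    r"type=AVC msg=audit\([\d.]+:(?P<serial>\d+)\): avc:\s+denied\s+"
    r"\{ (?P<perms>[^}]+) \} for .*?scontext=(?P<scontext>\S+) "
    r"tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)
SYSCALL_RE = re.compile(
    r"type=SYSCALL msg=audit\([\d.]+:(?P<serial>\d+)\): .*?\bsyscall=(?P<nr>\d+)"
)

# Assumption: x86_64 numbering. Raw audit.log carries numbers; `ausearch -i`
# would print the names instead.
X86_64_SYSCALLS = {54: "setsockopt", 87: "unlink", 133: "mknod", 165: "mount", 263: "unlinkat"}

# Constructed sample records (not a real capture), modelled on the denials
# discussed in the thread: coredump wanting net_admin from setsockopt(),
# user-runtime-dir unlinking a user_tmp_t device node and mounting its tmpfs.
SAMPLE_LOG = """\
type=AVC msg=audit(1633773000.101:201): avc:  denied  { net_admin } for  pid=1234 comm="systemd-coredum" capability=12  scontext=system_u:system_r:systemd_coredump_t:s0 tcontext=system_u:system_r:systemd_coredump_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1633773000.101:201): arch=c000003e syscall=54 success=no exit=-1 items=0 pid=1234 comm="systemd-coredum"
type=AVC msg=audit(1633773000.102:202): avc:  denied  { unlink } for  pid=1300 comm="systemd-user-ru" name="tmp-dev" dev="tmpfs" ino=77 scontext=system_u:system_r:systemd_user_runtime_dir_t:s0 tcontext=system_u:object_r:user_tmp_t:s0 tclass=chr_file permissive=0
type=SYSCALL msg=audit(1633773000.102:202): arch=c000003e syscall=263 success=no exit=-1 items=0 pid=1300 comm="systemd-user-ru"
type=AVC msg=audit(1633773000.103:203): avc:  denied  { sys_admin } for  pid=1300 comm="systemd-user-ru" capability=21  scontext=system_u:system_r:systemd_user_runtime_dir_t:s0 tcontext=system_u:system_r:systemd_user_runtime_dir_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1633773000.103:203): arch=c000003e syscall=165 success=no exit=-1 items=0 pid=1300 comm="systemd-user-ru"
""".splitlines()


def _type_of(context):
    """'system_u:system_r:foo_t:s0' -> 'foo_t' (the type is always field 2)."""
    return context.split(":")[2]


def parse(lines):
    """Return one dict per AVC record, with the paired syscall name (or None)."""
    syscalls, avcs = {}, []
    for line in lines:
        m = SYSCALL_RE.search(line)
        if m:
            nr = int(m.group("nr"))
            syscalls[m.group("serial")] = X86_64_SYSCALLS.get(nr, f"syscall_{nr}")
            continue
        m = AVC_RE.search(line)
        if m:
            avcs.append({
                "serial": m.group("serial"),
                "perms": m.group("perms").split(),
                "source": _type_of(m.group("scontext")),
                "target": _type_of(m.group("tcontext")),
                "tclass": m.group("tclass"),
            })
    # SYSCALL records follow their AVC in the log, so pair after the pass.
    for avc in avcs:
        avc["syscall"] = syscalls.get(avc["serial"])
    return avcs


def decide(avc):
    """Return (rule, reason); the heuristics encode the thread's review points."""
    perms = avc["perms"]
    target = "self" if avc["target"] == avc["source"] else avc["target"]
    perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    verb, reason = "allow", f"raised by {avc['syscall'] or 'unknown syscall'}"
    if avc["tclass"] == "capability":
        if perms == ["net_admin"] and avc["syscall"] == "setsockopt":
            # setsockopt() asking for CAP_NET_ADMIN is SO_SNDBUFFORCE/SO_RCVBUFFORCE;
            # systemd retries with the plain option when it fails, so just silence it.
            verb = "dontaudit"
            reason = "setsockopt buffer forcing; systemd falls back to SO_SNDBUF/SO_RCVBUF"
        elif "mknod" in perms:
            # CAP_MKNOD is checked only when creating char/block nodes, never on unlink.
            reason = "mknod(2) gates creating device nodes only; unlinking needs chr_file/blk_file unlink"
        elif "sys_admin" in perms and avc["syscall"] == "mount":
            reason = "mount(2); document the mount point in a comment"
    rule = f"{verb} {avc['source']} {target}:{avc['tclass']} {perm_str};"
    return rule, reason


def triage(lines):
    """Parse a raw audit log and return [(rule, reason), ...] in log order."""
    return [decide(avc) for avc in parse(lines)]


if __name__ == "__main__":
    for rule, reason in triage(SAMPLE_LOG):
        print(f"{rule:<64} # {reason}")
```

On a real system the input is `ausearch -m AVC,SYSCALL --raw`, and the rules still go through the usual refpolicy interfaces (fs_mount_tmpfs() and friends) rather than being pasted in as raw allow lines; the point of the pairing is to decide between allow and dontaudit before that translation happens.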
Thread overview: 8+ messages
2021-10-09 10:17 Russell Coker [this message]
-- strict thread matches above, loose matches on Subject: below --
2021-10-09 10:05 [PATCH] another systemd misc patch Russell Coker
2021-10-27 13:09 ` Chris PeBenito
2021-02-03 3:31 Russell Coker
2021-02-05 19:44 ` Chris PeBenito
2021-02-05 20:18 ` Dominick Grift
2021-02-05 20:31 ` Chris PeBenito
2021-02-05 20:45 ` Dominick Grift