* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t @ 2017-12-15 21:48 Nicolas Iooss 2017-12-16 10:00 ` Dominick Grift 2017-12-17 20:29 ` Chris PeBenito 0 siblings, 2 replies; 8+ messages in thread From: Nicolas Iooss @ 2017-12-15 21:48 UTC (permalink / raw) To: refpolicy systemd defines in /usr/lib/systemd several directories which can contain scripts or executable files: - system-environment-generators/ and user-environment-generators/ documented in https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html - system-shutdown/ documented in https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html - system-sleep/ documented in https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html Currently the content of these directories is labelled lib_t, which causes the following AVC on Arch Linux: avc: denied { execute_no_trans } for pid=10308 comm="systemd" path="/usr/lib/systemd/system-environment-generators/10-arch" dev="vda1" ino=543182 scontext=system_u:system_r:init_t tcontext=system_u:object_r:lib_t tclass=file permissive=1 For information /usr/lib/systemd/system-environment-generators/10-arch only defines $PATH and its content is available on https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem --- policy/modules/kernel/corecommands.fc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc index c2b93ecf5039..f2e4f5118d5f 100644 --- a/policy/modules/kernel/corecommands.fc +++ b/policy/modules/kernel/corecommands.fc 
@@ -221,7 +221,11 @@ ifdef(`distro_gentoo',` /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) -- 2.15.0 ^ permalink raw reply related [flat|nested] 8+ messages in thread
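Review bot: the commit message states which denial goes away but not what the new labels make systemd do, and that is the part a reader of this hunk needs: bin_t is the type on which init_t domain-transitions to initrc_t, so with these five specs the environment generators and the system-shutdown and system-sleep hooks no longer execute in init_t at all but in initrc_t, and whatever they exec in turn (the replies use a system-shutdown script that runs mdadm) is governed by initrc_t's transitions rather than init_t's. Please add a sentence saying that this is the intended outcome, since the alternative raised in the replies, a dedicated exec type plus `allow init_t <type>:file execute_no_trans`, keeps such scripts in PID 1's domain and is a different trade-off. Two smaller points: `user-environment-generators(/.*)?` and the neighbouring `user-generators(/.*)?` are executed by `systemd --user`, not by PID 1, so the AVC quoted for init_t does not cover them and the message could say they are labelled for consistency; and because this is a file-contexts-only change, existing installs keep lib_t on these files until `restorecon -R /usr/lib/systemd` is run after the policy is rebuilt, which is worth noting for anyone backporting the patch to silence the denial.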
* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t 2017-12-15 21:48 [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t Nicolas Iooss @ 2017-12-16 10:00 ` Dominick Grift 2017-12-17 20:33 ` Chris PeBenito 2017-12-17 20:29 ` Chris PeBenito 1 sibling, 1 reply; 8+ messages in thread 
From: Dominick Grift @ 2017-12-16 10:00 UTC (permalink / raw) To: refpolicy On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote: > systemd defines in /usr/lib/systemd several directories which can > contain scripts or executable files: > - system-environment-generators/ and user-environment-generators/ > documented in > https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html > - system-shutdown/ documented in > https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html > - system-sleep/ documented in > https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html > > Currently the content of these directories is labelled lib_t, which > causes the following AVC on Arch Linux: > > avc: denied { execute_no_trans } for pid=10308 comm="systemd" > path="/usr/lib/systemd/system-environment-generators/10-arch" > dev="vda1" ino=543182 scontext=system_u:system_r:init_t > tcontext=system_u:object_r:lib_t tclass=file permissive=1 Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not be what you want. In my personal policy i created a special type for stuff i want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t. Then there is basically a rule : allow init_t systemd_helper_exec_t:file execute_no_trans; Its a matter of taste, subjective. > > For information /usr/lib/systemd/system-environment-generators/10-arch > only defines $PATH and its content is available on > https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem > --- > policy/modules/kernel/corecommands.fc | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc > index c2b93ecf5039..f2e4f5118d5f 100644 > --- a/policy/modules/kernel/corecommands.fc > +++ b/policy/modules/kernel/corecommands.fc 
> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',` > /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) > /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) > -- > 2.15.0 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171216/3a23b676/attachment.bin ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t 2017-12-16 10:00 ` Dominick Grift @ 2017-12-17 20:33 ` Chris PeBenito 2017-12-20 16:33 ` Dominick Grift 0 siblings, 1 reply; 8+ messages in thread 
From: Chris PeBenito @ 2017-12-17 20:33 UTC
To: refpolicy

On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote:
> On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote:
>> systemd defines in /usr/lib/systemd several directories which can
>> contain scripts or executable files:
>> - system-environment-generators/ and user-environment-generators/
>> documented in
>> https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
>> - system-shutdown/ documented in
>> https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
>> - system-sleep/ documented in
>> https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
>>
>> Currently the content of these directories is labelled lib_t, which
>> causes the following AVC on Arch Linux:
>>
>> avc: denied { execute_no_trans } for pid=10308 comm="systemd"
>> path="/usr/lib/systemd/system-environment-generators/10-arch"
>> dev="vda1" ino=543182 scontext=system_u:system_r:init_t
>> tcontext=system_u:object_r:lib_t tclass=file permissive=1
>
> Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not be what you want.
>
> In my personal policy I created a special type for stuff I want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t.
>
> Then there is basically a rule: allow init_t systemd_helper_exec_t:file execute_no_trans;
>
> It's a matter of taste, subjective.

I don't think it's as subjective as you think. It keeps init_t from
getting extra permissions over time which PID 1 doesn't need. initrc_t
gets big, yes, but those are short-running processes, while init_t is
long-running.
>> For information /usr/lib/systemd/system-environment-generators/10-arch >> only defines $PATH and its content is available on >> https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem >> --- >> policy/modules/kernel/corecommands.fc | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc >> index c2b93ecf5039..f2e4f5118d5f 100644 >> --- a/policy/modules/kernel/corecommands.fc >> +++ b/policy/modules/kernel/corecommands.fc >> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',` >> /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0) >> /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) >> /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) >> +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) >> /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) >> +/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) >> +/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) >> +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) >> /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) >> /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) >> /usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) -- Chris PeBenito ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t 2017-12-17 20:33 ` Chris PeBenito @ 2017-12-20 16:33 ` Dominick Grift 2017-12-20 16:41 ` Dominick Grift 2017-12-20 16:44 ` Chris PeBenito 0 siblings, 2 replies; 8+ messages in thread 
From: Dominick Grift @ 2017-12-20 16:33 UTC (permalink / raw) To: refpolicy On Sun, Dec 17, 2017 at 03:33:12PM -0500, Chris PeBenito via refpolicy wrote: > On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote: > > On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote: > >> systemd defines in /usr/lib/systemd several directories which can > >> contain scripts or executable files: > >> - system-environment-generators/ and user-environment-generators/ > >> documented in > >> https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html > >> - system-shutdown/ documented in > >> https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html > >> - system-sleep/ documented in > >> https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html > >> > >> Currently the content of these directories is labelled lib_t, which > >> causes the following AVC on Arch Linux: > >> > >> avc: denied { execute_no_trans } for pid=10308 comm="systemd" > >> path="/usr/lib/systemd/system-environment-generators/10-arch" > >> dev="vda1" ino=543182 scontext=system_u:system_r:init_t > >> tcontext=system_u:object_r:lib_t tclass=file permissive=1 > > > > Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not be what you want. > > > > In my personal policy i created a special type for stuff i want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t. > > > > Then there is basically a rule : allow init_t systemd_helper_exec_t:file execute_no_trans; > > > > Its a matter of taste, subjective. > > I don't think it's as subjective as you think. It keeps init_t from > getting extra permissions over time which PID 1 doesn't need. initrc_t > gets big, yes, but those are short-running processes, while init_t is > long-running. 
Yes except in practice it does not: take: cat /usr/lib/systemd/system-shutdown/mdadm.shutdown #!/bin/sh # We need to ensure all md arrays with external metadata # (e.g. IMSM, DDF) are clean before completing the shutdown. /usr/sbin/mdadm --wait-clean --scan If you run the above in initrc_t then mdadm has free reign, if you run it in init_t then systemd will run mdadm with a domain transition to mdadm_t > > > >> For information /usr/lib/systemd/system-environment-generators/10-arch > >> only defines $PATH and its content is available on > >> https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem > >> --- > >> policy/modules/kernel/corecommands.fc | 4 ++++ > >> 1 file changed, 4 insertions(+) > >> > >> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc > >> index c2b93ecf5039..f2e4f5118d5f 100644 > >> --- a/policy/modules/kernel/corecommands.fc > >> +++ b/policy/modules/kernel/corecommands.fc 
> >> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',` > >> /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0) > >> /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) > >> /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) > >> +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > >> /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > >> +/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) > >> +/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) > >> +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > >> /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > >> /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) > >> /usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) > > > -- > Chris PeBenito > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171220/6e0d044f/attachment.bin ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t 2017-12-20 16:33 ` Dominick Grift @ 2017-12-20 16:41 ` Dominick Grift 2017-12-20 16:44 ` Chris PeBenito 1 sibling, 0 replies; 8+ messages in thread 
From: Dominick Grift @ 2017-12-20 16:41 UTC (permalink / raw) To: refpolicy On Wed, Dec 20, 2017 at 05:33:23PM +0100, Dominick Grift wrote: > On Sun, Dec 17, 2017 at 03:33:12PM -0500, Chris PeBenito via refpolicy wrote: > > On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote: > > > On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote: > > >> systemd defines in /usr/lib/systemd several directories which can > > >> contain scripts or executable files: > > >> - system-environment-generators/ and user-environment-generators/ > > >> documented in > > >> https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html > > >> - system-shutdown/ documented in > > >> https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html > > >> - system-sleep/ documented in > > >> https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html > > >> > > >> Currently the content of these directories is labelled lib_t, which > > >> causes the following AVC on Arch Linux: > > >> > > >> avc: denied { execute_no_trans } for pid=10308 comm="systemd" > > >> path="/usr/lib/systemd/system-environment-generators/10-arch" > > >> dev="vda1" ino=543182 scontext=system_u:system_r:init_t > > >> tcontext=system_u:object_r:lib_t tclass=file permissive=1 > > > > > > Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not be what you want. > > > > > > In my personal policy i created a special type for stuff i want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t. > > > > > > Then there is basically a rule : allow init_t systemd_helper_exec_t:file execute_no_trans; > > > > > > Its a matter of taste, subjective. > > > > I don't think it's as subjective as you think. It keeps init_t from > > getting extra permissions over time which PID 1 doesn't need. 
initrc_t > > gets big, yes, but those are short-running processes, while init_t is > > long-running. > > Yes except in practice it does not: > > take: > > cat /usr/lib/systemd/system-shutdown/mdadm.shutdown > #!/bin/sh > # We need to ensure all md arrays with external metadata > # (e.g. IMSM, DDF) are clean before completing the shutdown. > /usr/sbin/mdadm --wait-clean --scan > > If you run the above in initrc_t then mdadm has free reign, if you run it in init_t then systemd will run mdadm with a domain transition to mdadm_t Actually 's/systemd/systemd-shutdown/' but in refpolicies case it does not matter since systemd-shutdown_t runs in init_t > > > > > > > >> For information /usr/lib/systemd/system-environment-generators/10-arch > > >> only defines $PATH and its content is available on > > >> https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem > > >> --- > > >> policy/modules/kernel/corecommands.fc | 4 ++++ > > >> 1 file changed, 4 insertions(+) > > >> > > >> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc > > >> index c2b93ecf5039..f2e4f5118d5f 100644 > > >> --- a/policy/modules/kernel/corecommands.fc > > >> +++ b/policy/modules/kernel/corecommands.fc 
> > >> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',` > > >> /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0) > > >> /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) > > >> /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) > > >> +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > > >> /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > > >> +/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) > > >> +/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) > > >> +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > > >> /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > > >> /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) > > >> /usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) > > > > > > -- > > Chris PeBenito > > _______________________________________________ > > refpolicy mailing list > > refpolicy at oss.tresys.com > > http://oss.tresys.com/mailman/listinfo/refpolicy > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171220/ef2ddf77/attachment-0001.bin ^ permalink raw reply [flat|nested] 8+ messages in thread
* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t 2017-12-20 16:33 ` Dominick Grift 2017-12-20 16:41 ` Dominick Grift @ 2017-12-20 16:44 ` Chris PeBenito 2017-12-20 16:56 ` Dominick Grift 1 sibling, 1 reply; 8+ messages in thread From: Chris PeBenito @ 2017-12-20 16:44 UTC (permalink / raw) To: refpolicy On 12/20/2017 11:33 AM, Dominick Grift via refpolicy wrote: > On Sun, Dec 17, 2017 at 03:33:12PM -0500, Chris PeBenito via refpolicy wrote: >> On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote: >>> On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote: >>>> systemd defines in /usr/lib/systemd several directories which can >>>> contain scripts or executable files: >>>> - system-environment-generators/ and user-environment-generators/ >>>> documented in >>>> https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html >>>> - system-shutdown/ documented in >>>> https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html >>>> - system-sleep/ documented in >>>> https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html >>>> >>>> Currently the content of these directories is labelled lib_t, which >>>> causes the following AVC on Arch Linux: >>>> >>>> avc: denied { execute_no_trans } for pid=10308 comm="systemd" >>>> path="/usr/lib/systemd/system-environment-generators/10-arch" >>>> dev="vda1" ino=543182 scontext=system_u:system_r:init_t >>>> tcontext=system_u:object_r:lib_t tclass=file permissive=1 >>> >>> Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not be what you want. >>> >>> In my personal policy i created a special type for stuff i want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t. >>> >>> Then there is basically a rule : allow init_t systemd_helper_exec_t:file execute_no_trans; >>> >>> Its a matter of taste, subjective. 
>>
>> I don't think it's as subjective as you think. It keeps init_t from
>> getting extra permissions over time which PID 1 doesn't need. initrc_t
>> gets big, yes, but those are short-running processes, while init_t is
>> long-running.
>
> Yes, except in practice it does not:
>
> take:
>
> cat /usr/lib/systemd/system-shutdown/mdadm.shutdown
> #!/bin/sh
> # We need to ensure all md arrays with external metadata
> # (e.g. IMSM, DDF) are clean before completing the shutdown.
> /usr/sbin/mdadm --wait-clean --scan
>
> If you run the above in initrc_t then mdadm has free reign, if you run it in init_t then systemd will run mdadm with a domain transition to mdadm_t

No. The script transitions to initrc_t, and when the script execs
mdadm, that process transitions to mdadm_t.

-- 
Chris PeBenito
* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t 2017-12-20 16:44 ` Chris PeBenito @ 2017-12-20 16:56 ` Dominick Grift 0 siblings, 0 replies; 8+ messages in thread From: Dominick Grift @ 2017-12-20 16:56 UTC (permalink / raw) To: refpolicy On Wed, Dec 20, 2017 at 11:44:59AM -0500, Chris PeBenito via refpolicy wrote: > On 12/20/2017 11:33 AM, Dominick Grift via refpolicy wrote: > > On Sun, Dec 17, 2017 at 03:33:12PM -0500, Chris PeBenito via refpolicy wrote: > >> On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote: > >>> On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote: > >>>> systemd defines in /usr/lib/systemd several directories which can > >>>> contain scripts or executable files: > >>>> - system-environment-generators/ and user-environment-generators/ > >>>> documented in > >>>> https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html > >>>> - system-shutdown/ documented in > >>>> https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html > >>>> - system-sleep/ documented in > >>>> https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html > >>>> > >>>> Currently the content of these directories is labelled lib_t, which > >>>> causes the following AVC on Arch Linux: > >>>> > >>>> avc: denied { execute_no_trans } for pid=10308 comm="systemd" > >>>> path="/usr/lib/systemd/system-environment-generators/10-arch" > >>>> dev="vda1" ino=543182 scontext=system_u:system_r:init_t > >>>> tcontext=system_u:object_r:lib_t tclass=file permissive=1 > >>> > >>> Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not be what you want. > >>> > >>> In my personal policy i created a special type for stuff i want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t. 
> >>>
> >>> Then there is basically a rule: allow init_t systemd_helper_exec_t:file execute_no_trans;
> >>>
> >>> It's a matter of taste, subjective.
> >>
> >> I don't think it's as subjective as you think. It keeps init_t from
> >> getting extra permissions over time which PID 1 doesn't need. initrc_t
> >> gets big, yes, but those are short-running processes, while init_t is
> >> long-running.
> >
> > Yes, except in practice it does not:
> >
> > take:
> >
> > cat /usr/lib/systemd/system-shutdown/mdadm.shutdown
> > #!/bin/sh
> > # We need to ensure all md arrays with external metadata
> > # (e.g. IMSM, DDF) are clean before completing the shutdown.
> > /usr/sbin/mdadm --wait-clean --scan
> >
> > If you run the above in initrc_t then mdadm has free reign, if you run it in init_t then systemd will run mdadm with a domain transition to mdadm_t
>
> No. The script transitions to initrc_t, and when the script execs
> mdadm, that process transitions to mdadm_t.

Yes, my bad, I overlooked that part.

>
> -- 
> Chris PeBenito

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
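The two decisions this thread turns on are (1) which file context a path under /usr/lib/systemd ends up with before and after the patch, and (2) which domain systemd lands in when it execs a script with that label, and which domain the script's own child lands in (the init_t to initrc_t to mdadm_t chain Chris describes). The model below is an added example written for this page, not code from refpolicy, libselinux or the kernel. Part 1 simplifies libselinux's file_contexts matching (whole-path regex match, `--` restricts a spec to regular files, the most specific matching spec wins: specs without regex metacharacters beat specs with them, then the longer literal prefix wins, then later file order wins). Part 2 follows the kernel's exec-time decision (a `type_transition` names the new domain and execute, transition and entrypoint must all be allowed; with no transition the caller itself needs `execute_no_trans`). The spec list and the allow rules are a constructed excerpt, and the generic `/usr/lib(/.*)?` lib_t spec stands in for the library entry that labelled these files before the patch; they are not dumped from an installed policy.

```python
"""Model of SELinux file-context matching and exec-time domain selection.

Added example for this thread, not refpolicy or libselinux code. The spec
list and allow rules below are constructed for illustration only.
"""
import re

META = set('.^$?*+|[](){}\\')

# (regex, file-type field or None, type). Constructed excerpt; the generic
# /usr/lib(/.*)? lib_t spec stands in for the library entry that labelled
# the systemd hook scripts before the patch.
FC_BEFORE = [
    (r'/usr/lib(/.*)?', None, 'lib_t'),
    (r'/usr/lib/systemd/systemd.*', '--', 'bin_t'),
    (r'/usr/lib/systemd/system-generators(/.*)?', None, 'bin_t'),
]
# The system-side specs the patch adds.
FC_PATCHED = FC_BEFORE + [
    (r'/usr/lib/systemd/system-environment-generators(/.*)?', None, 'bin_t'),
    (r'/usr/lib/systemd/system-shutdown(/.*)?', None, 'bin_t'),
    (r'/usr/lib/systemd/system-sleep(/.*)?', None, 'bin_t'),
]


def _literal_prefix_len(regex):
    """Length of the literal prefix before the first regex metacharacter."""
    for i, ch in enumerate(regex):
        if ch in META:
            return i
    return len(regex)


def match_context(specs, path, is_regular_file=True):
    """Type assigned by the most specific matching spec, or None."""
    best = None
    for order, (regex, ftype, label) in enumerate(specs):
        if ftype == '--' and not is_regular_file:
            continue
        if not re.fullmatch(regex, path):
            continue
        has_meta = any(ch in META for ch in regex)
        # Larger tuple = more specific; a later identical spec wins ties.
        key = (not has_meta, _literal_prefix_len(regex), order)
        if best is None or key > best[0]:
            best = (key, label)
    return best[1] if best else None


# Constructed allow rules as (source, target, class, permission).
ALLOW = {
    ('init_t', 'lib_t', 'file', 'execute'),          # but no execute_no_trans
    ('init_t', 'bin_t', 'file', 'execute'),
    ('init_t', 'initrc_t', 'process', 'transition'),
    ('initrc_t', 'bin_t', 'file', 'entrypoint'),
    ('initrc_t', 'mdadm_exec_t', 'file', 'execute'),
    ('initrc_t', 'mdadm_t', 'process', 'transition'),
    ('mdadm_t', 'mdadm_exec_t', 'file', 'entrypoint'),
}
# type_transition <source> <target>:process <new domain>
TYPE_TRANSITION = {
    ('init_t', 'bin_t'): 'initrc_t',
    ('initrc_t', 'mdadm_exec_t'): 'mdadm_t',
}


def resolve_exec(domain, file_type):
    """Domain reached when `domain` execs a `file_type` file.

    Returns (new_domain, None) on success, or (None, denial) naming the
    first missing permission in the order the kernel checks them.
    """
    if (domain, file_type, 'file', 'execute') not in ALLOW:
        return None, f'{domain} {file_type}:file execute'
    new = TYPE_TRANSITION.get((domain, file_type))
    if new is None:  # no transition: the caller must run it in place
        if (domain, file_type, 'file', 'execute_no_trans') in ALLOW:
            return domain, None
        return None, f'{domain} {file_type}:file execute_no_trans'
    for src, tgt, cls, perm in ((domain, new, 'process', 'transition'),
                                (new, file_type, 'file', 'entrypoint')):
        if (src, tgt, cls, perm) not in ALLOW:
            return None, f'{src} {tgt}:{cls} {perm}'
    return new, None


def run_hook(specs, script_path, helper_type, start='init_t'):
    """Simulate systemd (in `start`) running a hook script that then execs
    a helper labelled `helper_type`; returns (domain chain, first denial)."""
    chain = [start]
    for ftype in (match_context(specs, script_path), helper_type):
        new, denied = resolve_exec(chain[-1], ftype)
        if denied:
            return chain, denied
        chain.append(new)
    return chain, None


if __name__ == '__main__':
    hook = '/usr/lib/systemd/system-shutdown/mdadm.shutdown'
    for name, specs in (('before', FC_BEFORE), ('patched', FC_PATCHED)):
        print(name, match_context(specs, hook),
              run_hook(specs, hook, 'mdadm_exec_t'))
```

With FC_BEFORE the script resolves to lib_t and the walk stops at init_t with the same `execute_no_trans` denial as the AVC in the commit message; with FC_PATCHED it resolves to bin_t and the chain is init_t, initrc_t, mdadm_t, which is the outcome Chris states. On a real system the equivalent checks are `matchpathcon` (or `restorecon -nv`) for part 1 and `sesearch -T -s init_t -t bin_t -c process` for part 2.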
* [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t 2017-12-15 21:48 [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t Nicolas Iooss 2017-12-16 10:00 ` Dominick Grift @ 2017-12-17 20:29 ` Chris PeBenito 1 sibling, 0 replies; 8+ messages in thread From: Chris PeBenito @ 2017-12-17 20:29 UTC (permalink / raw) To: refpolicy On 12/15/2017 04:48 PM, Nicolas Iooss via refpolicy wrote: > systemd defines in /usr/lib/systemd several directories which can > contain scripts or executable files: > - system-environment-generators/ and user-environment-generators/ > documented in > https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html > - system-shutdown/ documented in > https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html > - system-sleep/ documented in > https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html > > Currently the content of these directories is labelled lib_t, which > causes the following AVC on Arch Linux: > > avc: denied { execute_no_trans } for pid=10308 comm="systemd" > path="/usr/lib/systemd/system-environment-generators/10-arch" > dev="vda1" ino=543182 scontext=system_u:system_r:init_t > tcontext=system_u:object_r:lib_t tclass=file permissive=1 > > For information /usr/lib/systemd/system-environment-generators/10-arch > only defines $PATH and its content is available on > https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem > --- > policy/modules/kernel/corecommands.fc | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc > index c2b93ecf5039..f2e4f5118d5f 100644 > --- a/policy/modules/kernel/corecommands.fc > +++ b/policy/modules/kernel/corecommands.fc 
> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',` > /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) > /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) Merged. -- Chris PeBenito ^ permalink raw reply [flat|nested] 8+ messages in thread