SELinux Archive on lore.kernel.org
 help / color / Atom feed
* Odd systemd source context for non pid 1 process
@ 2019-11-05 19:02 Christian Göttsche
  2019-11-05 19:19 ` Stephen Smalley
  0 siblings, 1 reply; 5+ messages in thread
From: Christian Göttsche @ 2019-11-05 19:02 UTC (permalink / raw)
  To: selinux

While trying out a custom SELinux policy for systemd, some denials
during system boot seem odd to me.
systemd pid 1 runs as systemd_t and has no execute_no_trans permissions.
The system runs in enforced mode, but systemd_t is currently a
permissive domain.
For debug purpose `auditallow systemd_t domain:process2 {
nnp_transition nosuid_transition };` is active.


<<<<<<<< log snippets

/var/log/messages

Nov  5 19:45:44 debian-test kernel: [    8.224135] audit: type=1400
audit(1572979544.695:7): avc:  denied  { create } for  pid=446
comm="(imesyncd)" name="timesync"
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
permissive=1
Nov  5 19:45:44 debian-test kernel: [    8.225640] audit: type=1400
audit(1572979544.695:8): avc:  denied  { setattr } for  pid=446
comm="(imesyncd)" name="timesync" dev="tmpfs" ino=13506
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
permissive=1
Nov  5 19:45:44 debian-test kernel: [    8.227405] audit: type=1400
audit(1572979544.695:9): avc:  denied  { read } for  pid=446
comm="(imesyncd)" name="timesync" dev="tmpfs" ino=13506
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
permissive=1
Nov  5 19:45:44 debian-test kernel: [    8.229030] audit: type=1400
audit(1572979544.695:10): avc:  denied  { open } for  pid=446
comm="(imesyncd)" path="/run/systemd/timesync" dev="tmpfs" ino=13506
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
permissive=1
Nov  5 19:45:44 debian-test kernel: [    8.229032] audit: type=1400
audit(1572979544.695:11): avc:  denied  { getattr } for  pid=446
comm="(imesyncd)" path="/run/systemd/timesync" dev="tmpfs" ino=13506
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
permissive=1
Nov  5 19:45:44 debian-test kernel: [    8.235688] audit: type=1400
audit(1572979544.707:12): avc:  denied  { mounton } for  pid=446
comm="(imesyncd)" path="/run/systemd/unit-root/run/systemd/timesync"
dev="tmpfs" ino=13506 scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
permissive=1


ausearch -m avc,user_avc,selinux_err -i

----
type=AVC msg=audit(11/05/19 19:45:44.887:22) : avc:  granted  {
nnp_transition } for  pid=446 comm=(imesyncd)
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:system_r:systemd_timesyncd_t:s0 tclass=process2
----
type=PROCTITLE msg=audit(11/05/19 19:45:44.907:25) : proctitle=(crub_all)
type=SYSCALL msg=audit(11/05/19 19:45:44.907:25) : arch=x86_64
syscall=sched_setscheduler success=yes exit=0 a0=0x0 a1=SCHED_IDLE
a2=0x7ffd35f38f50 a3=0x7ffd35f38f38 items=0 ppid=1 pid=475 auid=unset
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=(none) ses=unset comm=(crub_all)
exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0
key=(null)
type=AVC msg=audit(11/05/19 19:45:44.907:25) : avc:  denied  {
setsched } for  pid=475 comm=(crub_all)
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:system_r:systemd_t:s0 tclass=process permissive=1
----
type=PROCTITLE msg=audit(11/05/19 19:45:44.907:26) : proctitle=(crub_all)
type=SYSCALL msg=audit(11/05/19 19:45:44.907:26) : arch=x86_64
syscall=fcntl success=yes exit=0 a0=0x34 a1=F_SETLKW a2=0x7ffd35f38df0
a3=0x0 items=0 ppid=1 pid=475 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
ses=unset comm=(crub_all) exe=/usr/lib/systemd/systemd
subj=system_u:system_r:systemd_t:s0 key=(null)
type=AVC msg=audit(11/05/19 19:45:44.907:26) : avc:  denied  { lock }
for  pid=475 comm=(crub_all) path=socket:[13561] dev="sockfs"
ino=13561 scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:system_r:systemd_t:s0 tclass=unix_dgram_socket
permissive=1
----
type=PROCTITLE msg=audit(11/05/19 19:45:44.911:27) : proctitle=(crub_all)
type=PATH msg=audit(11/05/19 19:45:44.911:27) : item=0
name=/proc/self/ns/net inode=4026532232 dev=00:04 mode=file,444
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0
nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=CWD msg=audit(11/05/19 19:45:44.911:27) : cwd=/
type=SYSCALL msg=audit(11/05/19 19:45:44.911:27) : arch=x86_64
syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x55e784768331
a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=475
auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
sgid=root fsgid=root tty=(none) ses=unset comm=(crub_all)
exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0
key=(null)
type=AVC msg=audit(11/05/19 19:45:44.911:27) : avc:  denied  { open }
for  pid=475 comm=(crub_all) path=net:[4026532232] dev="nsfs"
ino=4026532232 scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
type=AVC msg=audit(11/05/19 19:45:44.911:27) : avc:  denied  { read }
for  pid=475 comm=(crub_all) dev="nsfs" ino=4026532232
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
----
type=PROCTITLE msg=audit(11/05/19 19:45:44.915:29) : proctitle=(crub_all)
type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=2
name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=1 name=/bin/bash
inode=263600 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00
obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none
cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=0
name=/sbin/e2scrub_all inode=263379 dev=08:01 mode=file,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:fsadm_exec_t:s0
nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=CWD msg=audit(11/05/19 19:45:44.915:29) : cwd=/
type=EXECVE msg=audit(11/05/19 19:45:44.915:29) : argc=4 a0=/bin/bash
a1=/sbin/e2scrub_all a2=-A a3=-r
type=SYSCALL msg=audit(11/05/19 19:45:44.915:29) : arch=x86_64
syscall=execve success=yes exit=0 a0=0x55e784f70b40 a1=0x55e78504dde0
a2=0x55e78502a200 a3=0x55e784f71240 items=3 ppid=1 pid=475 auid=unset
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=(none) ses=unset comm=e2scrub_all exe=/usr/bin/bash
subj=system_u:system_r:fsadm_t:s0 key=(null)
type=AVC msg=audit(11/05/19 19:45:44.915:29) : avc:  granted  {
nnp_transition } for  pid=475 comm=(crub_all)
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:system_r:fsadm_t:s0 tclass=process2
----
type=PROCTITLE msg=audit(11/05/19 19:45:44.935:31) : proctitle=(d-logind)
type=PATH msg=audit(11/05/19 19:45:44.935:31) : item=1
name=/run/systemd/inhibit inode=14807 dev=00:15 mode=dir,755 ouid=root
ogid=root rdev=00:00
obj=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=PATH msg=audit(11/05/19 19:45:44.935:31) : item=0
name=/run/systemd/ inode=11588 dev=00:15 mode=dir,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:systemd_runtime_t:s0
nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=CWD msg=audit(11/05/19 19:45:44.935:31) : cwd=/
type=SYSCALL msg=audit(11/05/19 19:45:44.935:31) : arch=x86_64
syscall=mkdir success=yes exit=0 a0=0x55e784f6aeb0 a1=0755 a2=0x0
a3=0x7 items=2 ppid=1 pid=481 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
ses=unset comm=(d-logind) exe=/usr/lib/systemd/systemd
subj=system_u:system_r:systemd_t:s0 key=(null)
type=AVC msg=audit(11/05/19 19:45:44.935:31) : avc:  denied  { create
} for  pid=481 comm=(d-logind) name=inhibit
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
tclass=dir permissive=1
----
type=PROCTITLE msg=audit(11/05/19 19:45:44.959:35) :
proctitle=/usr/sbin/vnstatd -n
type=PATH msg=audit(11/05/19 19:45:44.959:35) : item=1
name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=PATH msg=audit(11/05/19 19:45:44.959:35) : item=0
name=/usr/sbin/vnstatd inode=262216 dev=08:01 mode=file,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:vnstatd_exec_t:s0
nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=CWD msg=audit(11/05/19 19:45:44.959:35) : cwd=/
type=EXECVE msg=audit(11/05/19 19:45:44.959:35) : argc=2
a0=/usr/sbin/vnstatd a1=-n
type=SYSCALL msg=audit(11/05/19 19:45:44.959:35) : arch=x86_64
syscall=execve success=yes exit=0 a0=0x55e784fe5500 a1=0x55e78500df40
a2=0x55e78501ae70 a3=0x55e784fe5580 items=2 ppid=1 pid=476 auid=unset
uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat
sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd
exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)
type=AVC msg=audit(11/05/19 19:45:44.959:35) : avc:  granted  {
nnp_transition } for  pid=476 comm=(vnstatd)
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:system_r:vnstatd_t:s0 tclass=process2
----
type=PROCTITLE msg=audit(11/05/19 19:45:45.099:37) : proctitle=(d-logind)
type=PATH msg=audit(11/05/19 19:45:45.099:37) : item=1
name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=PATH msg=audit(11/05/19 19:45:45.099:37) : item=0
name=/lib/systemd/systemd-logind inode=268205 dev=08:01 mode=file,755
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:systemd_logind_exec_t:s0 nametype=NORMAL
cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/05/19 19:45:45.099:37) : cwd=/
type=EXECVE msg=audit(11/05/19 19:45:45.099:37) : argc=1
a0=/lib/systemd/systemd-logind
type=BPRM_FCAPS msg=audit(11/05/19 19:45:45.099:37) : fver=0 fp=none
fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
old_pi=none old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
old_pa=none pp=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
pi=none pe=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
pa=none frootid=0
type=SYSCALL msg=audit(11/05/19 19:45:45.099:37) : arch=x86_64
syscall=execve success=yes exit=0 a0=0x55e784fb9a40 a1=0x55e785050a20
a2=0x55e78502e650 a3=0x55e784fb9840 items=2 ppid=1 pid=481 auid=unset
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=(none) ses=unset comm=systemd-logind
exe=/usr/lib/systemd/systemd-logind
subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(11/05/19 19:45:45.099:37) : avc:  granted  {
nnp_transition } for  pid=481 comm=(d-logind)
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process2

>>>>>>>> log snippets


Somehow the source context is systemd_t, while the pid is not 1 (and
the proctitle is not systemd).
Is maybe the context transition in the `nnp_transition` case delayed?

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Odd systemd source context for non pid 1 process
  2019-11-05 19:02 Odd systemd source context for non pid 1 process Christian Göttsche
@ 2019-11-05 19:19 ` Stephen Smalley
  2019-11-06 16:42   ` Christian Göttsche
  0 siblings, 1 reply; 5+ messages in thread
From: Stephen Smalley @ 2019-11-05 19:19 UTC (permalink / raw)
  To: Christian Göttsche, selinux

On 11/5/19 2:02 PM, Christian Göttsche wrote:
> While trying out a custom SELinux policy for systemd, some denials
> during system boot seem odd to me.
> systemd pid 1 runs as systemd_t and has no execute_no_trans permissions.
> The system runs in enforced mode, but systemd_t is currently a
> permissive domain.
> For debug purpose `auditallow systemd_t domain:process2 {
> nnp_transition nosuid_transition };` is active.
> 
> 
> <<<<<<<< log snippets
> 
> /var/log/messages
> 
> Nov  5 19:45:44 debian-test kernel: [    8.224135] audit: type=1400
> audit(1572979544.695:7): avc:  denied  { create } for  pid=446
> comm="(imesyncd)" name="timesync"
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> Nov  5 19:45:44 debian-test kernel: [    8.225640] audit: type=1400
> audit(1572979544.695:8): avc:  denied  { setattr } for  pid=446
> comm="(imesyncd)" name="timesync" dev="tmpfs" ino=13506
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> Nov  5 19:45:44 debian-test kernel: [    8.227405] audit: type=1400
> audit(1572979544.695:9): avc:  denied  { read } for  pid=446
> comm="(imesyncd)" name="timesync" dev="tmpfs" ino=13506
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> Nov  5 19:45:44 debian-test kernel: [    8.229030] audit: type=1400
> audit(1572979544.695:10): avc:  denied  { open } for  pid=446
> comm="(imesyncd)" path="/run/systemd/timesync" dev="tmpfs" ino=13506
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> Nov  5 19:45:44 debian-test kernel: [    8.229032] audit: type=1400
> audit(1572979544.695:11): avc:  denied  { getattr } for  pid=446
> comm="(imesyncd)" path="/run/systemd/timesync" dev="tmpfs" ino=13506
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> Nov  5 19:45:44 debian-test kernel: [    8.235688] audit: type=1400
> audit(1572979544.707:12): avc:  denied  { mounton } for  pid=446
> comm="(imesyncd)" path="/run/systemd/unit-root/run/systemd/timesync"
> dev="tmpfs" ino=13506 scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_timesyncd_runtime_t:s0 tclass=dir
> permissive=1
> 
> 
> ausearch -m avc,user_avc,selinux_err -i
> 
> ----
> type=AVC msg=audit(11/05/19 19:45:44.887:22) : avc:  granted  {
> nnp_transition } for  pid=446 comm=(imesyncd)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:systemd_timesyncd_t:s0 tclass=process2
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.907:25) : proctitle=(crub_all)
> type=SYSCALL msg=audit(11/05/19 19:45:44.907:25) : arch=x86_64
> syscall=sched_setscheduler success=yes exit=0 a0=0x0 a1=SCHED_IDLE
> a2=0x7ffd35f38f50 a3=0x7ffd35f38f38 items=0 ppid=1 pid=475 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=(crub_all)
> exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0
> key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.907:25) : avc:  denied  {
> setsched } for  pid=475 comm=(crub_all)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:systemd_t:s0 tclass=process permissive=1
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.907:26) : proctitle=(crub_all)
> type=SYSCALL msg=audit(11/05/19 19:45:44.907:26) : arch=x86_64
> syscall=fcntl success=yes exit=0 a0=0x34 a1=F_SETLKW a2=0x7ffd35f38df0
> a3=0x0 items=0 ppid=1 pid=475 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=(crub_all) exe=/usr/lib/systemd/systemd
> subj=system_u:system_r:systemd_t:s0 key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.907:26) : avc:  denied  { lock }
> for  pid=475 comm=(crub_all) path=socket:[13561] dev="sockfs"
> ino=13561 scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:systemd_t:s0 tclass=unix_dgram_socket
> permissive=1
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.911:27) : proctitle=(crub_all)
> type=PATH msg=audit(11/05/19 19:45:44.911:27) : item=0
> name=/proc/self/ns/net inode=4026532232 dev=00:04 mode=file,444
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:nsfs_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=CWD msg=audit(11/05/19 19:45:44.911:27) : cwd=/
> type=SYSCALL msg=audit(11/05/19 19:45:44.911:27) : arch=x86_64
> syscall=openat success=yes exit=3 a0=0xffffff9c a1=0x55e784768331
> a2=O_RDONLY|O_NOCTTY|O_CLOEXEC a3=0x0 items=1 ppid=1 pid=475
> auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root
> sgid=root fsgid=root tty=(none) ses=unset comm=(crub_all)
> exe=/usr/lib/systemd/systemd subj=system_u:system_r:systemd_t:s0
> key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.911:27) : avc:  denied  { open }
> for  pid=475 comm=(crub_all) path=net:[4026532232] dev="nsfs"
> ino=4026532232 scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
> type=AVC msg=audit(11/05/19 19:45:44.911:27) : avc:  denied  { read }
> for  pid=475 comm=(crub_all) dev="nsfs" ino=4026532232
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:nsfs_t:s0 tclass=file permissive=1
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.915:29) : proctitle=(crub_all)
> type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=2
> name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=1 name=/bin/bash
> inode=263600 dev=08:01 mode=file,755 ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=none
> cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=PATH msg=audit(11/05/19 19:45:44.915:29) : item=0
> name=/sbin/e2scrub_all inode=263379 dev=08:01 mode=file,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:fsadm_exec_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=CWD msg=audit(11/05/19 19:45:44.915:29) : cwd=/
> type=EXECVE msg=audit(11/05/19 19:45:44.915:29) : argc=4 a0=/bin/bash
> a1=/sbin/e2scrub_all a2=-A a3=-r
> type=SYSCALL msg=audit(11/05/19 19:45:44.915:29) : arch=x86_64
> syscall=execve success=yes exit=0 a0=0x55e784f70b40 a1=0x55e78504dde0
> a2=0x55e78502a200 a3=0x55e784f71240 items=3 ppid=1 pid=475 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=e2scrub_all exe=/usr/bin/bash
> subj=system_u:system_r:fsadm_t:s0 key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.915:29) : avc:  granted  {
> nnp_transition } for  pid=475 comm=(crub_all)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:fsadm_t:s0 tclass=process2
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.935:31) : proctitle=(d-logind)
> type=PATH msg=audit(11/05/19 19:45:44.935:31) : item=1
> name=/run/systemd/inhibit inode=14807 dev=00:15 mode=dir,755 ouid=root
> ogid=root rdev=00:00
> obj=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
> nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/05/19 19:45:44.935:31) : item=0
> name=/run/systemd/ inode=11588 dev=00:15 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:systemd_runtime_t:s0
> nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=CWD msg=audit(11/05/19 19:45:44.935:31) : cwd=/
> type=SYSCALL msg=audit(11/05/19 19:45:44.935:31) : arch=x86_64
> syscall=mkdir success=yes exit=0 a0=0x55e784f6aeb0 a1=0755 a2=0x0
> a3=0x7 items=2 ppid=1 pid=481 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=(d-logind) exe=/usr/lib/systemd/systemd
> subj=system_u:system_r:systemd_t:s0 key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.935:31) : avc:  denied  { create
> } for  pid=481 comm=(d-logind) name=inhibit
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
> tclass=dir permissive=1
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:44.959:35) :
> proctitle=/usr/sbin/vnstatd -n
> type=PATH msg=audit(11/05/19 19:45:44.959:35) : item=1
> name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/05/19 19:45:44.959:35) : item=0
> name=/usr/sbin/vnstatd inode=262216 dev=08:01 mode=file,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:vnstatd_exec_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=CWD msg=audit(11/05/19 19:45:44.959:35) : cwd=/
> type=EXECVE msg=audit(11/05/19 19:45:44.959:35) : argc=2
> a0=/usr/sbin/vnstatd a1=-n
> type=SYSCALL msg=audit(11/05/19 19:45:44.959:35) : arch=x86_64
> syscall=execve success=yes exit=0 a0=0x55e784fe5500 a1=0x55e78500df40
> a2=0x55e78501ae70 a3=0x55e784fe5580 items=2 ppid=1 pid=476 auid=unset
> uid=vnstat gid=vnstat euid=vnstat suid=vnstat fsuid=vnstat egid=vnstat
> sgid=vnstat fsgid=vnstat tty=(none) ses=unset comm=vnstatd
> exe=/usr/sbin/vnstatd subj=system_u:system_r:vnstatd_t:s0 key=(null)
> type=AVC msg=audit(11/05/19 19:45:44.959:35) : avc:  granted  {
> nnp_transition } for  pid=476 comm=(vnstatd)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:vnstatd_t:s0 tclass=process2
> ----
> type=PROCTITLE msg=audit(11/05/19 19:45:45.099:37) : proctitle=(d-logind)
> type=PATH msg=audit(11/05/19 19:45:45.099:37) : item=1
> name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/05/19 19:45:45.099:37) : item=0
> name=/lib/systemd/systemd-logind inode=268205 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:systemd_logind_exec_t:s0 nametype=NORMAL
> cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(11/05/19 19:45:45.099:37) : cwd=/
> type=EXECVE msg=audit(11/05/19 19:45:45.099:37) : argc=1
> a0=/lib/systemd/systemd-logind
> type=BPRM_FCAPS msg=audit(11/05/19 19:45:45.099:37) : fver=0 fp=none
> fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
> old_pi=none old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
> old_pa=none pp=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
> pi=none pe=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
> pa=none frootid=0
> type=SYSCALL msg=audit(11/05/19 19:45:45.099:37) : arch=x86_64
> syscall=execve success=yes exit=0 a0=0x55e784fb9a40 a1=0x55e785050a20
> a2=0x55e78502e650 a3=0x55e784fb9840 items=2 ppid=1 pid=481 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=systemd-logind
> exe=/usr/lib/systemd/systemd-logind
> subj=system_u:system_r:systemd_logind_t:s0 key=(null)
> type=AVC msg=audit(11/05/19 19:45:45.099:37) : avc:  granted  {
> nnp_transition } for  pid=481 comm=(d-logind)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process2
> 
>>>>>>>>> log snippets
> 
> 
> Somehow the source context is systemd_t, while the pid is not 1 (and
> the proctitle is not systemd).
> Is maybe the context transition in the `nnp_transition` case delayed?

No.  Not sure what it is that you are seeing.  Maybe auditallow 
execute_no_trans or double check that your policy isn't allowing it 
(e.g. sesearch -A -s systemd_t -p execute_no_trans)





^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Odd systemd source context for non pid 1 process
  2019-11-05 19:19 ` Stephen Smalley
@ 2019-11-06 16:42   ` Christian Göttsche
  2019-11-06 16:48     ` Dominick Grift
  0 siblings, 1 reply; 5+ messages in thread
From: Christian Göttsche @ 2019-11-06 16:42 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: selinux

> No.  Not sure what it is that you are seeing.  Maybe auditallow
> execute_no_trans or double check that your policy isn't allowing it
> (e.g. sesearch -A -s systemd_t -p execute_no_trans)

No execute_no_trans are logged (with an auditallow rule).
There is actually one execute_no_trans over itself (systemd_exec_t --
/usr/lib/systemd/systemd).
So systemd might re-exec or fork to get another pid.
But the pid in the denials is, in the case of systemd-logind, the
final pid of that daemon.

Also in the audit logs, the odd denial (e.g. 11/06/19 17:31:39.298:30)
is prior to the nnp_transition info (e.g. 11/06/19 17:31:39.466:35).


<<<<<<<< log snippets

$ ps -efZ | grep logind
system_u:system_r:systemd_logind_t:s0 root 478     1  0 17:31 ?
00:00:00 /lib/systemd/systemd-logind

type=PROCTITLE msg=audit(11/06/19 17:31:39.298:30) : proctitle=(d-logind)
type=PATH msg=audit(11/06/19 17:31:39.298:30) : item=1
name=/run/systemd/inhibit inode=14431 dev=00:15 mode=dir,755 ouid=root
ogid=root rdev=00:00
obj=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=PATH msg=audit(11/06/19 17:31:39.298:30) : item=0
name=/run/systemd/ inode=10008 dev=00:15 mode=dir,755 ouid=root
ogid=root rdev=00:00 obj=system_u:object_r:systemd_runtime_t:s0
nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=CWD msg=audit(11/06/19 17:31:39.298:30) : cwd=/
type=SYSCALL msg=audit(11/06/19 17:31:39.298:30) : arch=x86_64
syscall=mkdir success=yes exit=0 a0=0x559af6611a00 a1=0755 a2=0x0
a3=0x7 items=2 ppid=1 pid=478 auid=unset uid=root gid=root euid=root
suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
ses=unset comm=(d-logind) exe=/usr/lib/systemd/systemd
subj=system_u:system_r:systemd_t:s0 key=(null)
type=AVC msg=audit(11/06/19 17:31:39.298:30) : avc:  denied  { create
} for  pid=478 comm=(d-logind) name=inhibit
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
tclass=dir permissive=1

.. later...

type=PROCTITLE msg=audit(11/06/19 17:31:39.466:35) : proctitle=(d-logind)
type=PATH msg=audit(11/06/19 17:31:39.466:35) : item=1
name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
cap_frootid=0
type=PATH msg=audit(11/06/19 17:31:39.466:35) : item=0
name=/lib/systemd/systemd-logind inode=268205 dev=08:01 mode=file,755
ouid=root ogid=root rdev=00:00
obj=system_u:object_r:systemd_logind_exec_t:s0 nametype=NORMAL
cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(11/06/19 17:31:39.466:35) : cwd=/
type=EXECVE msg=audit(11/06/19 17:31:39.466:35) : argc=1
a0=/lib/systemd/systemd-logind
type=BPRM_FCAPS msg=audit(11/06/19 17:31:39.466:35) : fver=0 fp=none
fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
old_pi=none old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
old_pa=none pp=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
pi=none pe=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
pa=none frootid=0
type=SYSCALL msg=audit(11/06/19 17:31:39.466:35) : arch=x86_64
syscall=execve success=yes exit=0 a0=0x559af6603750 a1=0x559af66ad680
a2=0x559af6690250 a3=0x559af66035c0 items=2 ppid=1 pid=478 auid=unset
uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
fsgid=root tty=(none) ses=unset comm=systemd-logind
exe=/usr/lib/systemd/systemd-logind
subj=system_u:system_r:systemd_logind_t:s0 key=(null)
type=AVC msg=audit(11/06/19 17:31:39.466:35) : avc:  granted  {
nnp_transition } for  pid=478 comm=(d-logind)
scontext=system_u:system_r:systemd_t:s0
tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process2


>>>>>>>> log snippets

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Odd systemd source context for non pid 1 process
  2019-11-06 16:42   ` Christian Göttsche
@ 2019-11-06 16:48     ` Dominick Grift
  2019-11-07 16:26       ` Christian Göttsche
  0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2019-11-06 16:48 UTC (permalink / raw)
  To: Christian Göttsche; +Cc: Stephen Smalley, selinux

[-- Attachment #1: Type: text/plain, Size: 5320 bytes --]

On Wed, Nov 06, 2019 at 05:42:35PM +0100, Christian Göttsche wrote:
> > No.  Not sure what it is that you are seeing.  Maybe auditallow
> > execute_no_trans or double check that your policy isn't allowing it
> > (e.g. sesearch -A -s systemd_t -p execute_no_trans)
> 
> No execute_no_trans are logged (with an auditallow rule).
> There is actually one execute_no_trans over itself (systemd_exec_t --
> /usr/lib/systemd/systemd).
> So systemd might re-exec or fork to get another pid.
> But the pid in the denials is, in the case of systemd-logind, the
> final pid of that daemon.
> 
> Also in the audit logs, the odd denial (e.g. 11/06/19 17:31:39.298:30)
> is prior to the nnp_transition info (e.g. 11/06/19 17:31:39.466:35).
> 

There is a "RuntimeDirectory=systemd/sessions systemd/seats systemd/users systemd/inhibit systemd/shutdown" in systemd-logind.service
That means that systemd will create /run/systemd/inhibit on behalf of systemd-logind

> 
> <<<<<<<< log snippets
> 
> $ ps -efZ | grep logind
> system_u:system_r:systemd_logind_t:s0 root 478     1  0 17:31 ?
> 00:00:00 /lib/systemd/systemd-logind
> 
> type=PROCTITLE msg=audit(11/06/19 17:31:39.298:30) : proctitle=(d-logind)
> type=PATH msg=audit(11/06/19 17:31:39.298:30) : item=1
> name=/run/systemd/inhibit inode=14431 dev=00:15 mode=dir,755 ouid=root
> ogid=root rdev=00:00
> obj=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
> nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/06/19 17:31:39.298:30) : item=0
> name=/run/systemd/ inode=10008 dev=00:15 mode=dir,755 ouid=root
> ogid=root rdev=00:00 obj=system_u:object_r:systemd_runtime_t:s0
> nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=CWD msg=audit(11/06/19 17:31:39.298:30) : cwd=/
> type=SYSCALL msg=audit(11/06/19 17:31:39.298:30) : arch=x86_64
> syscall=mkdir success=yes exit=0 a0=0x559af6611a00 a1=0755 a2=0x0
> a3=0x7 items=2 ppid=1 pid=478 auid=unset uid=root gid=root euid=root
> suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
> ses=unset comm=(d-logind) exe=/usr/lib/systemd/systemd
> subj=system_u:system_r:systemd_t:s0 key=(null)
> type=AVC msg=audit(11/06/19 17:31:39.298:30) : avc:  denied  { create
> } for  pid=478 comm=(d-logind) name=inhibit
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:object_r:systemd_logind_inhibit_runtime_t:s0
> tclass=dir permissive=1
> 
> .. later...
> 
> type=PROCTITLE msg=audit(11/06/19 17:31:39.466:35) : proctitle=(d-logind)
> type=PATH msg=audit(11/06/19 17:31:39.466:35) : item=1
> name=/lib64/ld-linux-x86-64.so.2 inode=263996 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0
> nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> cap_frootid=0
> type=PATH msg=audit(11/06/19 17:31:39.466:35) : item=0
> name=/lib/systemd/systemd-logind inode=268205 dev=08:01 mode=file,755
> ouid=root ogid=root rdev=00:00
> obj=system_u:object_r:systemd_logind_exec_t:s0 nametype=NORMAL
> cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
> type=CWD msg=audit(11/06/19 17:31:39.466:35) : cwd=/
> type=EXECVE msg=audit(11/06/19 17:31:39.466:35) : argc=1
> a0=/lib/systemd/systemd-logind
> type=BPRM_FCAPS msg=audit(11/06/19 17:31:39.466:35) : fver=0 fp=none
> fi=none fe=0 old_pp=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
> old_pi=none old_pe=chown,dac_override,dac_read_search,fowner,fsetid,kill,setgid,setuid,setpcap,linux_immutable,net_bind_service,net_broadcast,net_admin,net_raw,ipc_lock,ipc_owner,sys_module,sys_rawio,sys_chroot,sys_ptrace,sys_pacct,sys_admin,sys_boot,sys_nice,sys_resource,sys_time,sys_tty_config,mknod,lease,audit_write,audit_control,setfcap,mac_override,mac_admin,syslog,wake_alarm,block_suspend,audit_read
> old_pa=none pp=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
> pi=none pe=chown,dac_override,dac_read_search,fowner,linux_immutable,sys_admin,sys_tty_config,audit_control,mac_admin
> pa=none frootid=0
> type=SYSCALL msg=audit(11/06/19 17:31:39.466:35) : arch=x86_64
> syscall=execve success=yes exit=0 a0=0x559af6603750 a1=0x559af66ad680
> a2=0x559af6690250 a3=0x559af66035c0 items=2 ppid=1 pid=478 auid=unset
> uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root
> fsgid=root tty=(none) ses=unset comm=systemd-logind
> exe=/usr/lib/systemd/systemd-logind
> subj=system_u:system_r:systemd_logind_t:s0 key=(null)
> type=AVC msg=audit(11/06/19 17:31:39.466:35) : avc:  granted  {
> nnp_transition } for  pid=478 comm=(d-logind)
> scontext=system_u:system_r:systemd_t:s0
> tcontext=system_u:system_r:systemd_logind_t:s0 tclass=process2
> 
> 
> >>>>>>>> log snippets

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 659 bytes --]

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: Odd systemd source context for non pid 1 process
  2019-11-06 16:48     ` Dominick Grift
@ 2019-11-07 16:26       ` Christian Göttsche
  0 siblings, 0 replies; 5+ messages in thread
From: Christian Göttsche @ 2019-11-07 16:26 UTC (permalink / raw)
  To: selinux

All-clear, nothing was wrong:

* systemd runs in pid 1
* to start a service systemd fork()'s
* child has same SELinux label but different pid
* systemd internally replaces the program name of the child, so the
proctitle is no longer 'systemd' but '(#name of service to start#)',
with these brackets
* after creating the environment, the child exec's into the service
daemon, thereby keeping the pid but changing the SELinux label and the
proctitle (brackets disappear)

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, back to index

Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-05 19:02 Odd systemd source context for non pid 1 process Christian Göttsche
2019-11-05 19:19 ` Stephen Smalley
2019-11-06 16:42   ` Christian Göttsche
2019-11-06 16:48     ` Dominick Grift
2019-11-07 16:26       ` Christian Göttsche

SELinux Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux/0 selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ https://lore.kernel.org/selinux \
		selinux@vger.kernel.org
	public-inbox-index selinux

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git