Return-Path: <SRS0=87Yg=RH=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS autolearn=ham
	autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 6EF93C43381
	for <selinux-refpolicy@archiver.kernel.org>; Mon,  4 Mar 2019 13:59:56 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 3E654206B8
	for <selinux-refpolicy@archiver.kernel.org>; Mon,  4 Mar 2019 13:59:56 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Rp1k/G/z"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726526AbfCDN7z (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Mon, 4 Mar 2019 08:59:55 -0500
Received: from mail-ed1-f65.google.com ([209.85.208.65]:46396 "EHLO
        mail-ed1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726082AbfCDN7z (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Mon, 4 Mar 2019 08:59:55 -0500
Received: by mail-ed1-f65.google.com with SMTP id f2so4305646edy.13
        for <selinux-refpolicy@vger.kernel.org>; Mon, 04 Mar 2019 05:59:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:mail-followup-to:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=57q+0vAVXHYb8uC6hNfu41YKzX2O/u44+xNv+byKBHw=;
        b=Rp1k/G/zq4ILO3e0vOvQCG86lIy16u7tfJZy5Vu05deHBS/lWDVKFId2bjATB2O0eX
         V6+7ZdNbaNZGyuHnSklCA7u3BslsxkJRAF6Q+mEnHaD9N7QiE0u1300Defz9Nnkhq1mA
         24Jo0lJNA5XkBSQUBvvgw8VMk2KR8u1q6p0vPa5B0gJN81OXphso99qaL2GiGj8tCq/t
         D9Z5TtsbcLvqps5mY5/qVqlj56+R9+pYED8fmhda0GedZXeAZsiLAlzbBzKKBSZcxi7X
         d7GClfy7azDC174D+kEbIAmvHpdcsWI8rvv8u0ot9tAFU4S/ytrX3R++oUS67kXOlxY9
         LKOA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id
         :mail-followup-to:references:mime-version:content-disposition
         :in-reply-to:user-agent;
        bh=57q+0vAVXHYb8uC6hNfu41YKzX2O/u44+xNv+byKBHw=;
        b=BtYVvWco7CIESKUuBzpq5PlMVmoOXPvpKkqcFYDOoV9zXDYVbOfI4iG9WsgYR6zwlv
         Qi012ykCnSx3zKWX297E/mOfleUD2hxSlStCTXd/mF0+Lj9GY8VDnMbwDwUzrvWrJ9+B
         lvFvv3y/H0RtpYEw6v7BK0M43kJwD1Isz+v9ErfmNuak+BL8o+hSUcxcEq18Lw3DBQ2p
         rpaB9jopu9faPSg3pWegUEnWvQUhUg4NVGpwR3x2y2FIuenHWq6Fn2+XGX11Z23R27u5
         h3xzaHfLqjVlE+lryAw8e+ELiRItJF4gdYvTz3E8lM8kN8/oyahxHgF2XBDKxjf0Yo4+
         O5tA==
X-Gm-Message-State: APjAAAXWEH7CuO2y0vybKFViZZG/gOE3ZTSsqwVrzq6ZLH8pIL3CFOjM
        mHR7eUT/ZBtMlnXFbBtIlAY=
X-Google-Smtp-Source: APXvYqwM3W99V1HKVliZWJee/aH/rnVWh/uWWFzJusV7TNYr8T68kj3XSYYcEkyFvwx30Kk7vgeuew==
X-Received: by 2002:a17:906:1602:: with SMTP id m2mr12750447ejd.228.1551707993161;
        Mon, 04 Mar 2019 05:59:53 -0800 (PST)
Received: from brutus.lan (brutus.defensec.nl. [2001:985:d55d::438])
        by smtp.gmail.com with ESMTPSA id k15sm2139838eda.22.2019.03.04.05.59.52
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Mon, 04 Mar 2019 05:59:52 -0800 (PST)
Date:   Mon, 4 Mar 2019 14:59:50 +0100
From:   Dominick Grift <dac.override@gmail.com>
To:     Russell Coker <russell@coker.com.au>
Cc:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: Re: strange daemon startup issue
Message-ID: <20190304135950.GA22313@brutus.lan>
Mail-Followup-To: Russell Coker <russell@coker.com.au>,
        "selinux-refpolicy@vger.kernel.org" <selinux-refpolicy@vger.kernel.org>
References: <3166760.egoGarHQ6g@xev>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
        protocol="application/pgp-signature"; boundary="/04w6evG8XlLl3ft"
Content-Disposition: inline
In-Reply-To: <3166760.egoGarHQ6g@xev>
User-Agent: Every email client sucks, this one just sucks less.
X-PGP-Key: https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org


--/04w6evG8XlLl3ft
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Mar 05, 2019 at 12:29:45AM +1100, Russell Coker wrote:
> When I boot kernel 4.9.144 (Debian/Stable kernel) with the Debian policy =
for=20
> Unstable (which isn't very different to the latest Git refpolicy) /usr/sb=
in/
> ModemManager and /usr/sbin/mysqld run as init_t.
>=20
> When I boot the same policy with kernel 4.19.16 (Debian/Testing kernel) t=
hose=20
> daemons run in modemmanager_t and mysqld_t as desired.
>=20
> What is the difference between those kernels which would explain this?  W=
ould=20
> it be some interaction with systemd?  I don't expect anyone to just hand =
me=20
> the answer (although that would be really nice), any clues as to where I=
=20
> should start investigating this would be great.
>=20
> The general aim with Debian SE Linux is that you can run the policy with =
the=20
> kernel from the previous version of Debian.  So this is something I reall=
y=20
> want to fix.

If its the nnp transition polcap then you have some options:

1. easiest is to remove the references to "NoNewPrivileges=3D" in systemd s=
ervice units. Hopefully in these old versions of systemd this directive is =
not implied by other widely used directives.
I recall that back then I got away with this solution, at least untill the =
polcap was introduced.

2. hard and ugly: before the polcap was introduced, NNP was covered with ty=
pe bounds. (see selinux_err messages on older kernels)
This can get ugly really fast though as the NNP flag is inherited. Probably=
 best to avoid this option, but in theory it is possible to address this is=
sue with type bounds.

>=20
> --=20
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
>=20

--=20
Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6B02
Dominick Grift

--/04w6evG8XlLl3ft
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCAAdFiEEujmXliIBLFTc2Y4AJXSOVTf5R2kFAlx9L1IACgkQJXSOVTf5
R2kENgv/V+avduhH1yFphIdXDMrmCHBnxmrsGnrfJWMNH5j7R5xIz96emKV8cBgt
I+ML9lsX0jzhKGsIR1PVV5oNmR2KLNclW38U805iPyrkdGluoAqjJNd4yI0sLYZJ
o0m1+yZ3CJG/uRfN/shs4AxOCy+VEi0vksM6/N+uW4D1oJYCo1E9CE6lWsAFOZJy
1ORXJ/qtiuw7SgCAVRQgG19r53EGKAg/2XsPIBZWSdZwl3IXbuYLbNSeXBxn6toD
aVy7jLtG4vADS1wgTxUTzzVjCtCqmw7/Rv9+vVARhu/LCKQicWsiO49iXaVT0lwa
Q2oU304vfq/olZbYAEU75Fz1SV5Tisg/dhf1ldpRdnOqXSj2CyqJ8msuXgAsHYmf
RNcIMKVq2sFAz5kYPXAg1G5e1D4i3if9ZeUQpOOWOzXOFYrd0bXfhe4LYXzAwGBi
q/+gnoW3XpClgUm0gsZ8Sm9UDnEmnenQLrPOT2JbJcm1QIckN4NqiC4UIHp70OIe
X3k2TzVm
=MvEt
-----END PGP SIGNATURE-----

--/04w6evG8XlLl3ft--