From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: strange daemon startup issue
Date: Mon, 4 Mar 2019 14:59:50 +0100
Message-ID: <20190304135950.GA22313@brutus.lan>
In-Reply-To: <3166760.egoGarHQ6g@xev>
On Tue, Mar 05, 2019 at 12:29:45AM +1100, Russell Coker wrote:
> When I boot kernel 4.9.144 (Debian/Stable kernel) with the Debian policy for
> Unstable (which isn't very different to the latest Git refpolicy) /usr/sbin/
> ModemManager and /usr/sbin/mysqld run as init_t.
>
> When I boot the same policy with kernel 4.19.16 (Debian/Testing kernel) those
> daemons run in modemmanager_t and mysqld_t as desired.
>
> What is the difference between those kernels which would explain this? Would
> it be some interaction with systemd? I don't expect anyone to just hand me
> the answer (although that would be really nice), any clues as to where I
> should start investigating this would be great.
>
> The general aim with Debian SE Linux is that you can run the policy with the
> kernel from the previous version of Debian. So this is something I really
> want to fix.

If it's the nnp transition polcap then you have some options:

1. Easiest is to remove the references to "NoNewPrivileges=" in systemd service units. Hopefully in these old versions of systemd this directive is not implied by other widely used directives.

I recall that back then I got away with this solution, at least until the polcap was introduced.

2. Hard and ugly: before the polcap was introduced, NNP was covered with type bounds (see selinux_err messages on older kernels).

This can get ugly really fast though, as the NNP flag is inherited. Probably best to avoid this option, but in theory it is possible to address this issue with type bounds.
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
>

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
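A triage script for the situation discussed in this thread, added here as an example; it is not code from the list, from Debian or from refpolicy. It checks whether the running kernel and loaded policy have the nnp_nosuid_transition policy capability (the real sysfs node is /sys/fs/selinux/policy_capabilities/nnp_nosuid_transition) and then lists which unit files explicitly set NoNewPrivileges=, which are the units Dominick's option 1 would touch. The kernel behaviour it relies on is that without that capability an execve() under no_new_privs only honours a domain transition when the target type is bounded by the caller's type, otherwise the process stays in the caller's domain (init_t under systemd). The sample unit files are constructed for a self-contained run; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example for this thread (not code from the list or from refpolicy):
# find out which side of the nnp_nosuid_transition gap a host is on.
#
# Kernel behaviour this relies on: without the nnp_nosuid_transition policy
# capability (kernels before 4.14, or a policy that does not declare it),
# execve() under no_new_privs only honours a domain transition when the
# target type is bounded by the caller's type; otherwise the daemon stays in
# the caller's domain, which under systemd is init_t.

# Real sysfs node exported by the kernel for this capability.
POLCAP_FILE=/sys/fs/selinux/policy_capabilities/nnp_nosuid_transition

# Print "enabled", "disabled" or "unsupported" for the capability file given
# as $1 (defaults to the live sysfs node). Always returns 0, so it is safe
# to call under `set -e`.
polcap_state() {
    capfile=${1:-$POLCAP_FILE}
    if [ ! -r "$capfile" ]; then
        echo unsupported      # kernel does not know the capability at all
        return 0
    fi
    case "$(cat "$capfile")" in
        1) echo enabled ;;    # kernel supports it and the loaded policy enables it
        *) echo disabled ;;   # kernel supports it, but the policy does not declare it
    esac
}

# Read a unit file on stdin; print "yes" if its [Service] section sets
# NoNewPrivileges= to a true value, "no" otherwise. A later explicit "no"
# overrides an earlier "yes". Only the explicit directive is detected; other
# directives that imply NNP (as the mail warns) are out of scope here.
unit_sets_nnp() {
    awk '
        /^[[:space:]]*\[/ { section = $0; next }
        section ~ /^\[Service\]/ && /^[[:space:]]*NoNewPrivileges[[:space:]]*=/ {
            split($0, kv, "=")
            v = tolower(kv[2]); gsub(/[[:space:]]/, "", v)
            found = (v == "yes" || v == "true" || v == "1" || v == "on")
        }
        END { print (found ? "yes" : "no") }
    '
}

# Print the basenames of unit files under directory $1 that request NNP.
list_nnp_units() {
    for unit in "$1"/*.service; do
        [ -f "$unit" ] || continue
        [ "$(unit_sets_nnp < "$unit")" = yes ] && basename "$unit"
    done
    return 0
}

# Constructed sample units for a self-contained run (not Debian's real units).
make_sample_units() {
    sampledir=$(mktemp -d)
    cat > "$sampledir/ModemManager.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/ModemManager
NoNewPrivileges=yes
EOF
    cat > "$sampledir/mysql.service" <<'EOF'
[Service]
ExecStart=/usr/sbin/mysqld
NoNewPrivileges = true
EOF
    cat > "$sampledir/plain.service" <<'EOF'
[Service]
ExecStart=/usr/bin/true
NoNewPrivileges=no
EOF
    printf '%s\n' "$sampledir"
}

main() {
    state=$(polcap_state)
    echo "nnp_nosuid_transition policy capability: $state"
    if [ "$state" != enabled ]; then
        echo "units requesting NoNewPrivileges= stay in the caller's domain unless the target type is bounded:"
    fi
    if [ -n "${1:-}" ]; then
        list_nnp_units "$1"           # e.g. /lib/systemd/system
    else
        sampledir=$(make_sample_units)
        list_nnp_units "$sampledir"
        rm -rf "$sampledir"
    fi
}

main "$@"
```

Run it with a unit directory as the first argument to scan a real host, or with no argument to exercise the constructed samples. When the capability reports "enabled", the policy-side fix is to allow the transition explicitly in policy (`allow init_t mysqld_t:process2 nnp_transition;` in kernel policy language, which refpolicy wraps in its `init_nnp_daemon_domain()` interface) rather than editing unit files; when it reports "unsupported" on the older kernel, only the two options in the mail remain.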