From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: /run/systemd/inaccessible
References: <6385652.IY5x3zMeex@xev>
Date: Thu, 27 Feb 2020 13:20:49 +0100
In-Reply-To: <6385652.IY5x3zMeex@xev> (Russell Coker's message of "Thu, 27 Feb 2020 21:39:29 +1100")
Message-ID: <87zhd4b4ri.fsf@gmail.com>

Russell Coker writes:

> allow systemd_logind_t init_var_run_t:chr_file write;
>
> audit2allow shows me that the above is attempted on Debian/Unstable. What's
> this inaccessible directory about anyway?

systemd-userruntimedir (245) now also creates it in /run/user/%{USERID}
probably used for InaccessiblePath= directive but I am not sure.

>
> # ls -lZ /run/systemd/inaccessible
> total 0
> b---------. 1 root root system_u:object_r:init_var_run_t:s0 0, 0 Feb 27 13:36 blk
> c---------. 1 root root system_u:object_r:init_var_run_t:s0 0, 0 Feb 27 13:36 chr
> d---------. 2 root root system_u:object_r:init_var_run_t:s0 40 Feb 27 13:36 dir
> p---------. 1 root root system_u:object_r:init_var_run_t:s0 0 Feb 27 13:36 fifo
> ----------. 1 root root system_u:object_r:init_var_run_t:s0 0 Feb 27 13:36 reg
> s---------. 1 root root system_u:object_r:init_var_run_t:s0 0 Feb 27 13:36 sock

-- 
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
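
Added example, not part of the original thread: a small Python script that maps each entry of the quoted `ls -lZ` listing to its SELinux object class and shows which listed node the target of the audit2allow rule (`init_var_run_t:chr_file`) covers. The function names are hypothetical, and the parser assumes file names without spaces.

```python
import re

# ls(1) file-type character -> SELinux object class
LS_TYPE_TO_CLASS = {"-": "file", "d": "dir", "l": "lnk_file", "c": "chr_file",
                    "b": "blk_file", "s": "sock_file", "p": "fifo_file"}

# Rule and listing as quoted in the thread (wrapped ls lines rejoined).
RULE = "allow systemd_logind_t init_var_run_t:chr_file write;"
LS_OUTPUT = """\
total 0
b---------. 1 root root system_u:object_r:init_var_run_t:s0 0, 0 Feb 27 13:36 blk
c---------. 1 root root system_u:object_r:init_var_run_t:s0 0, 0 Feb 27 13:36 chr
d---------. 2 root root system_u:object_r:init_var_run_t:s0 40 Feb 27 13:36 dir
p---------. 1 root root system_u:object_r:init_var_run_t:s0 0 Feb 27 13:36 fifo
----------. 1 root root system_u:object_r:init_var_run_t:s0 0 Feb 27 13:36 reg
s---------. 1 root root system_u:object_r:init_var_run_t:s0 0 Feb 27 13:36 sock
"""

ENTRY_RE = re.compile(r"^(?P<kind>[-dlcbsp])\S{9,10}\s+\d+\s+\S+\s+\S+\s+"
                      r"(?P<context>\S+:\S+:\S+:\S+)\s+.*\s(?P<name>\S+)$")
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{([^}]*)\}|(\S+))\s*;$")

def parse_listing(text):
    """Return (name, object_class, selinux_type) for each `ls -lZ` entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:  # skips "total 0" and blank lines
            se_type = m.group("context").split(":")[2]
            entries.append((m.group("name"), LS_TYPE_TO_CLASS[m.group("kind")], se_type))
    return entries

def parse_rule(rule):
    """Split an allow rule into (source, target, class, set of permissions)."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("not a simple allow rule: %r" % rule)
    source, target, tclass = m.group(1), m.group(2), m.group(3)
    return source, target, tclass, set((m.group(4) or m.group(5)).split())

def matching_entries(rule, listing):
    """Names of listed objects whose type and class the rule's target covers."""
    _, target, tclass, _ = parse_rule(rule)
    return [n for n, c, t in parse_listing(listing) if t == target and c == tclass]

if __name__ == "__main__":
    for name, cls, se_type in parse_listing(LS_OUTPUT):
        print(f"{name:5} {se_type}:{cls}")
    print("rule target matches:", matching_entries(RULE, LS_OUTPUT))
```

Because every node in the directory shares the `init_var_run_t` type, only the object class separates them in policy; the rule's target also covers any other character device labelled `init_var_run_t`, not just the node listed here.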