Subject: Re: /run/systemd/inaccessible
From: Topi Miettinen
To: Dominick Grift, Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Date: Thu, 27 Feb 2020 20:13:29 +0200
List: selinux-refpolicy@vger.kernel.org

On 27.2.2020 14.20, Dominick Grift wrote:
> Russell Coker writes:
>
>> allow systemd_logind_t init_var_run_t:chr_file write;
>>
>> audit2allow shows me that the above is attempted on Debian/Unstable. What's
>> this inaccessible directory about anyway?
>
> systemd-userruntimedir (245) now also creates it in /run/user/%{USERID}

The relevant code has this comment:

  /* Set up inaccessible nodes now so they're available if we decide to use
   * them with user namespaces. */

> probably used for InaccessiblePath= directive but I am not sure.

Yes, these are bind mounted over the path which is wanted inaccessible.
Perhaps this could be improved by giving them a dedicated label and then
some new TE rules could prevent anything other than PID1 from managing
them. Now if a service has CAP_SYS_ADMIN and is not blocked by seccomp
filters from using mount and umount system calls, it could dismantle the
bind mount.

-Topi

>>
>> # ls -lZ /run/systemd/inaccessible
>> total 0
>> b---------. 1 root root system_u:object_r:init_var_run_t:s0 0, 0 Feb 27 13:36 blk
>> c---------. 1 root root system_u:object_r:init_var_run_t:s0 0, 0 Feb 27 13:36 chr
>> d---------. 2 root root system_u:object_r:init_var_run_t:s0   40 Feb 27 13:36 dir
>> p---------. 1 root root system_u:object_r:init_var_run_t:s0    0 Feb 27 13:36 fifo
>> ----------. 1 root root system_u:object_r:init_var_run_t:s0    0 Feb 27 13:36 reg
>> s---------. 1 root root system_u:object_r:init_var_run_t:s0    0 Feb 27 13:36 sock
>
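Added example, not from the thread or from systemd itself: a unit drop-in
that uses the mechanism discussed above (systemd bind-mounts the mode-000
nodes from /run/systemd/inaccessible over each listed path) and at the same
time closes the gap Topi points out, so that the service cannot reach
mount(2)/umount2(2) and undo the bind mount. The service name and the two
paths are placeholders; the directive names (InaccessiblePaths=,
CapabilityBoundingSet=, SystemCallFilter=, SystemCallErrorNumber=,
NoNewPrivileges=, PrivateMounts=) are real systemd.exec(5) settings.

```ini
# /etc/systemd/system/example.service.d/hardening.conf   (placeholder unit name)
[Service]
# systemd overmounts each path with the matching node from
# /run/systemd/inaccessible (dir, reg, chr, blk, fifo or sock, all mode 000).
# The leading "-" tells systemd to ignore a path that does not exist.
InaccessiblePaths=-/var/lib/example/secrets -/etc/example/private.key

# The bind mount only holds while the service cannot call mount(2)/umount2(2).
# Remove CAP_SYS_ADMIN from the bounding set so the syscalls fail with EPERM...
CapabilityBoundingSet=~CAP_SYS_ADMIN
# ...and additionally seccomp-filter the whole mount syscall group, so even a
# service that somehow regains the capability cannot dismantle the overmount.
SystemCallFilter=~@mount
SystemCallErrorNumber=EPERM

# Stop setuid/fscaps binaries from handing the capability back.
NoNewPrivileges=yes
# Run in a private mount namespace: any mount change the service does make
# stays invisible to the host and to other services.
PrivateMounts=yes
```

After dropping the file in, run `systemctl daemon-reload` and restart the
unit; `systemd-analyze security <unit>` reports whether CAP_SYS_ADMIN and the
@mount group are still reachable. The SELinux side is unchanged by this: the
nodes keep whatever label the policy assigns (init_var_run_t on the system
above), so the dedicated-label idea in the reply is complementary, not
replaced, by the unit-level restrictions.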