Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp46224pxb; Wed, 27 Jan 2021 01:29:01 -0800 (PST) X-Google-Smtp-Source: ABdhPJwzgpmwpb36egGPHd2yJ+YeuQL/LHqQW4hOH0yuIrT7oaFjO0TBeieA1G0AZoar1No2iLUx X-Received: by 2002:a17:906:2c0e:: with SMTP id e14mr5960392ejh.299.1611739731492; Wed, 27 Jan 2021 01:28:51 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611739731; cv=none; d=google.com; s=arc-20160816; b=GVqPZScKMglaadGncrOWyUYsTLtzj3ApsFZvngJIX85H4DOroryjhI2EKXnlrtcyZP p6UeVk0oVnxscI3b9QX+1876WBHEYruQm4Uzpe9BvdkdK0bDQm302yCZ6NH347Ex8vB1 eRUXFyAjaB8oQoV31KardOmEtFGvNCHhX14ipwffC51VeJ6QgXRet3/SBdfyRopAtNRy uvVtPjpH2KJgzga1QHSIR1tRdPtOsm5xOBvCN8CD/v8KLOh91Z9Pzg7scYa1YZ6+CBdQ IhFcF0v/rrJ0BKtYROKEeHq0AWRJDSabD0BmhCOifn2129VldwUNk9hIwHxE9cdbjm6+ 2EnA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=+sW0z6qmUqtkqZxYVF/BQ/cyfyzdA4/WAZ8oyzmKlAs=; b=MuMfUILZzaSgrEC59vj2GWeL47oVTiFM44SZqRpDvy5Sq7rlefnjSCbFd2108vLoWX ExglXHGW0jrjlXAjei02gVL80AUcsikd4Nd1IFdyzCq5t6VK3eT58HR9ZqwcQUqtaWs5 InzI+NzapUSD10fU+CB6OiQvz7w6OnhvSJEG0uPpqF1Y17NYYWTFHPb6QYnkoyRYW4/p ZYvVPJ1nys4HpapiEwJ2Iahyw88R6eUFHG9WeJ7/sZbLUM37IzolqgxMSHyeqBJSk/0e Ge0mdQtTYtg1tjUAS4AinJCJccaXNXwnKjeY/Rh+rJu1lhS1EiKWwYobCodzQry63X3/ AeWA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=j4PPjR3J; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t17si657417edc.421.2021.01.27.01.28.22; Wed, 27 Jan 2021 01:28:51 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=j4PPjR3J; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233529AbhA0I4j (ORCPT + 16 others); Wed, 27 Jan 2021 03:56:39 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:58870 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233331AbhA0Iy0 (ORCPT ); Wed, 27 Jan 2021 03:54:26 -0500 Received: from liv.coker.com.au (unknown [103.75.204.226]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: russell@coker.com.au) by smtp.sws.net.au (Postfix) with ESMTPSA id 87DFA1602E; Wed, 27 Jan 2021 19:53:33 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1611737614; bh=+sW0z6qmUqtkqZxYVF/BQ/cyfyzdA4/WAZ8oyzmKlAs=; l=2063; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=j4PPjR3Jf7A6UhpdhV5lewfnWreOy3D6bbCtD9w6h3E/DaEvVsZzG3xmCCcFJckj3 q3ekpL+ppG3ye5dqDBAJVzhRWjc0cq5rcKpSl3pcDokBgfhiYVQSVArudLo2Bb7uw3 WuFuMR9bJeJGKxYkQDkqBdrWZFHh9i+aJQ8ruwdA= From: Russell Coker To: Dominick Grift Cc: selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH] misc kernel and system patches Date: Wed, 27 Jan 2021 19:53:30 +1100 Message-ID: <537253351.ELfjMz7iqO@liv> In-Reply-To: References: <43567489.y7f9mAODUD@liv> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On Wednesday, 27 January 2021 5:03:06 PM AEDT Dominick Grift wrote: > >> > @@ -1264,6 +1299,8 @@ allow systemd_tmpfiles_t systemd_journal > >> > > >> > allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; > >> > allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file > >> > read_file_perms; > >> > > >> > +allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink; > >> > >> questionable > > > > Why? > > Not sure yet. other than that is looks incomplete and that i am > wondering why one would be bothering with this. > > Can you tell me a bit more about this event? It's just a fifo that systemd-nspawn left lying around and tmpfiles cleaned up. My way of not bothering is to just allow it. It doesn't seem to do any harm. > >> unconfined should be unconfined. > > > > certbot needs execmem, we generally don't want to give that to unconfined, > > so running certbot in a different domain seems better. > > Those day's are long gone. Nowaday's even `grep` does execmem. grep asks for execmem but seems to work fine without it. certbot won't function without it. > >> But in my personal view unconfined_t shouldnt run lvm with a domain > >> transition in the first place (defeats the purpose of the unconfined > >> domain)> > > I think the problem is the type transition rules. Run lvm etc as > > unconfined_t and then lvm run from init etc won't be able to access it's > > temporary files etc. > > why would lvm run for init have any busyness with temporary files? Seems > unlikely to me and nowaday's we have a lot more flexibility with > type-trans rules. But yes, its a bit late in the game now to change > this. It breaks the model though IMHO. type_transition lvm_t device_t:blk_file fixed_disk_device_t; type_transition lvm_t etc_t:file lvm_metadata_t; Here's a couple of the type_transition rules in the current policy that indicate problems if you removed the transition to lvm_t. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/