From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 4 Mar 2017 13:26:34 +0100
Subject: [refpolicy] [PATCH] systemd-nspawn
In-Reply-To: <0ae32e3a-4447-62fc-736a-19e5db03ff44@ieee.org>
References: <20170228110557.ck7x4ligazrhdnrx@athena.coker.com.au> <201703010112.08588.russell@coker.com.au> <0ae32e3a-4447-62fc-736a-19e5db03ff44@ieee.org>
Message-ID: <20170304122634.GA3913@t450.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, Mar 04, 2017 at 07:16:41AM -0500, Chris PeBenito via refpolicy wrote:
> On 02/28/17 09:12, Russell Coker via refpolicy wrote:
> > On Tue, 28 Feb 2017 10:05:57 PM Russell Coker via refpolicy wrote:
> >> Index: refpolicy-2.20170227/policy/modules/system/logging.fc > >> > > =================================================================== > >> --- refpolicy-2.20170227.orig/policy/modules/system/logging.fc > >> +++ refpolicy-2.20170227/policy/modules/system/logging.fc 
> >> @@ -64,7 +64,6 @@ ifdef(`distro_redhat',` > >> /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run > >> _t,s0) > >> /run/log -s gen_context(system_u:object_r:devlog_t,s0) > >> /run/log -d gen_context(system_u:object_r:var_log_t,s0- > >> mls_systemhigh) > >> -/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_system > >> high) > >> /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_r > >> un_t,s0) > >> /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r > >> un_t,mls_systemhigh) > >> /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r > >> un_t,mls_systemhigh)
> >
> > This doesn't really belong in the nspawn patch. The reason it's in is nspawn
> > was left after I split everything else into different patches.
> >
> > It's not a mistake, that labelling of /run/log/journal breaks systemd-journald
> > and needs to be removed. When it's removed the entry for /var/run/log/journal
> > takes over and gives the desired result. I don't know why /run/log/journal
> > gets priority on my system.
> >
> > We need to fix this /run vs /var/run thing. We need one canonical name and we
> > need to change everything to it. Chris, you want me to write a patch to
> > change everything to /run? That might cause issues.
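Review bot: the removal of the /run/log/journal(/.*)? spec in this logging.fc hunk has nothing to do with the patch subject (systemd-nspawn) and carries no description of its own; split it into a separate patch whose message states which /var/run/log/journal spec is meant to take over and what type it assigns, since that spec is not visible in the hunk and the reader cannot verify the claim from the diff alone. Two things to check in that split-out patch: the @@ header places these lines after an ifdef(`distro_redhat',` line, so confirm the replacement /var/run/log/journal entry is not itself distro-conditional; and the kept context line `/run/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)` still labels the /run/log directory var_log_t, so only the journal subtree changes type and a transition or explicit spec must cover files journald creates beneath it.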

SELinux-aware programs will use matchpathcon-like functionality to look up
the context of the to-be-created files. They will end up thinking that file
needs to be labeled var_t because they still look up using the /var/run path.

This is an issue with many tmpfiles snippets, but not only that; package
managers might fail for the same reason:

/run/netreport: avc: denied { associate } for pid=13859 comm="dnf" name="netreport" dev="tmpfs" ino=20423 scontext=sys.id:sys.role:files.generic_var.var_file:s0 tcontext=sys.id:sys.role:fs.tmpfs.fs:s0 tclass=filesystem permissive=0
/run/screen: avc: denied { associate } for pid=13859 comm="dnf" name="screen" dev="tmpfs" ino=20864 scontext=sys.id:sys.role:files.generic_var.var_file:s0 tcontext=sys.id:sys.role:fs.tmpfs.fs:s0 tclass=filesystem permissive=0

Even if var_t would be allowed to associate with xattrfs fs, the files would
still end up mislabeled: var_t

>
> Yes, I'd take that patch as a standalone. Should I still look at this one?
>
> --
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
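The lookup behaviour discussed above (Russell's question of why one journal spec "gets priority" and Dominick's point that programs label to-be-created files via matchpathcon-style lookups), as an added illustration that is not refpolicy or libselinux code: a simplified Python model of matchpathcon/selabel_lookup run over a constructed file_contexts snippet. It assumes the libselinux rules that specs are matched as regexes anchored on the whole path with the most specific match winning, and that a file_contexts.subs_dist line rewrites the looked-up path before matching; the fc_sort ordering is reduced to stem length, regex length and file-type qualifier, and the `/run /var/run` subs line and the .fc lines are constructed for the demo. It shows that a lookup for `/run/screen` never reaches a spec keyed under `/var/run/screen`, and that which of the two journal specs applies depends on the path form the lookup uses rather than on the order of the specs.

```python
"""Simplified model of what an SELinux-aware program gets back from
libselinux (matchpathcon / selabel_lookup) for a file it is about to
create: optional subs_dist path rewriting, then a scan of the sorted
file_contexts specs where the most specific (last) match wins.

Added illustration, not refpolicy or libselinux code.  Specs, subs rule
and type names are constructed; the ordering simplifies fc_sort.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Spec:
    regex: str            # matched against the whole path
    ftype: Optional[str]  # e.g. '--' (file), '-d' (dir); None = any type
    context: str


# Constructed .fc-style specs: the service-specific types are keyed under
# /var/run while /run only has a generic spec (the mismatch in the thread).
FILE_CONTEXTS = """
/run(/.*)?                   gen_context(system_u:object_r:var_run_t,s0)
/var/run(/.*)?               gen_context(system_u:object_r:var_run_t,s0)
/var/run/screen(/.*)?        gen_context(system_u:object_r:screen_var_run_t,s0)
/run/log                -d   gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/run/log/journal(/.*)?       gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/run/log/journal(/.*)?   gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
"""

# Constructed file_contexts.subs_dist entry: lookups under /run are
# rewritten to /var/run before matching, giving the tree one canonical name.
SUBS_DIST = "/run /var/run\n"

SPEC_LINE = re.compile(r'^(\S+)\s+(?:(-[-dscbpl]?)\s+)?(\S+)$')
META = re.compile(r'[.^$?*+|\[\](){}\\]')


def parse_file_contexts(text: str) -> List[Spec]:
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = SPEC_LINE.match(line)
        if m is None:
            raise ValueError(f'bad file_contexts line: {line!r}')
        regex, ftype, context = m.groups()
        specs.append(Spec(regex, ftype, context))
    return specs


def parse_subs(text: str) -> List[Tuple[str, str]]:
    """subs_dist lines are '<path as looked up> <path used in the specs>'."""
    return [tuple(l.split()) for l in text.splitlines() if len(l.split()) == 2]


def apply_subs(path: str, subs: Sequence[Tuple[str, str]]) -> str:
    for src, dst in subs:
        if path == src or path.startswith(src + '/'):
            return dst + path[len(src):]
    return path


def stem_len(regex: str) -> int:
    """Length of the literal prefix before the first regex metacharacter."""
    m = META.search(regex)
    return len(regex) if m is None else m.start()


def sort_specs(specs: Sequence[Spec]) -> List[Spec]:
    # Simplified fc_sort order: longer stem, longer regex and an explicit
    # file type count as more specific, and more specific specs go LAST.
    return sorted(specs, key=lambda s: (stem_len(s.regex), len(s.regex), s.ftype is not None))


def lookup(specs, path, ftype=None, subs=()):
    """Context the program would apply to `path`, or None (<<none>>)."""
    path = apply_subs(path, subs)
    for spec in reversed(sort_specs(specs)):   # last match wins
        if spec.ftype and ftype and spec.ftype != ftype:
            continue
        if re.fullmatch(spec.regex, path):
            return spec.context
    return None


def demo():
    specs = parse_file_contexts(FILE_CONTEXTS)
    subs = parse_subs(SUBS_DIST)
    return {
        # tmpfiles/dnf create /run/screen: without subs only the generic spec hits
        'run_screen': lookup(specs, '/run/screen', '-d'),
        # the same directory asked for by its /var/run name gets the real type
        'var_run_screen': lookup(specs, '/var/run/screen', '-d'),
        # with the subs rule both names agree
        'run_screen_subs': lookup(specs, '/run/screen', '-d', subs),
        # which journal spec "takes priority" depends on the path form used
        'journal': lookup(specs, '/run/log/journal/system.journal', '--'),
        'journal_subs': lookup(specs, '/run/log/journal/system.journal', '--', subs),
    }


if __name__ == '__main__':
    for name, ctx in demo().items():
        print(f'{name:16} -> {ctx}')
```

Without the subs rule, `/run/screen` falls through to the generic /run spec and `/run/log/journal/...` hits the /run/log/journal spec; with the rule, the rewritten path reaches the /var/run entries and the /run/log/journal spec is never consulted. That is the behaviour a single canonical name has to settle one way or the other, and it is why the lookups in the AVC records above (keyed by the path the program actually passes) disagree with specs written for the other form.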