From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 4 Mar 2017 14:12:10 +0100
Subject: [refpolicy] [PATCH] systemd-nspawn
In-Reply-To: <44624a8d-de0f-8654-9385-247baabbc938@ieee.org>
References: <20170228110557.ck7x4ligazrhdnrx@athena.coker.com.au>
 <201703010112.08588.russell@coker.com.au>
 <0ae32e3a-4447-62fc-736a-19e5db03ff44@ieee.org>
 <20170304122634.GA3913@t450.enp8s0.d30>
 <44624a8d-de0f-8654-9385-247baabbc938@ieee.org>
Message-ID: <20170304131210.GB3913@t450.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sat, Mar 04, 2017 at 07:29:07AM -0500, Chris PeBenito via refpolicy wrote:
> On 03/04/17 07:26, Dominick Grift via refpolicy wrote:
> > On Sat, Mar 04, 2017 at 07:16:41AM -0500, Chris PeBenito via refpolicy wrote:
> >> On 02/28/17 09:12, Russell Coker via refpolicy wrote:
> >>> On Tue, 28 Feb 2017 10:05:57 PM Russell Coker via refpolicy wrote:
> >>>> Index: refpolicy-2.20170227/policy/modules/system/logging.fc
> >>>>
> >>> ===================================================================
> >>>> --- refpolicy-2.20170227.orig/policy/modules/system/logging.fc
> >>>> +++ refpolicy-2.20170227/policy/modules/system/logging.fc
> >>>> @@ -64,7 +64,6 @@ ifdef(`distro_redhat',`
> >>>> /run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run
> >>>> _t,s0)
> >>>> /run/log -s gen_context(system_u:object_r:devlog_t,s0)
> >>>> /run/log -d gen_context(system_u:object_r:var_log_t,s0-
> >>>> mls_systemhigh)
> >>>> -/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_system
> >>>> high)
> >>>> /run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_r
> >>>> un_t,s0)
> >>>> /run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
> >>>> un_t,mls_systemhigh)
> >>>> /run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_r
> >>>> un_t,mls_systemhigh)
> >>>
> >>> This doesn't really belong in the nspawn patch. The reason it's in is that nspawn
> >>> was left after I split everything else into different patches.
> >>>
> >>> It's not a mistake; that labelling of /run/log/journal breaks systemd-journald
> >>> and needs to be removed. When it's removed, the entry for /var/run/log/journal
> >>> takes over and gives the desired result. I don't know why /run/log/journal
> >>> gets priority on my system.
> >>>
> >>> We need to fix this /run vs /var/run thing. We need one canonical name and we
> >>> need to change everything to it. Chris, do you want me to write a patch to
> >>> change everything to /run?
> >
> > That might cause issues.
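Review bot: the `-/run/log/journal(/.*)?` removal in the `@@ -64,7 +64,6 @@ ifdef(`distro_redhat',`` hunk of logging.fc is unrelated to systemd-nspawn and carries no explanation in the patch itself; the rationale (the var_log_t label on /run/log/journal breaks systemd-journald, and the /var/run/log/journal entry is meant to take over) only appears in the thread discussion. Split this into its own patch with that rationale in the commit message. Also note that the fix depends on lookup order rather than on the file_contexts saying what is wanted: after the deletion every remaining entry in this hunk, including the unchanged `/run/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)` line right above it, still lives under /run, so a lookup of /run/log/journal that is not rewritten to /var/run/log/journal falls back to whichever more general entry matches. If the intent is that /run/log/journal should carry the journald type rather than var_log_t, changing the context of this entry in place (or adding a /run/log/journal(/.*)? entry with the intended type, with the same MLS range) states that directly and does not rely on the /run vs /var/run substitution resolving the way it happens to on one system.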
> > SELinux-aware programs will use matchpathcon-like functionality to look up the context of the files to be created.
> > They will end up thinking that the file needs to be labeled var_t because they still look up using the /var/run path.
> >
> > This is an issue with many tmpfiles snippets, but not only that: package managers might fail for the same reason:
> >
> > /run/netreport:
> >
> > avc: denied { associate } for pid=13859 comm="dnf" name="netreport" dev="tmpfs" ino=20423 scontext=sys.id:sys.role:files.generic_var.var_file:s0 tcontext=sys.id:sys.role:fs.tmpfs.fs:s0 tclass=filesystem permissive=0
> >
> > /run/screen:
> >
> > avc: denied { associate } for pid=13859 comm="dnf" name="screen" dev="tmpfs" ino=20864 scontext=sys.id:sys.role:files.generic_var.var_file:s0 tcontext=sys.id:sys.role:fs.tmpfs.fs:s0 tclass=filesystem permissive=0
> >
> > Even if var_t were allowed to associate with the xattrfs fs, the files would still end up mislabeled: var_t
>
> I don't follow what the issue would be. If everything points to /run
> and there is a /var/run -> /run substitution, I would think it would
> work fine.

Oops yes, sorry, the issue is if you do not add the subs ...

>
> --
> Chris PeBenito

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
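The lookup behaviour Dominick and Chris are arguing about, as an added example that is not part of this thread, of refpolicy or of libselinux: a small Python model of a matchpathcon/selabel_lookup-style file_contexts query, with and without a subs_dist-style "/var/run -> /run" rewrite. The file_contexts excerpt and the substitution entry are constructed for the example; the screen_var_run_t and syslogd_var_run_t types given to /run/screen and /var/run/log/journal are assumptions, not taken from the thread or the policy, and the specificity ranking is a simplification of how fc_sort orders entries. It shows both halves of the problem: without the substitution a program asking about /var/run/screen gets var_t from the generic /var entry (the mislabel behind the associate denials), and with the substitution any entry that is still written under /var/run becomes unreachable, which is why one canonical name is needed rather than a mix.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed file_contexts excerpt in refpolicy .fc syntax, with gen_context()
# already expanded as in a built policy.  The types given to /run/screen and
# /var/run/log/journal are assumptions made for this example only.
FILE_CONTEXTS = r"""
# regex                      [type]  context
/.*                                  system_u:object_r:default_t:s0
/var(/.*)?                           system_u:object_r:var_t:s0
/run(/.*)?                           system_u:object_r:var_run_t:s0
/run/log                     -d      system_u:object_r:var_log_t:s0
/run/screen(/.*)?                    system_u:object_r:screen_var_run_t:s0
/var/run/log/journal(/.*)?           system_u:object_r:syslogd_var_run_t:s0
"""

# The "/var/run -> /run" substitution from the thread, in the shape a
# file_contexts.subs_dist line ("/var/run /run") would give it.
SUBS_DIST: Dict[str, str] = {"/var/run": "/run"}

_SPEC_LINE = re.compile(r"^(\S+)\s+(?:(-[bcdlps-])\s+)?(\S+)$")
_META = set(".^$?*+|[](){}\\")


@dataclass
class Spec:
    regex: "re.Pattern[str]"
    ftype: Optional[str]               # 'd', 'f', 's', ... or None for any type
    context: str
    rank: Tuple[bool, int, int, int]   # higher = more specific, wins on match


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse .fc lines into Specs ranked roughly the way fc_sort orders them:
    an entry without regex metacharacters beats one with them, then a longer
    literal stem wins, then a longer regex, then the later line."""
    specs: List[Spec] = []
    for lineno, raw in enumerate(text.splitlines()):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _SPEC_LINE.match(line)
        if not m:
            raise ValueError(f"bad file_contexts line: {raw!r}")
        pattern, flag, context = m.groups()
        has_meta = any(c in _META for c in pattern)
        stem_len = next((i for i, c in enumerate(pattern) if c in _META), len(pattern))
        ftype = None if flag is None else ("f" if flag == "--" else flag[1])
        specs.append(Spec(re.compile(pattern), ftype, context,
                          (not has_meta, stem_len, len(pattern), lineno)))
    return specs


def substitute(path: str, subs: Dict[str, str]) -> str:
    """subs_dist-style prefix rewriting: the source prefix only matches at a
    path-component boundary, so "/var/run" rewrites "/var/run/screen" but
    leaves "/var/runner" alone."""
    for src, dst in subs.items():
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path


def lookup(path: str, specs: List[Spec], subs: Optional[Dict[str, str]] = None,
           ftype: Optional[str] = None) -> Optional[str]:
    """Context a matchpathcon/selabel_lookup-style query would give for `path`,
    or None when nothing matches (libselinux then fails with ENOENT).  An entry
    with a file-type flag is only skipped when a different ftype is supplied,
    mirroring the mode check in selabel_lookup."""
    key = substitute(path, subs or {})
    best: Optional[Spec] = None
    for spec in specs:
        if spec.ftype and ftype and spec.ftype != ftype:
            continue
        if spec.regex.fullmatch(key) and (best is None or spec.rank > best.rank):
            best = spec
    return best.context if best else None


SPECS = parse_file_contexts(FILE_CONTEXTS)


def main() -> None:
    cases = [
        ("/var/run/screen", "d"),       # tmpfiles/dnf asking via the /var/run name
        ("/var/run/log/journal", "d"),  # entry written under /var/run in the policy
        ("/run/log", "d"),
        ("/run/log", "f"),
    ]
    for path, ftype in cases:
        without = lookup(path, SPECS, ftype=ftype)
        with_subs = lookup(path, SPECS, subs=SUBS_DIST, ftype=ftype)
        print(f"{path:<22} -{ftype}  no subs: {str(without):<40} subs: {with_subs}")


if __name__ == "__main__":
    main()
```

Running it prints the same path resolved both ways. /var/run/screen without the substitution lands on var_t, exactly the type in the denials above, and with it on the /run/screen entry; /var/run/log/journal goes the other way, resolving correctly without the substitution and falling back to the generic /run entry once the rewrite is in place, because the specific entry is spelled with /var/run. Whichever direction the substitution points, entries spelled with the other prefix stop being reachable, so the policy and the subs file have to agree on a single canonical name.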