From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Fri, 15 Dec 2017 22:48:23 +0100
Subject: [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
Message-ID: <20171215214823.4661-1-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

systemd defines in /usr/lib/systemd several directories which can contain
scripts or executable files:

- system-environment-generators/ and user-environment-generators/
  documented in
  https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
- system-shutdown/ documented in
  https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
- system-sleep/ documented in
  https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html

Currently the content of these directories is labelled lib_t, which causes
the following AVC on Arch Linux:

    avc: denied { execute_no_trans } for pid=10308 comm="systemd" path="/usr/lib/systemd/system-environment-generators/10-arch" dev="vda1" ino=543182 scontext=system_u:system_r:init_t tcontext=system_u:object_r:lib_t tclass=file permissive=1

For information /usr/lib/systemd/system-environment-generators/10-arch only
defines $PATH and its content is available on
https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem
---
 policy/modules/kernel/corecommands.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index c2b93ecf5039..f2e4f5118d5f 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -221,7 +221,11 @@ ifdef(`distro_gentoo',` /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) -- 2.15.0
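Review bot: only the system-environment-generators entry is backed by evidence in the commit message (the execute_no_trans AVC from init_t on /usr/lib/systemd/system-environment-generators/10-arch); the system-shutdown, system-sleep and user-environment-generators entries are added by analogy with the existing system-generators and user-generators lines, so the commit message should state which domain executes scripts in those directories, otherwise a reader cannot tell whether bin_t is sufficient there or whether a domain transition is expected. The four new lines themselves look right: they use the same `(/.*)?` form as the neighbouring system-generators(/.*)? and user-generators(/.*)? entries, so the directory and everything under it get bin_t (unlike the file-only `--` pattern on /usr/lib/systemd/systemd.* just above), and they are inserted in the sort order the block already follows.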