From: dac.override@gmail.com (Dominick Grift)
Date: Sat, 16 Dec 2017 11:00:06 +0100
Subject: [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
In-Reply-To: <20171215214823.4661-1-nicolas.iooss@m4x.org>
References: <20171215214823.4661-1-nicolas.iooss@m4x.org>
Message-ID: <20171216100006.GA22262@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote:
> systemd defines in /usr/lib/systemd several directories which can
> contain scripts or executable files:
> - system-environment-generators/ and user-environment-generators/
>   documented in
>   https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
> - system-shutdown/ documented in
>   https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
> - system-sleep/ documented in
>   https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
>
> Currently the content of these directories is labelled lib_t, which
> causes the following AVC on Arch Linux:
>
> avc: denied { execute_no_trans } for pid=10308 comm="systemd"
> path="/usr/lib/systemd/system-environment-generators/10-arch"
> dev="vda1" ino=543182 scontext=system_u:system_r:init_t
> tcontext=system_u:object_r:lib_t tclass=file permissive=1

Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not be what you want.

In my personal policy I created a special type for stuff I want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t.

Then there is basically a rule:

allow init_t systemd_helper_exec_t:file execute_no_trans;

It's a matter of taste, subjective.

> > For information /usr/lib/systemd/system-environment-generators/10-arch > only defines $PATH and its content is available on > https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem > --- > policy/modules/kernel/corecommands.fc | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc > index c2b93ecf5039..f2e4f5118d5f 100644 > --- a/policy/modules/kernel/corecommands.fc > +++ b/policy/modules/kernel/corecommands.fc 
> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',` > /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) > /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0) > -- > 2.15.0 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 659 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20171216/3a23b676/attachment.bin
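
Review bot: The commit message does not say which domain the scripts in the four added directories (system-environment-generators, system-shutdown, system-sleep, user-environment-generators) are meant to run in, and the choice of bin_t decides that. The quoted AVC is init_t being denied execute_no_trans on 10-arch, that is, execution without a domain transition, while the reply notes that bin_t makes systemd run these in initrc_t. If staying in init_t is the intent, a dedicated type such as the reply's systemd_helper_exec_t with "allow init_t systemd_helper_exec_t:file execute_no_trans;" matches the denial more closely. If the initrc_t transition is acceptable, state that in the commit message. Two smaller points: the new entries use "(/.*)?" with no file-type specifier, so the directories and every file beneath them become bin_t, not only executables. This mirrors the existing system-generators and user-generators lines but is worth stating. The AVC shown also covers only system-environment-generators, so the other three directories are relabelled without a demonstrated denial.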