From: dac.override@gmail.com (Dominick Grift)
Date: Wed, 20 Dec 2017 17:33:23 +0100
Subject: [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
In-Reply-To: <76c5ca8c-dba8-0143-115b-7012297d3ffa@ieee.org>
References: <20171215214823.4661-1-nicolas.iooss@m4x.org>
 <20171216100006.GA22262@julius.enp8s0.d30>
 <76c5ca8c-dba8-0143-115b-7012297d3ffa@ieee.org>
Message-ID: <20171220163323.GB25507@julius.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Sun, Dec 17, 2017 at 03:33:12PM -0500, Chris PeBenito via refpolicy wrote:
> On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote:
> > On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote:
> >> systemd defines in /usr/lib/systemd several directories which can
> >> contain scripts or executable files:
> >> - system-environment-generators/ and user-environment-generators/
> >>   documented in
> >>   https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
> >> - system-shutdown/ documented in
> >>   https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
> >> - system-sleep/ documented in
> >>   https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
> >>
> >> Currently the content of these directories is labelled lib_t, which
> >> causes the following AVC on Arch Linux:
> >>
> >>   avc: denied { execute_no_trans } for pid=10308 comm="systemd"
> >>   path="/usr/lib/systemd/system-environment-generators/10-arch"
> >>   dev="vda1" ino=543182 scontext=system_u:system_r:init_t
> >>   tcontext=system_u:object_r:lib_t tclass=file permissive=1
> >
> > Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not, be what you want.
> >
> > In my personal policy I created a special type for stuff I want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t.
> >
> > Then there is basically a rule: allow init_t systemd_helper_exec_t:file execute_no_trans;
> >
> > It's a matter of taste, subjective.
>
> I don't think it's as subjective as you think. It keeps init_t from
> getting extra permissions over time which PID 1 doesn't need. initrc_t
> gets big, yes, but those are short-running processes, while init_t is
> long-running.

Yes, except in practice it does not. Take:

cat /usr/lib/systemd/system-shutdown/mdadm.shutdown
#!/bin/sh
# We need to ensure all md arrays with external metadata
# (e.g. IMSM, DDF) are clean before completing the shutdown.
/usr/sbin/mdadm --wait-clean --scan

If you run the above in initrc_t then mdadm has free rein; if you run it in init_t then systemd will run mdadm with a domain transition to mdadm_t.

> >
> >> For information /usr/lib/systemd/system-environment-generators/10-arch
> >> only defines $PATH and its content is available on
> >> https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem
> >> ---
> >>  policy/modules/kernel/corecommands.fc | 4 ++++
> >>  1 file changed, 4 insertions(+)
> >>
> >> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> >> index c2b93ecf5039..f2e4f5118d5f 100644
> >> --- a/policy/modules/kernel/corecommands.fc
> >> +++ b/policy/modules/kernel/corecommands.fc
> >> @@ -221,7 +221,11 @@ ifdef(`distro_gentoo',`
> >> /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >> /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
> >> /usr/lib/systemd/systemd.* -- gen_context(system_u:object_r:bin_t,s0)
> >> +/usr/lib/systemd/system-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >> /usr/lib/systemd/system-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >> +/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >> +/usr/lib/systemd/system-sleep(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >> +/usr/lib/systemd/user-environment-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >> /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
> >> /usr/lib/tumbler-1/tumblerd -- gen_context(system_u:object_r:bin_t,s0)
> >> /usr/lib/udev/[^/]* -- gen_context(system_u:object_r:bin_t,s0)
> >
> >
> --
> Chris PeBenito
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
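Review bot: the commit message justifies the four new bin_t entries only by the execute_no_trans AVC (init_t on lib_t), but as the thread points out, with bin_t these hooks will not run as init_t at all: systemd executes them through a domain transition to initrc_t, which is a much broader domain than a PATH-only generator like 10-arch needs. Please say in the commit message that running the environment generators and the system-shutdown and system-sleep hooks in initrc_t is the intended result, and mention the alternative raised in the thread (a dedicated type that init_t is allowed to execute_no_trans, so that a hook such as mdadm.shutdown stays in init_t and /usr/sbin/mdadm is reached through its own transition to mdadm_t). The (/.*)? patterns match the directory and every file beneath it, executable or not, which is consistent with the neighbouring system-generators and user-generators entries, so no change is needed there; also note that user-environment-generators are run by the per-user systemd --user instance rather than PID 1, so the AVC quoted for the system generator does not by itself demonstrate that directory needs the same label.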
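The alternative Dominick describes (a dedicated executable type that init_t may run without a domain transition) written out as a refpolicy-style module, as an added illustration; this is not his personal policy, not refpolicy code and not part of the patch under review. The module name systemd_helper, the type name systemd_helper_exec_t (taken from his reply) and the use of the raid module's mdadm transition interface for init_t are assumptions made for the example; the .fc entries below are the counterpart of the bin_t hunk above for the two hook directories his mdadm.shutdown case concerns.

```m4
## <summary>Example: let PID 1 run selected systemd hook scripts in init_t.</summary>
## (Added example, not refpolicy or dssp code.)

policy_module(systemd_helper, 1.0.0)

########################################
#
# Declarations
#

# Hypothetical type for hook scripts that init_t should execute in its
# own domain instead of via the init_t -> initrc_t transition that bin_t
# would give (per the thread).
type systemd_helper_exec_t;
files_type(systemd_helper_exec_t)

########################################
#
# init_t local policy
#

gen_require(`
	type init_t;
')

# can_exec() expands to the read/map/execute file permissions plus
# execute_no_trans, i.e. exactly the permission the Arch AVC asked for,
# so the script runs as init_t and no transition to initrc_t happens.
can_exec(init_t, systemd_helper_exec_t)

# mdadm.shutdown execs /usr/sbin/mdadm. Because the script now runs as
# init_t, the transition into mdadm_t has to be granted to init_t itself
# (interface name assumed from refpolicy's raid module).
optional_policy(`
	raid_domtrans_mdadm(init_t)
')

########################################
#
# systemd_helper.fc (example file contexts; the patch above labels the
# same paths bin_t instead)
#

/usr/lib/systemd/system-shutdown(/.*)?	gen_context(system_u:object_r:systemd_helper_exec_t,s0)
/usr/lib/systemd/system-sleep(/.*)?	gen_context(system_u:object_r:systemd_helper_exec_t,s0)
```

To see which of the two behaviours a loaded policy actually gives, query it with setools: `sesearch -T -s init_t -t bin_t -c process` prints the type_transition that sends bin_t executables into another domain (initrc_t if the thread's description holds), while `sesearch -A -s init_t -t systemd_helper_exec_t -c file -p execute_no_trans` confirms the no-transition rule from this module, and `sesearch -T -s init_t -c process -t mdadm_exec_t` shows whether init_t itself reaches mdadm_t once the script stays in init_t.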