From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 20 Dec 2017 11:44:59 -0500
Subject: [refpolicy] [PATCH 1/1] corecommands: label systemd script directories bin_t
In-Reply-To: <20171220163323.GB25507@julius.enp8s0.d30>
References: <20171215214823.4661-1-nicolas.iooss@m4x.org>
 <20171216100006.GA22262@julius.enp8s0.d30>
 <76c5ca8c-dba8-0143-115b-7012297d3ffa@ieee.org>
 <20171220163323.GB25507@julius.enp8s0.d30>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 12/20/2017 11:33 AM, Dominick Grift via refpolicy wrote:
> On Sun, Dec 17, 2017 at 03:33:12PM -0500, Chris PeBenito via refpolicy wrote:
>> On 12/16/2017 05:00 AM, Dominick Grift via refpolicy wrote:
>>> On Fri, Dec 15, 2017 at 10:48:23PM +0100, Nicolas Iooss via refpolicy wrote:
>>>> systemd defines in /usr/lib/systemd several directories which can
>>>> contain scripts or executable files:
>>>> - system-environment-generators/ and user-environment-generators/
>>>>   documented in
>>>>   https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
>>>> - system-shutdown/ documented in
>>>>   https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
>>>> - system-sleep/ documented in
>>>>   https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html
>>>>
>>>> Currently the content of these directories is labelled lib_t, which
>>>> causes the following AVC on Arch Linux:
>>>>
>>>> avc: denied { execute_no_trans } for pid=10308 comm="systemd"
>>>> path="/usr/lib/systemd/system-environment-generators/10-arch"
>>>> dev="vda1" ino=543182 scontext=system_u:system_r:init_t
>>>> tcontext=system_u:object_r:lib_t tclass=file permissive=1
>>>
>>> Yes, but labeling these bin_t will cause systemd to run these in the initrc_t domain. This might, or might not, be what you want.
>>>
>>> In my personal policy I created a special type for stuff I want systemd to run in the init_t domain instead of initrc_t: systemd_helper_exec_t.
>>>
>>> Then there is basically a rule: allow init_t systemd_helper_exec_t:file execute_no_trans;
>>>
>>> It's a matter of taste, subjective.
>>
>> I don't think it's as subjective as you think. It keeps init_t from
>> getting extra permissions over time which PID 1 doesn't need. initrc_t
>> gets big, yes, but those are short-running processes, while init_t is
>> long-running.
>
> Yes except in practice it does not:
>
> take:
>
> cat /usr/lib/systemd/system-shutdown/mdadm.shutdown
> #!/bin/sh
> # We need to ensure all md arrays with external metadata
> # (e.g. IMSM, DDF) are clean before completing the shutdown.
> /usr/sbin/mdadm --wait-clean --scan
>
> If you run the above in initrc_t then mdadm has free rein, if you run it in init_t then systemd will run mdadm with a domain transition to mdadm_t

No. The script transitions to initrc_t, and when the script execs mdadm, that process transitions to mdadm_t.

-- 
Chris PeBenito
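The thread turns on how SELinux resolves an exec: whether the caller keeps its domain (which needs execute_no_trans on the file) or a type_transition moves it to a new domain, and what that means for a shutdown script labelled lib_t, bin_t or a dedicated helper type when it goes on to run mdadm. The following is an added example, not code from this thread or from refpolicy: a small Python model of that exec-time decision, with a constructed rule set (an assumption, not the real refpolicy rules) that mirrors the three labellings discussed. It omits the entrypoint check the kernel also performs on a domain transition.

```python
# Toy model of SELinux exec-time domain transitions (added example).
# THREAD_POLICY is a constructed rule set that mirrors what the thread
# describes; it is an assumption, not refpolicy's actual rules.
from dataclasses import dataclass, field


@dataclass
class Policy:
    # (source domain, file type) -> permissions allowed on class "file"
    file_allow: dict = field(default_factory=dict)
    # (source domain, file type) -> new domain from a type_transition rule
    proc_trans: dict = field(default_factory=dict)
    # (source domain, new domain) pairs allowed the "transition" permission
    proc_allow: set = field(default_factory=set)

    def exec_file(self, domain, file_type):
        """Return (new_domain, denial); denial is an AVC-style string or None."""
        perms = self.file_allow.get((domain, file_type), set())
        if "execute" not in perms:
            return None, self._avc("execute", domain, file_type)
        new_domain = self.proc_trans.get((domain, file_type))
        if new_domain is None:
            # No type_transition: the caller keeps its domain, which the
            # kernel only permits if the file grants execute_no_trans.
            if "execute_no_trans" not in perms:
                return None, self._avc("execute_no_trans", domain, file_type)
            return domain, None
        if (domain, new_domain) not in self.proc_allow:
            return None, (f"avc: denied {{ transition }} scontext={domain} "
                          f"tcontext={new_domain} tclass=process")
        return new_domain, None

    @staticmethod
    def _avc(perm, domain, file_type):
        return (f"avc: denied {{ {perm} }} scontext=system_u:system_r:{domain} "
                f"tcontext=system_u:object_r:{file_type} tclass=file")


# Constructed rule set (assumption): bin_t sends init_t to initrc_t, lib_t has
# execute but not execute_no_trans (the Arch AVC), systemd_helper_exec_t stays
# in init_t, and mdadm_exec_t transitions to mdadm_t from either caller.
THREAD_POLICY = Policy(
    file_allow={
        ("init_t", "bin_t"): {"execute"},
        ("init_t", "lib_t"): {"execute"},
        ("init_t", "systemd_helper_exec_t"): {"execute", "execute_no_trans"},
        ("init_t", "mdadm_exec_t"): {"execute"},
        ("initrc_t", "mdadm_exec_t"): {"execute"},
    },
    proc_trans={
        ("init_t", "bin_t"): "initrc_t",
        ("init_t", "mdadm_exec_t"): "mdadm_t",
        ("initrc_t", "mdadm_exec_t"): "mdadm_t",
    },
    proc_allow={("init_t", "initrc_t"), ("init_t", "mdadm_t"),
                ("initrc_t", "mdadm_t")},
)


def trace_shutdown_script(policy, script_type, tool_type="mdadm_exec_t"):
    """Follow PID 1 (init_t) executing a system-shutdown script labelled
    script_type, then that script executing /usr/sbin/mdadm (tool_type).
    Returns (domains reached at each step, denial or None)."""
    domains = ["init_t"]
    script_domain, denial = policy.exec_file(domains[-1], script_type)
    if denial:
        return domains, denial
    domains.append(script_domain)
    tool_domain, denial = policy.exec_file(domains[-1], tool_type)
    if denial:
        return domains, denial
    domains.append(tool_domain)
    return domains, None


if __name__ == "__main__":
    for label in ("lib_t", "bin_t", "systemd_helper_exec_t"):
        print(label, "->", trace_shutdown_script(THREAD_POLICY, label))
```

Under this rule set the bin_t labelling yields init_t, initrc_t, mdadm_t, the helper type yields init_t, init_t, mdadm_t, and lib_t stops at the execute_no_trans denial; the difference between the two working paths is only the domain the short-lived script runs in, not the domain mdadm ends up in. On a real system the corresponding rules can be inspected with setools, e.g. `sesearch -T -s init_t -t bin_t -c process`.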