From: Russell Coker
To: Dominick Grift
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: machinectl shell policy
Date: Fri, 25 Dec 2020 16:12:24 +1100
Message-ID: <1723812.Y751QtlBzf@liv>
References: <8322849.62pqQp6Oog@liv>

On Thursday, 24 December 2020 7:37:50 PM AEDT Dominick Grift wrote:
> > To enable "machinectl shell" on recent versions of systemd we need
> > something like the above policy (which is not complete or ideal, still
> > doesn't work so no point polishing it) and something for the below. What
> > is the below about?
>
> This should be thoroughly addressed. machined creates a login pty that
> gets relabeled on login as per type_change rules.

Currently it's not being relabeled on Debian, but that's a separate issue.

> > type=USER_AVC msg=audit(1608759091.934:1799): pid=324 uid=108
> > auid=4294967295 ses=4294967295
> > subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied {
> > 0x2 } for msgtype=error
> > error_name=org.freedesktop.DBus.Error.FileNotFound dest=:1.18 spid=2642
> > tpid=2706 scontext=system_u:system_r:systemd_machined_t:s0
> > tcontext=bofh:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=(null) permissive=0
> > exe="/usr/bin/dbus-daemon" sauid=108 hostname=? addr=?
> > terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"
>
> Yes, I noticed the above as well on Debian with dbus-daemon; I don't see
> any of these on Fedora with dbus-broker.
>
> By the way, we probably shouldn't use the same dbus policy for both
> dbus-daemon and dbus-broker because they're pretty different.
>
> * dbus-broker does not check method returns (dbus-daemon does)
> * dbus-broker is systemd specific (dbus activation works via systemd)

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=892001

We have work in progress on dbus-broker in Debian. Would it make sense to
only support dbus-broker in SE Linux policy?

Being forced to use only 1 of the 2 dbus programs (and the newer and faster
1 of the 2) is a very small trade-off, smaller than some of the other
trade-offs for running SE Linux.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
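The USER_AVC record quoted above is awkward to triage by eye because dbus-daemon reports a raw permission bit ("{ 0x2 }") and nests the real source/target contexts inside msg='...'. The following parser is an added example, not code from this thread or from refpolicy; the sample record is the one quoted above joined onto one line, and the mapping of dbus-daemon's permission bits (0x1 acquire_svc, 0x2 send_msg) is an assumption about dbus-daemon's SELinux glue.

```python
import re

# Constructed sample: the USER_AVC line quoted in the thread, joined onto one line.
SAMPLE = ("type=USER_AVC msg=audit(1608759091.934:1799): pid=324 uid=108 "
          "auid=4294967295 ses=4294967295 "
          "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { 0x2 } "
          "for msgtype=error error_name=org.freedesktop.DBus.Error.FileNotFound dest=:1.18 "
          "spid=2642 tpid=2706 scontext=system_u:system_r:systemd_machined_t:s0 "
          "tcontext=bofh:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=(null) permissive=0 "
          "exe=\"/usr/bin/dbus-daemon\" sauid=108 hostname=? addr=? terminal=?'"
          "UID=\"messagebus\" AUID=\"unset\" SAUID=\"messagebus\"")

# Assumption: dbus-daemon logs its own permission bits, not policy permission names.
DBUS_PERMS = {0x1: "acquire_svc", 0x2: "send_msg"}

# key=value tokens; a value is "...", '...' (may contain spaces) or a bare word.
KV = re.compile(r"(\w+)=(\"[^\"]*\"|'[^']*'|\S+)")


def parse_kv(text):
    """Return key/value pairs with surrounding quotes stripped (last key wins)."""
    return {k: v.strip("\"'") for k, v in KV.findall(text)}


def parse_user_avc(record):
    """Split a USER_AVC line into the reporting daemon's view and the inner avc fields."""
    outer = parse_kv(record)
    if outer.get("type") != "USER_AVC":
        return None
    audit_id = re.search(r"msg=audit\(([\d.]+):(\d+)\)", record)
    inner_text = re.search(r"msg='([^']*)'", record).group(1)
    inner = parse_kv(inner_text)
    denied = re.search(r"denied\s*\{([^}]*)\}", inner_text)
    perms = []
    for tok in (denied.group(1).split() if denied else []):
        try:
            perms.append(DBUS_PERMS.get(int(tok, 0), tok))  # hex bit -> name if known
        except ValueError:
            perms.append(tok)  # already a symbolic permission name
    return {
        "timestamp": float(audit_id.group(1)), "serial": int(audit_id.group(2)),
        "reporter": outer.get("subj"), "exe": inner.get("exe"),
        "scontext": inner.get("scontext"), "tcontext": inner.get("tcontext"),
        "tclass": inner.get("tclass"), "permissive": inner.get("permissive") == "1",
        "perms": perms, "error_name": inner.get("error_name"),
    }


def summarize(record):
    """One-line triage summary: who was denied what against whom, and whether it was enforced."""
    r = parse_user_avc(record)
    mode = "permissive" if r["permissive"] else "enforcing"
    return f"{r['scontext']} -> {r['tcontext']}: {' '.join(r['perms'])} via {r['exe']} ({mode})"
```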