From: Dominick Grift <dac.override@gmail.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: selinux@tycho.nsa.gov
Subject: Re: continuation of systemd/SELinux discussion from Github
Date: Wed, 2 Dec 2015 22:42:29 +0100	[thread overview]
Message-ID: <20151202214228.GF1028@x250> (raw)
In-Reply-To: <565F6167.5090507@tycho.nsa.gov>

On Wed, Dec 02, 2015 at 04:23:51PM -0500, Stephen Smalley wrote:
> 
> So there the systemd access controls wouldn't come into play.
> 
> For confined user roles, systemd-run --user <command> failed on Fedora 22
> with:
> 
> Failed to start transient service unit: Access denied
> 
> and journalctl showed:
> 
> systemd[15007]: Can't send to audit system: USER_AVC avc:  denied  { start }
> for auid=N uid=N gid=N path="/run/user/N/systemd/user/run-PID.service"
> cmdline="systemd-run --user id"
> scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:user_tmp_t:s0 tclass=service
> 
> So removing the systemd --user controls is a regression in the protection
> being provided in Fedora, IIUC, although I'll let the Fedora SELinux
> maintainers speak to that.

Yes, and my use case as well, because like I suggested:

any process that needs to be able to start any system-wide systemd user
unit will be able to start all of them

Currently this might not sound applicable to much, but in the future
there will potentially be many of those units, and processes will then
start using systemctl --user to control these units. So then this will
become an issue.

Also keep in mind that users can maintain user units in ~/.config/systemd

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
https://sks-keyservers.net/pks/lookup?op=get&search=0x314883A202DFF788
Dominick Grift
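The USER_AVC record Stephen quoted is emitted by the systemd --user
instance itself (it is a userspace object manager, hence USER_AVC rather
than a kernel AVC), checking the "start" permission on the "service"
class. The following is an added example, not code from the thread, from
systemd or from the reference policy: it parses such records and folds
them into the TE rule that would be needed to grant the access, the way
audit2allow does in spirit (no interface lookup, no dontaudit handling,
so it is a simplification). The log lines are constructed for the
example: the first is the denial quoted above with constructed uid/pid
values in place of the N/PID placeholders, the second is an invented
"stop" denial added only to show how permissions are grouped into one
rule.

```python
"""Reduce SELinux USER_AVC/AVC denial records to the allow rule they imply.

Added illustration (not systemd, refpolicy or audit2allow code).  Regexes,
function names and the sample log are assumptions made for this example.
"""
import re
from collections import OrderedDict

# Constructed sample input.  Line 1 mirrors the denial quoted in the thread
# (auid/uid/gid and the run-PID.service name are constructed values); line 2
# is an invented "stop" denial on the same unit file, used to show grouping.
SAMPLE_LOG = """\
systemd[15007]: Can't send to audit system: USER_AVC avc:  denied  { start } for auid=1000 uid=1000 gid=1000 path="/run/user/1000/systemd/user/run-15007.service" cmdline="systemd-run --user id" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=service
systemd[15007]: Can't send to audit system: USER_AVC avc:  denied  { stop } for auid=1000 uid=1000 gid=1000 path="/run/user/1000/systemd/user/run-15007.service" cmdline="systemctl --user stop run-15007.service" scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:user_tmp_t:s0 tclass=service
"""

# "avc:  denied  { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """A security context is user:role:type[:range]; return the type field."""
    return context.split(":")[2]


def parse_avc(line):
    """Parse one denial record into a dict, or return None for non-AVC lines."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        return {
            # USER_AVC: logged by a userspace object manager (systemd, dbus, X);
            # a plain AVC would come from the kernel's own permission check.
            "userspace": "USER_AVC" in line,
            "perms": m.group("perms").split(),
            "stype": _type_of(fields["scontext"]),
            "ttype": _type_of(fields["tcontext"]),
            "tclass": fields["tclass"],
            "path": fields.get("path"),
            "cmdline": fields.get("cmdline"),
        }
    except (KeyError, IndexError):
        # Missing scontext/tcontext/tclass or a malformed context string.
        return None


def allow_rules(lines):
    """Group denials by (source type, target type, class) and emit allow rules."""
    grouped = OrderedDict()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        perms = grouped.setdefault(key, [])
        for perm in rec["perms"]:
            if perm not in perms:
                perms.append(perm)
    return [
        "allow %s %s:%s { %s };" % (src, tgt, cls, " ".join(perms))
        for (src, tgt, cls), perms in grouped.items()
    ]


if __name__ == "__main__":
    for rule in allow_rules(SAMPLE_LOG.splitlines()):
        print(rule)
```

Note that the resulting rule is keyed on the type of the unit file
(user_tmp_t here), not on the individual unit: that is the granularity at
which the systemd --user checks operate, so a rule written this way covers
every unit file carrying that label.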
