From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.sws.net.au (smtp.sws.net.au [144.76.186.9]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 248503DCD9F for ; Fri, 10 Jul 2026 09:36:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=144.76.186.9 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783676168; cv=none; b=BWAGnHYEj7j87kv2Pl5nlvyjN2ALn3DtGzzNIPS+lZHwJgZhcHoia2bU/w4GXx10JDK91AGL2fvhObRZRS+sZYmNnMSw+UP1sb53hJfmLRiXPPzS+N0M3A6d7fJhbP5hpfknUTA6g3Uj2PNLJLgSTCB19inA+L8L20Y3ZI6SRdQ= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783676168; c=relaxed/simple; bh=krrpMEn0bzEZZZgygrpC/5Vvsg/NCXZPOO/u+m0Ot6o=; h=From:To:Subject:Date:Message-ID:MIME-Version:Content-Type; b=s7rwBSdyAHxaREAs/YRmdOr62nPtuuWF+eUGKw1Y+LWx2023+FkRzQ3/SDhRKjBQ5rXMC4SiWh2FrYd+SMnQdEYKvpsPGfH8QbA9ngYl3bmMmnuk3bSHWOcmcvDH2qCBI+7tfiFDeHpdhRkpvYZUF396P/fzUHjF98D5ub1ZB2o= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=coker.com.au; spf=pass smtp.mailfrom=coker.com.au; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b=ipyF7XuF; arc=none smtp.client-ip=144.76.186.9 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=reject dis=none) header.from=coker.com.au Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=coker.com.au Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="ipyF7XuF" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1783675743; bh=rQx6a+cmSKVbA4lo2gDX3YBQe3Sly80ey4+/CEG/5ac=; l=1060; h=From:To:Subject:Date:From; b=ipyF7XuFJ9jN7LzJAL7yLq1SATcWf9+PYag5yWMg9vTdJtLPbiFI/tuNRrd2k9FvX o9tm21qlI4TgJW3g2xkGjzR8b5jEZIENx0i8Fkwj3z4o6RX7L8D1Mm8bRDFrpVg38P JePbVBuKsxIcs/olm5pJPb4TTAM/043g97BGWb+U= Received: from liv.coker.com.au (unknown [IPv6:2001:4479:6706:1e00:5b25:5c6d:bad2:791]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange x25519 server-signature ECDSA (prime256v1) server-digest SHA256) (No client certificate requested) (Authenticated sender: russell@coker.com.au) by smtp.sws.net.au (Postfix) with ESMTPSA id 422BF136C3 for ; Fri, 10 Jul 2026 19:29:01 +1000 (AEST) From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: /run/credentials Date: Fri, 10 Jul 2026 19:29:31 +1000 Message-ID: <2526945.QCnGb9OGeP@dojacat> Precedence: bulk X-Mailing-List: selinux-refpolicy@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="utf-8" Does anyone have any policy for credentials? Below is what I'm getting on my systems running Debian/Testing, directories like the following with no files in them. # find /run/credentials/ /run/credentials/ /run/credentials/getty@tty2.service /run/credentials/systemd-resolved.service /run/credentials/systemd-journald.service # find /run/credentials/ -type f # Currently what is happening is daemons trying to read their own dir and being denied, here's an example: type=AVC msg=audit(1783593117.796:143): avc: denied { open } for pid=1034 comm="agetty" path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1 scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir permissive=1 I was thinking of adding a credentials_runtime_t type and labelling everything under /run/credentials with it, giving daemons read-access to directories and wait to write real policy until people make daemons actually use it. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/