From: Russell Coker <russell@coker.com.au>
To: Dominick Grift <dominick.grift@defensec.nl>
Cc: SELinux Reference Policy mailing list
<selinux-refpolicy@vger.kernel.org>,
Chris PeBenito <pebenito@ieee.org>
Subject: Re: systemd and dontaudit
Date: Thu, 24 Jul 2025 00:29:54 +1000 [thread overview]
Message-ID: <5056689.31r3eYUQgx@dojacat> (raw)
In-Reply-To: <871pq758m9.fsf@defensec.nl>
On Wednesday, 23 July 2025 23:39:42 AEST Dominick Grift wrote:
> > It only happened repeatedly on one of my systems. I think that triggering
> > that particular condition required multiple settings, so just not allowing
> > statfs isn't necessarily enough, some other combination of things allowed
> > and denied seemed necessary to get it into that state. The one system
> > that had this had it persist across reboots but other systems never had
> > it. I had seen it briefly happen on other systems but a reboot fixed it.
> >
> > I didn't put as much effort into investigating this as I might have
> > because
> > the access in question is fairly innocuous.
>
> I suspect this is triggered by libcap-ng's init function:
> https://github.com/stevegrubb/libcap-ng/blob/master/src/cap-ng.c#L236
But it works most of the time while it appears that all of the systemd
programs (most of which are in domains which dontaudit that) work. Also in
the case where there was a problem it happened AFTER the program had
initialised, so the program worked for some tasks but not all and the init of
libcapng had already happened (that's from load time right?).
That said, the fact that a common shared library expects this is a good reason
to allow it. Also the fact that systemd programs seem to drag in heaps of
shared libraries at load time suggests that even if we can get it working now
we are likely to run into a variation of the problem on another library later
on.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
prev parent reply other threads:[~2025-07-23 14:30 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-23 0:15 systemd and dontaudit Russell Coker
2025-07-23 12:37 ` Chris PeBenito
2025-07-23 12:57 ` Russell Coker
2025-07-23 13:39 ` Dominick Grift
2025-07-23 14:29 ` Russell Coker [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=5056689.31r3eYUQgx@dojacat \
--to=russell@coker.com.au \
--cc=dominick.grift@defensec.nl \
--cc=pebenito@ieee.org \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.