All of lore.kernel.org
 help / color / mirror / Atom feed
From: Dominick Grift <dominick.grift@defensec.nl>
To: Russell Coker <russell@coker.com.au>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: /run/credentials
Date: Fri, 10 Jul 2026 12:04:37 +0200	[thread overview]
Message-ID: <87h5m740ui.fsf@defensec.nl> (raw)
In-Reply-To: <2526945.QCnGb9OGeP@dojacat> (Russell Coker's message of "Fri, 10 Jul 2026 19:29:31 +1000")

Russell Coker <russell@coker.com.au> writes:

> Does anyone have any policy for credentials?  

I do but it did you age as well as it could have.

>
> Below is what I'm getting on my systems running Debian/Testing, directories 
> like the following with no files in them.
>
> # find /run/credentials/
> /run/credentials/
> /run/credentials/getty@tty2.service
> /run/credentials/systemd-resolved.service
> /run/credentials/systemd-journald.service
> # find /run/credentials/ -type f
> # 
>
> Currently what is happening is daemons trying to read their own dir and being 
> denied, here's an example:
>
> type=AVC msg=audit(1783593117.796:143): avc:  denied  { open } for  pid=1034 
> comm="agetty" path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1 
> scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 
> tclass=dir permissive=1
>
> I was thinking of adding a credentials_runtime_t type and labelling everything 
> under /run/credentials with it, giving daemons read-access to directories and 
> wait to write real policy until people make daemons actually use it.

Did you read this:

https://systemd.io/CREDENTIALS/


-- 
gpg --auto-key-locate clear,nodefault,wkd --locate-external-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl

      reply	other threads:[~2026-07-10 10:09 UTC|newest]

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-07-10  9:29 /run/credentials Russell Coker
2026-07-10 10:04 ` Dominick Grift [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87h5m740ui.fsf@defensec.nl \
    --to=dominick.grift@defensec.nl \
    --cc=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.