From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from markus.defensec.nl (markus.defensec.nl [45.80.168.93]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 1360F351C27 for ; Fri, 10 Jul 2026 10:09:17 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=45.80.168.93 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783678160; cv=none; b=QdbmgYsmiR93OR/KN/dxbqCRzrO9yfXmxUomWn0QFcKr19uXuiAw3tG9Uz2343RTyVWDnpcS8QhKvM5Ic879OR/9pFGje0+NJerMl2vyOOp4xTn1erA594SYVoCQdId3Cfa2lRQNhFx4unRjoq62cAiorGTY7b20bPW0t6TLgFY= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783678160; c=relaxed/simple; bh=wnp2ggydvOrOb7nz+EHDBUrQmYtf+o1RtxGITB4BYkQ=; h=From:To:Cc:Subject:In-Reply-To:References:Date:Message-ID: MIME-Version:Content-Type; b=sKNTcuILdcFlAJy3qcy6vKQaPeruS5K+HbN6otAebSSEL/1kevH06ToqQNYqq7khswUYdVFj/1OjCgWLpsBSSS+epoYP0rtI0B2mSdYjpsio0GuaqNFWkp3MazN/K6Eec0yASe+27xAOaJR00yYPaaGVrqz6V8XQkYq8XaLUQKA= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=defensec.nl; spf=pass smtp.mailfrom=defensec.nl; dkim=pass (1024-bit key) header.d=defensec.nl header.i=@defensec.nl header.b=fQFhTmpa; arc=none smtp.client-ip=45.80.168.93 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=defensec.nl Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=defensec.nl Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=defensec.nl header.i=@defensec.nl header.b="fQFhTmpa" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=defensec.nl; s=default; t=1783677878; bh=wnp2ggydvOrOb7nz+EHDBUrQmYtf+o1RtxGITB4BYkQ=; h=From:To:Cc:Subject:In-Reply-To:References:Date:From; b=fQFhTmpaZafsoWYjxfk4l+jK/8uAwI9BzEnoSkOB71c9mntIYBNwAubVxtVe0en1e m06sxfCER12RnSiDA/VwE64XGyY3fwwkMJfCJW4nHo1d1wpgmBD4yH1NEk13ow94Ys UC4wW/NbnPiHn6R6IESNkMs2Q3Mh1cGEPcQ5ySrY= Received: from nimbus (nimbus.defensec.nl [IPv6:2a10:3781:2099::514]) by markus.defensec.nl (Postfix) with ESMTPSA id 219352C743F; Fri, 10 Jul 2026 12:04:38 +0200 (CEST) From: Dominick Grift To: Russell Coker Cc: selinux-refpolicy@vger.kernel.org Subject: Re: /run/credentials In-Reply-To: <2526945.QCnGb9OGeP@dojacat> (Russell Coker's message of "Fri, 10 Jul 2026 19:29:31 +1000") References: <2526945.QCnGb9OGeP@dojacat> Date: Fri, 10 Jul 2026 12:04:37 +0200 Message-ID: <87h5m740ui.fsf@defensec.nl> User-Agent: Gnus/5.13 (Gnus v5.13) Precedence: bulk X-Mailing-List: selinux-refpolicy@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain Russell Coker writes: > Does anyone have any policy for credentials? I do but it did you age as well as it could have. > > Below is what I'm getting on my systems running Debian/Testing, directories > like the following with no files in them. > > # find /run/credentials/ > /run/credentials/ > /run/credentials/getty@tty2.service > /run/credentials/systemd-resolved.service > /run/credentials/systemd-journald.service > # find /run/credentials/ -type f > # > > Currently what is happening is daemons trying to read their own dir and being > denied, here's an example: > > type=AVC msg=audit(1783593117.796:143): avc: denied { open } for pid=1034 > comm="agetty" path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1 > scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 > tclass=dir permissive=1 > > I was thinking of adding a credentials_runtime_t type and labelling everything > under /run/credentials with it, giving daemons read-access to directories and > wait to write real policy until people make daemons actually use it. Did you read this: https://systemd.io/CREDENTIALS/ -- gpg --auto-key-locate clear,nodefault,wkd --locate-external-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 Dominick Grift Mastodon: @kcinimod@defensec.nl