* /run/credentials
@ 2026-07-10 9:29 Russell Coker
2026-07-10 10:04 ` /run/credentials Dominick Grift
0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2026-07-10 9:29 UTC (permalink / raw)
To: selinux-refpolicy
Does anyone have any policy for credentials?
Below is what I'm getting on my systems running Debian/Testing, directories
like the following with no files in them.
# find /run/credentials/
/run/credentials/
/run/credentials/getty@tty2.service
/run/credentials/systemd-resolved.service
/run/credentials/systemd-journald.service
# find /run/credentials/ -type f
#
Currently what is happening is daemons trying to read their own dir and being
denied, here's an example:
type=AVC msg=audit(1783593117.796:143): avc: denied { open } for pid=1034
comm="agetty" path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
tclass=dir permissive=1
I was thinking of adding a credentials_runtime_t type and labelling everything
under /run/credentials with it, giving daemons read-access to directories and
wait to write real policy until people make daemons actually use it.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
^ permalink raw reply [flat|nested] 2+ messages in thread* Re: /run/credentials
2026-07-10 9:29 /run/credentials Russell Coker
@ 2026-07-10 10:04 ` Dominick Grift
0 siblings, 0 replies; 2+ messages in thread
From: Dominick Grift @ 2026-07-10 10:04 UTC (permalink / raw)
To: Russell Coker; +Cc: selinux-refpolicy
Russell Coker <russell@coker.com.au> writes:
> Does anyone have any policy for credentials?
I do but it did you age as well as it could have.
>
> Below is what I'm getting on my systems running Debian/Testing, directories
> like the following with no files in them.
>
> # find /run/credentials/
> /run/credentials/
> /run/credentials/getty@tty2.service
> /run/credentials/systemd-resolved.service
> /run/credentials/systemd-journald.service
> # find /run/credentials/ -type f
> #
>
> Currently what is happening is daemons trying to read their own dir and being
> denied, here's an example:
>
> type=AVC msg=audit(1783593117.796:143): avc: denied { open } for pid=1034
> comm="agetty" path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1
> scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tmpfs_t:s0
> tclass=dir permissive=1
>
> I was thinking of adding a credentials_runtime_t type and labelling everything
> under /run/credentials with it, giving daemons read-access to directories and
> wait to write real policy until people make daemons actually use it.
Did you read this:
https://systemd.io/CREDENTIALS/
--
gpg --auto-key-locate clear,nodefault,wkd --locate-external-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
Mastodon: @kcinimod@defensec.nl
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-07-10 10:09 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-10 9:29 /run/credentials Russell Coker
2026-07-10 10:04 ` /run/credentials Dominick Grift
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.