All of lore.kernel.org
 help / color / mirror / Atom feed
* /run/credentials
@ 2026-07-10  9:29 Russell Coker
  2026-07-10 10:04 ` /run/credentials Dominick Grift
  0 siblings, 1 reply; 2+ messages in thread
From: Russell Coker @ 2026-07-10  9:29 UTC (permalink / raw)
  To: selinux-refpolicy

Does anyone have any policy for credentials?  

Below is what I'm getting on my systems running Debian/Testing, directories 
like the following with no files in them.

# find /run/credentials/
/run/credentials/
/run/credentials/getty@tty2.service
/run/credentials/systemd-resolved.service
/run/credentials/systemd-journald.service
# find /run/credentials/ -type f
# 

Currently what is happening is daemons trying to read their own dir and being 
denied, here's an example:

type=AVC msg=audit(1783593117.796:143): avc:  denied  { open } for  pid=1034 
comm="agetty" path="/run/credentials/getty@tty1.service" dev="tmpfs" ino=1 
scontext=system_u:system_r:getty_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 
tclass=dir permissive=1

I was thinking of adding a credentials_runtime_t type and labelling everything 
under /run/credentials with it, giving daemons read-access to directories and 
wait to write real policy until people make daemons actually use it.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-07-10 10:09 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-07-10  9:29 /run/credentials Russell Coker
2026-07-10 10:04 ` /run/credentials Dominick Grift

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.