From: Chris PeBenito
To: Russell Coker, SELinux Reference Policy mailing list
Cc: Paul Moore
Subject: Re: pidfs
Date: Mon, 9 Dec 2024 09:12:26 -0500
X-Mailing-List: selinux-refpolicy@vger.kernel.org
In-Reply-To: <1985778.PYKUYFuaPT@cupcakke>
References: <1985778.PYKUYFuaPT@cupcakke>

On 12/6/2024 10:22 PM, Russell Coker wrote:
> What's this new pidfs that seems to have just become visible in 6.11.10 or
> similar recent kernels?
>
> https://lwn.net/Articles/714932/
>
> The above article has some information about a previous iteration of it,
> apparently not a separate mountable filesystem but a part of /proc that can be
> mounted as part of a container.
>
> I'm seeing the following audit entries about it; what should we do in policy
> about this?
>
> type=AVC msg=audit(1733540968.538:31305): avc: denied { getattr } for
> pid=1465 comm="systemd" name="/" dev="pidfs" ino=1
> scontext=etbe:user_r:user_systemd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0

You should expect to see pidfds extensively with systemd processes, as the
main systemd interfaces now use pidfds.

Right now the only option is to use a genfscon or task sid. I'd have
preferred to improve the labeling behavior, but no kernel devs have had a
chance to address it.

See https://github.com/SELinuxProject/refpolicy/pull/762

--
Chris
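A small triage helper, added here as an example and not part of the thread or of refpolicy: it parses the AVC record quoted above and, for a filesystem-class denial against unlabeled_t, emits the genfscon statement that would give the superblock a label, which is the option named in the reply. It assumes the dev= field names the filesystem type (true for pseudo filesystems such as pidfs), and the type name pidfs_t is a placeholder, not necessarily what PR 762 defines.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the AVC record quoted in the thread, reflowed onto one line.
SAMPLE_AVC = (
    'type=AVC msg=audit(1733540968.538:31305): avc: denied { getattr } for '
    'pid=1465 comm="systemd" name="/" dev="pidfs" ino=1 '
    'scontext=etbe:user_r:user_systemd_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=0'
)

_PERMS_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]*?)\s*\}")
_KV_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class AvcDenial:
    perms: List[str]                                   # e.g. ["getattr"]
    fields: Dict[str, str] = field(default_factory=dict)  # pid, comm, dev, tclass, ...

    def context_type(self, which: str) -> str:
        # A context is user:role:type[:range]; the type is the third component.
        return self.fields[which].split(":")[2]


def parse_avc(line: str) -> AvcDenial:
    """Parse one audit AVC record into its denied permissions and key=value fields."""
    m = _PERMS_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial record")
    fields: Dict[str, str] = {}
    for key, raw, quoted in _KV_RE.findall(line):
        fields[key] = quoted if raw.startswith('"') else raw  # strip quotes if present
    return AvcDenial(m.group(1).split(), fields)


def suggest_genfscon(d: AvcDenial, label_type: Optional[str] = None) -> Optional[str]:
    """Return a genfscon statement for a filesystem-class denial against unlabeled_t.

    None means the record is not that case.  label_type is a placeholder the policy
    author must still declare as a filesystem type; <dev>_t is used when not given.
    """
    if d.fields.get("tclass") != "filesystem" or d.context_type("tcontext") != "unlabeled_t":
        return None
    fs = d.fields["dev"]  # assumption: dev= names the fs type for pseudo filesystems
    return f"genfscon {fs} / gen_context(system_u:object_r:{label_type or fs + '_t'},s0)"


if __name__ == "__main__":
    denial = parse_avc(SAMPLE_AVC)
    print(f"{denial.fields['comm']} denied {denial.perms} on dev={denial.fields['dev']}")
    print(suggest_genfscon(denial))
```

The emitted genfscon line only labels the superblock; the getattr permission itself still needs an allow rule (in refpolicy, via the filesystem-layer interfaces) for the domain in scontext.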