Bug 81105

Summary: systemd reuses SELinux kernel AV
Product: systemd Reporter: Laurent Bigonville <bigon>
Component: generalAssignee: systemd-bugs
Status: RESOLVED NOTOURBUG QA Contact: systemd-bugs
Severity: normal    
Priority: medium CC: bigon, cpebenito, dwalsh
Version: unspecified   
Hardware: Other   
OS: All   
Whiteboard:
i915 platform: i915 features:

Description Laurent Bigonville 2014-07-09 13:38:22 UTC 
Hello,

When trying help at creating a SELinux policy for systemd I found that systemd was associating userspace permissions the "system" security class (a kernel class).

According to one of the writer of the refpolicy it is not a good idea to mix kernel and userspace permissions:

http://oss.tresys.com/pipermail/refpolicy/2014-July/007237.html

I'm not sure what should be done here, maybe a new "systemd" class should be created for this? Any idea?



Also, as a side note I didn't found any documentation about all these permissions and their usage. Did I overlooked something?
Comment 1 Laurent Bigonville 2014-08-04 15:59:52 UTC 
Hello again,

So I've talked to Christopher again on IRC and apparently he really doesn't want to mix kernel and userspace privileges in the same security class (something I can understand)

So if I guess this will requires some changes (and coordination with Fedora) to create a new security class before being able to have a systemd policy merged in the refpolicy (and then used by other distributions)
Comment 2 Lennart Poettering 2014-08-18 21:19:34 UTC 
Sorry, but my selinux-fu is too limited to grok this. For all SELinux support we kinda rely on patches from the SElinux community.
Comment 3 rhatdan 2014-08-20 14:34:25 UTC 
Laurent open a bugzilla on selinux-policy at bugzilla.redhat.com, and then we can start working on a fix there.  Once we fixed it there we can push the fix into rawhide and get a fix for systemd.
Comment 4 Laurent Bigonville 2014-08-22 11:02:15 UTC 
Done

https://bugzilla.redhat.com/show_bug.cgi?id=1132933
Comment 5 Lennart Poettering 2016-06-07 10:26:03 UTC 
Closing this, let's continue tracking this in the rhbz bug. If there's something left to fix upstream in systemd, then please file a bug in systemd github when the time comes.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.