Bug 81105 - systemd reuses SELinux kernel AV
Status: RESOLVED NOTOURBUG
Product: systemd
Component: general
Version: unspecified
Hardware: Other All
Importance: medium normal
Assignee: systemd-bugs
QA Contact: systemd-bugs
 
Reported: 2014-07-09 13:38 UTC by Laurent Bigonville
Modified: 2016-06-07 10:26 UTC (History)

Description Laurent Bigonville 2014-07-09 13:38:22 UTC
Hello,

When trying to help at creating a SELinux policy for systemd I found that systemd was associating userspace permissions with the "system" security class (a kernel class).

According to one of the writers of the refpolicy it is not a good idea to mix kernel and userspace permissions:

http://oss.tresys.com/pipermail/refpolicy/2014-July/007237.html

I'm not sure what should be done here, maybe a new "systemd" class should be created for this? Any idea?

Also, as a side note I didn't find any documentation about all these permissions and their usage. Did I overlook something?
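A small policy-source check in the spirit of this report, added here as an example and not code from the report, from systemd or from refpolicy: it parses a constructed security_classes/access_vectors pair laid out the way refpolicy's flask files are (a trailing `# userspace` comment marking a userspace class is an assumption about that format), and flags permissions meant for a userspace object manager that have been attached to a kernel class such as "system". The class names, permission names and the hypothetical `systemd` class in the sample are constructed data, not the real policy.

```python
import re

# Constructed sample in refpolicy-style layout (not the real security_classes file).
# A trailing "# userspace" comment marks a class handled by a userspace object manager.
SECURITY_CLASSES = """\
# kernel classes, order is significant
class security
class process
class system
class capability
# userspace classes
class passwd                    # userspace
class dbus                      # userspace
class systemd                   # userspace (hypothetical)
"""

# Constructed sample in refpolicy-style access_vectors layout.
ACCESS_VECTORS = """\
common file
{
	ioctl
	read
}

class system
{
	ipc_info
	syslog_read
	syslog_mod
	module_load
	start
	stop
	status
}

class dbus
{
	acquire_svc
	send_msg
}

class systemd
{
	reload
	enable
}
"""

# Permissions a userspace daemon would check itself (constructed for the example).
USERSPACE_PERMS = {"start", "stop", "status", "reload", "enable"}

AV_BLOCK = re.compile(
    r"(class|common)\s+(\w+)(?:\s+inherits\s+(\w+))?\s*\{([^}]*)\}", re.S)


def parse_security_classes(text):
    """Return {class_name: is_userspace}; everything without the marker is a kernel class."""
    classes = {}
    for line in text.splitlines():
        code, _, comment = line.partition("#")
        m = re.match(r"\s*class\s+(\w+)", code)
        if m:
            classes[m.group(1)] = "userspace" in comment
    return classes


def parse_access_vectors(text):
    """Return {class_name: set(permissions)}, expanding 'inherits <common>' blocks."""
    commons, classes = {}, {}
    for kind, name, inherit, body in AV_BLOCK.findall(text):
        perms = set(body.split())
        if kind == "common":
            commons[name] = perms
        else:
            if inherit:
                perms |= commons.get(inherit, set())
            classes[name] = perms
    return classes


def find_userspace_perms_on_kernel_classes(security_classes, access_vectors, userspace_perms):
    """Return {kernel_class: sorted offending perms} for userspace perms placed on a kernel class."""
    hits = {}
    for cls, perms in access_vectors.items():
        is_userspace = security_classes.get(cls, False)
        offending = perms & userspace_perms
        if not is_userspace and offending:
            hits[cls] = sorted(offending)
    return hits


if __name__ == "__main__":
    sc = parse_security_classes(SECURITY_CLASSES)
    av = parse_access_vectors(ACCESS_VECTORS)
    for cls, perms in find_userspace_perms_on_kernel_classes(sc, av, USERSPACE_PERMS).items():
        print(f"kernel class '{cls}' carries userspace permissions: {', '.join(perms)}")
```

Run against the sample, the check reports the `system` class for `start`, `status` and `stop`, while the same kind of permission on the userspace-marked `systemd` class passes; that is the separation the refpolicy maintainer asks for in the linked thread.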
Comment 1 Laurent Bigonville 2014-08-04 15:59:52 UTC
Hello again,

So I've talked to Christopher again on IRC and apparently he really doesn't want to mix kernel and userspace privileges in the same security class (something I can understand).

So I guess this will require some changes (and coordination with Fedora) to create a new security class before being able to have a systemd policy merged in the refpolicy (and then used by other distributions).
Comment 2 Lennart Poettering 2014-08-18 21:19:34 UTC
Sorry, but my selinux-fu is too limited to grok this. For all SELinux support we kinda rely on patches from the SELinux community.
Comment 3 rhatdan 2014-08-20 14:34:25 UTC
Laurent, open a bugzilla on selinux-policy at bugzilla.redhat.com, and then we can start working on a fix there. Once we've fixed it there we can push the fix into rawhide and get a fix for systemd.
Comment 4 Laurent Bigonville 2014-08-22 11:02:15 UTC
Done

https://bugzilla.redhat.com/show_bug.cgi?id=1132933
Comment 5 Lennart Poettering 2016-06-07 10:26:03 UTC
Closing this, let's continue tracking this in the rhbz bug. If there's something left to fix upstream in systemd, then please file a bug in the systemd GitHub when the time comes.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.