Hello, When trying help at creating a SELinux policy for systemd I found that systemd was associating userspace permissions the "system" security class (a kernel class). According to one of the writer of the refpolicy it is not a good idea to mix kernel and userspace permissions: http://oss.tresys.com/pipermail/refpolicy/2014-July/007237.html I'm not sure what should be done here, maybe a new "systemd" class should be created for this? Any idea? Also, as a side note I didn't found any documentation about all these permissions and their usage. Did I overlooked something?
Hello again, So I've talked to Christopher again on IRC and apparently he really doesn't want to mix kernel and userspace privileges in the same security class (something I can understand) So if I guess this will requires some changes (and coordination with Fedora) to create a new security class before being able to have a systemd policy merged in the refpolicy (and then used by other distributions)
Sorry, but my selinux-fu is too limited to grok this. For all SELinux support we kinda rely on patches from the SElinux community.
Laurent open a bugzilla on selinux-policy at bugzilla.redhat.com, and then we can start working on a fix there. Once we fixed it there we can push the fix into rawhide and get a fix for systemd.
Done https://bugzilla.redhat.com/show_bug.cgi?id=1132933
Closing this, let's continue tracking this in the rhbz bug. If there's something left to fix upstream in systemd, then please file a bug in systemd github when the time comes.
Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.