[refpolicy] systemd policy

Dominick Grift dominick.grift at gmail.com
Tue Jan 14 06:24:24 EST 2014


On Mon, 2014-01-13 at 15:16 -0500, Daniel J Walsh wrote:
> On 01/13/2014 02:02 PM, Dominick Grift wrote:
> > On Mon, 2014-01-13 at 10:10 -0500, Daniel J Walsh wrote:
> > 
> >> I rely on Dominick and Miroslav to get Fedora changes/fixes upstream.
> >> 
> >> Could you guys take care of getting systemd policy upstream.
> >> 
> > 
> > We rely on Chris
> > 
> > I recently submitted a small patch just to get the ball rolling but it did
> > not get any reply.
> > 
> > Other than that, Fedora is also to blame to an extent.
> > 
> > It would help if Fedora also considers things, also for its own benefit.
> > 
> > For example:
> > 
> > Fedora recently remove the init_run_daemon(unconfined_t) from her policy,
> > while i submitted a solution here on this list that i believe is 
> > sustainable but it was ignore without any comments.
> > 
> > I know Fedora does not have to , or wants to support other init systems but
> > reference policy does not have that luxury. By going your own way, i 
> > believe you're shutting the door to alternative init systems in Fedora and
> > you decrease chances of getting stuff up streamed.
> > 
> > Now with every commit Fedora does i have to worry about this because i know
> > Fedora seems to not care about other scenarios
> > 
> > And then there is the issue that i am taking a bit of distance from the 
> > community. I have to focus on other things unfortunately, but ces't la vie
> > 
> > _______________________________________________
> >> refpolicy mailing list refpolicy at oss.tresys.com 
> >> http://oss.tresys.com/mailman/listinfo/refpolicy
> > 
> > 
> Well I would not say we don't care about other init systems, since we still
> need to support systemV init scripts.  I removed init_run_daemon(unconfined_t)
> because it was causing us problems with "Daemons" attempting to run as
> unconfined_u:system_r:unconfined_t:s0.  We are attempting to tighten security
> on confined domains being able to transition to unconfined domains.  Currently
> we allow unconfined domains to be entered by all file types.  We wanted to
> remove this since a confined domain that transitions to an unconfined domain.
> samba_t -> samba_unconfined_exec_t -> samba_unconfined_t, was only intended to
> happen on scripts labeled samba_unconfined_exec_t.  But we were not blocking
> the entrypoint, so potentially if samba was allowed to do
> setexeccon(samba_unconfined_t) it could execute any script to get to it.
> 
> After we turned off the entrypoint ability for all confined domains, then we
> saw this problem with unconfined_t.
> 
> My understanding of the auto transitions for initscripts was supposed to be
> 
> unconfined_r:unconfined_t @ *initrc_t -> system_r:initrc_t @httpd_exec_t ->
> system_r:httpd_t.
> 
> The interface we removed was causing
> 
> unconfined_r:unconfined_t @ httpd_exec_t -> system_r:unconfined_t and
> generating an entrypoint error.
> 
> I don't see why we want unconfined_r role changing to system_r just because it
> executed a daemon domain.
> 
> 

Let me try this another way:

Your solution "solves" the issue only for unconfined_t.

My solution: 1. fixes a broken interface, 2. "solves" the issue for
sysadm_t as well as for unconfined_t. 3. Does not break direct_initrc
(or at least should work with my other patches titled "make
direct_initrc apply to unconfined_t", if they are applied fully)




More information about the refpolicy mailing list