Introduce systemd_cryptsetup_generator_var_run_t file type (bsc#1244459) #2780
Conversation
policy/modules/system/systemd.te
Outdated
| allow systemd_cryptsetup_generator_t systemd_cryptsetup_generator_var_run_t:file manage_file_perms; | ||
| allow systemd_cryptsetup_generator_t systemd_cryptsetup_generator_var_run_t:lnk_file manage_lnk_file_perms; | ||
|
|
||
| fs_associate_ramfs(systemd_cryptsetup_generator_var_run_t) |
There was a problem hiding this comment.
ramfs has been deprecated in favor of tmpfs in policy since commit 8e908b8
Anyway I am even more confused: tmpfs_t, but the type is ..._var_run_t, and filetrans interface is init_var_lib_filetrans()? Where is the dir actually created?
There was a problem hiding this comment.
The directory gets created in /run/systemd/, so the type should be fine
The fs_associate_ramfs call isn't necessary on my system, but the reporter has a special setup. I'll remove it, so we can get the basic change in there and then sent another PR just for the tmpfs change
There was a problem hiding this comment.
I believe init_pid_filetrans() is the right match given
2736 ## <summary>
2737 ## Create objects in /run/systemd directory
2738 ## with an automatic type transition to
2739 ## a specified private type.
2740 ## </summary>
$ ls -lZd /run/systemd
drwxr-xr-x. 26 root root system_u:object_r:init_var_run_t:s0 720 27. srp 09.34 /run/systemd
The cryptsetup dir content is not used outside this generator?
There was a problem hiding this comment.
sorry I didn't see the comment. I'll give init_pid_filetrans a try, but I can only do this after next week because my test vm needs an USB dongle attached, which I currently can't plug into the machine. Once I have access to the machine again I'll give it a go
There was a problem hiding this comment.
yes init_pid_filetrans is the better match, changed to that.
I don't know of any users of the cryptsetup dir as of now
There was a problem hiding this comment.
let me tag @zpytela to that he sees the change :)
jsegitz
force-pushed
the
systemd_cryptsetup_generator_var_run_t
branch
from
6f4413b to
aae1322
Compare
When the key material is on a USB stick this currently doesn't work
since cryptsetup will create a directory with a generic type
Solves avc: denied { associate } for pid=16385 comm="systemd-cryptse" name="cryptsetup" scontext=system_u:object_r:systemd_cryptsetup_generator_var_run_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
jsegitz
force-pushed
the
systemd_cryptsetup_generator_var_run_t
branch
from
aae1322 to
56a8bf8
Compare
2 participants
When the key material is on a USB stick this currently doesn't work since cryptsetup will create a directory with a generic type
Solves avc: denied { associate } for pid=16385 comm="systemd-cryptse" name="cryptsetup" scontext=system_u:object_r:systemd_cryptsetup_generator_var_run_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0