mirror of
https://github.com/SELinuxProject/refpolicy
synced 2025-03-31 07:46:41 +00:00
When systemd --user runs helper programs in order to generate user environment variables, it reads memfd temporary files, which are labeled tmpfs_t:

type=AVC msg=audit(1569787627.183:487): avc: denied { getattr } for pid=19182 comm="(sd-executor)" path=2F6D656D66643A33302D73797374656D642D656E7669726F6E6D656E742D642D67656E657261746F72202864656C6574656429 dev="tmpfs" ino=50062 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=sysadm_u:object_r:tmpfs_t tclass=file permissive=1
type=SYSCALL msg=audit(1569787627.183:487): arch=c000003e syscall=5 success=yes exit=0 a0=a a1=7ffd324679d0 a2=7ffd324679d0 a3=4 items=0 ppid=19180 pid=19182 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=28 comm="(sd-executor)" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)
type=PROCTITLE msg=audit(1569787627.183:487): proctitle="(sd-executor)"
type=AVC msg=audit(1569787627.183:488): avc: denied { read } for pid=19182 comm="(sd-executor)" path=2F6D656D66643A33302D73797374656D642D656E7669726F6E6D656E742D642D67656E657261746F72202864656C6574656429 dev="tmpfs" ino=50062 scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=sysadm_u:object_r:tmpfs_t tclass=file permissive=1
type=SYSCALL msg=audit(1569787627.183:488): arch=c000003e syscall=0 success=yes exit=0 a0=a a1=559bf537abb0 a2=1000 a3=559bf5376010 items=0 ppid=19180 pid=19182 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=(none) ses=28 comm="(sd-executor)" exe="/usr/lib/systemd/systemd" subj=sysadm_u:sysadm_r:sysadm_systemd_t key=(null)
type=PROCTITLE msg=audit(1569787627.183:488): proctitle="(sd-executor)"

The hexadecimal path is "/memfd:30-systemd-environment-d-generator (deleted)". The name "(sd-executor)" is the name of a child process (cf. https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L222) and the name of the memfd file comes from "open_serialization_fd(name)" in https://github.com/systemd/systemd/blob/v243/src/shared/exec-util.c#L213.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
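The commit message above decodes the hex-encoded path by hand. The following is an added example, not part of the commit or of refpolicy, showing how a policy author can do the same mechanically for a whole audit log: it parses AVC records, hex-decodes the string fields auditd encodes when they contain spaces or quotes (the memfd path here, because of the " (deleted)" suffix), skips SYSCALL/PROCTITLE records, and groups the denied permissions by source type, target type and object class. The sample log lines are constructed from the two records in the message; the field-name set `HEX_ENCODABLE` is an assumption of this example, not an auditd API.

```python
"""Parse SELinux AVC records from an audit log, decoding auditd's hex-encoded
fields, and summarise the denied permissions per (source, target, class)."""
import re
from collections import defaultdict
from typing import Any, Dict, List, Optional, Set, Tuple

# Constructed sample input: the two AVC records quoted in the commit message,
# laid out as separate audit.log lines, plus one SYSCALL record that the parser
# must skip. The path value is the real hex string from the message.
HEX_PATH = ("2F6D656D66643A33302D73797374656D642D656E7669726F6E6D656E74"
            "2D642D67656E657261746F72202864656C6574656429")
SAMPLE_AUDIT_LOG = "\n".join([
    'type=AVC msg=audit(1569787627.183:487): avc:  denied  { getattr } for  pid=19182 '
    'comm="(sd-executor)" path=' + HEX_PATH + ' dev="tmpfs" ino=50062 '
    'scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=sysadm_u:object_r:tmpfs_t '
    'tclass=file permissive=1',
    'type=SYSCALL msg=audit(1569787627.183:487): arch=c000003e syscall=5 success=yes '
    'exit=0 comm="(sd-executor)" exe="/usr/lib/systemd/systemd"',
    'type=AVC msg=audit(1569787627.183:488): avc:  denied  { read } for  pid=19182 '
    'comm="(sd-executor)" path=' + HEX_PATH + ' dev="tmpfs" ino=50062 '
    'scontext=sysadm_u:sysadm_r:sysadm_systemd_t tcontext=sysadm_u:object_r:tmpfs_t '
    'tclass=file permissive=1',
])

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HEX_RE = re.compile(r"^(?:[0-9A-F]{2})+$")
# Assumed set of string fields that auditd hex-encodes when the value contains
# spaces, quotes or control bytes; numeric fields (pid, ino) are never decoded.
HEX_ENCODABLE = {"path", "comm", "name", "exe", "proctitle", "cwd", "key"}


def decode_audit_field(name: str, value: str) -> str:
    """Return the textual value of one key=value field: strip quotes, or
    hex-decode a string field that auditd encoded (even-length uppercase hex)."""
    if value.startswith('"') and value.endswith('"'):
        return value[1:-1]
    if name in HEX_ENCODABLE and HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", errors="replace")
    return value


def parse_avc(line: str) -> Optional[Dict[str, Any]]:
    """Parse one audit line; return None for anything that is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec: Dict[str, Any] = {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
    }
    for key, raw in FIELD_RE.findall(m.group("fields")):
        rec[key] = decode_audit_field(key, raw)
    return rec


def context_type(ctx: str) -> str:
    """Extract the type from a user:role:type[:range] security context."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


DenialKey = Tuple[str, str, str]


def summarize_denials(log: str) -> Dict[DenialKey, Set[str]]:
    """Collect denied permissions keyed by (source type, target type, object class)."""
    summary: Dict[DenialKey, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        key = (context_type(rec["scontext"]), context_type(rec["tcontext"]), rec["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)


def describe_denials(summary: Dict[DenialKey, Set[str]]) -> List[str]:
    """Render each group as 'source target:class { perms }', the shape a policy
    author reviews before deciding how to express the access (in refpolicy that
    is done through interfaces, not by pasting raw allow rules)."""
    return sorted(
        f"{src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }}"
        for (src, tgt, cls), perms in summary.items()
    )


if __name__ == "__main__":
    print(decode_audit_field("path", HEX_PATH))
    for entry in describe_denials(summarize_denials(SAMPLE_AUDIT_LOG)):
        print(entry)
```

Restricting hex decoding to known string fields matters: a purely numeric value such as an inode number can be an even-length run of hex digits, and decoding it would silently corrupt the record.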