SELinux policy denials on MicroOS (snapper/systemd)
Where should they be reported? Using systemd-boot/FDE image I get several non-muted failures, audit2allow results:

#============= snapperd_t ==============
allow snapperd_t dosfs_t:file unlink;
#============= systemd_fstab_generator_t ==============
allow systemd_fstab_generator_t init_t:bpf { map_read map_write };
#============= systemd_gpt_generator_t ==============
allow systemd_gpt_generator_t init_t:bpf { map_read map_write };

They do not seem to cause any visible problems though. Should they be reported against each individual product?

I did not try booting with dontaudit disabled, I assume dontaudit failures are benign.
On 2024-05-10 11:55, Andrei Borzenkov wrote:
Where should they be reported? Using systemd-boot/FDE image I get several non-muted failures, audit2allow results:
bugzilla.opensuse.org
Tumbleweed Product
Security category

Our security team are awesome at triaging and addressing the issues I've reported that way.
#============= snapperd_t ==============
allow snapperd_t dosfs_t:file unlink;
#============= systemd_fstab_generator_t ==============
allow systemd_fstab_generator_t init_t:bpf { map_read map_write };
#============= systemd_gpt_generator_t ==============
allow systemd_gpt_generator_t init_t:bpf { map_read map_write };
They do not seem to cause any visible problems though.
Should they be reported against each individual product?
I did not try booting with dontaudit disabled, I assume dontaudit failures are benign.
--
Richard Brown
Distributions Architect
SUSE Software Solutions Germany GmbH, Frankenstraße 146, D-90461 Nuremberg, Germany
(HRB 36809, AG Nürnberg)
Managing Directors/Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich
On Fri May 10, 2024 at 11:55 AM CEST, Andrei Borzenkov wrote:
Where should they be reported? Using systemd-boot/FDE image I get several non-muted failures, audit2allow results:
https://bugzilla.suse.com/show_bug.cgi?id=1224120

I can see it as well.

Matěj

--
http://matej.ceplovi.cz/blog/, @mcepl@floss.social
GPG Finger: 3C76 A027 CA45 AD70 98B5 BC1D 7920 5802 880B C9D8

Economics is the only discipline where two people can win a Nobel Prize for saying exactly the opposite thing!
-- Eamonn Butler of Adam Smith Institute on Nobel Prize awards for year 2001
On Fri, May 10, 2024 at 12:55:49PM GMT, Andrei Borzenkov wrote:
Where should they be reported?
Reporting in BZ is the right thing to do, as already pointed out. The openSUSE wiki contains guidelines for reporting SELinux bugs, including a bug creation template: https://en.opensuse.org/openSUSE:Bugreport_SELinux

--
Filippo Bonazzi
Security Engineer
suse.com
8257 4398 947A 2DBE F21D 76E6 937A 63F0 5B36 46D9
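As an added illustration (not part of the thread, and not the code of audit2allow or any SUSE tool), the script below reproduces the core of what `audit2allow -a` does with the AVC records behind the rules quoted in the first message: it parses `avc: denied { ... }` lines from audit.log, groups the denied permissions by (source type, target type, object class), and prints them in the same `#===== domain_t =====` / `allow ...;` layout. The audit records embedded in `SAMPLE_AUDIT_LOG` are constructed for this example to match the three rules in the thread; they are not copied from a real system. Having the triage step in plain code makes the point a reporter needs when filing one of these in Bugzilla: a rule is a summary of several records, so the bug should carry the raw records (including the `comm=` that triggered them), not just the generated `allow` line, and a record with `permissive=1` was logged but never actually blocked.

```python
"""Group SELinux AVC denials into audit2allow-style rules (added example)."""
import re
from collections import defaultdict

# Constructed sample audit records (not from a real host). The fields and
# layout follow the audit.log AVC format; the last record is a USER_AVC
# notice that carries no denial and must be ignored by the parser.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1715334900.123:45): avc:  denied  { unlink } for  pid=1234 comm="snapperd" name="snapshot.tmp" dev="vda1" ino=77 scontext=system_u:system_r:snapperd_t:s0 tcontext=system_u:object_r:dosfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1715334900.456:46): avc:  denied  { map_read } for  pid=301 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(1715334900.457:47): avc:  denied  { map_write } for  pid=301 comm="systemd-fstab-g" scontext=system_u:system_r:systemd_fstab_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=0
type=AVC msg=audit(1715334900.600:48): avc:  denied  { map_read map_write } for  pid=305 comm="systemd-gpt-aut" scontext=system_u:system_r:systemd_gpt_generator_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=bpf permissive=1
type=USER_AVC msg=audit(1715334901.000:49): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=1)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
"""

# One AVC record: verdict, permission set, triggering comm, both contexts,
# object class, and the optional permissive flag (1 = logged, not enforced).
AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r'.*?comm="(?P<comm>[^"]*)"'
    r".*?scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)


def type_of(context: str) -> str:
    """Return the type component of a user:role:type:level security context."""
    return context.split(":")[2]


def parse_avc(line: str):
    """Parse one audit line; return a dict, or None for non-AVC / unparseable lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "verdict": m["verdict"],
        "perms": frozenset(m["perms"].split()),
        "comm": m["comm"],
        "stype": type_of(m["scontext"]),
        "ttype": type_of(m["tcontext"]),
        "tclass": m["tclass"],
        "permissive": m["permissive"] == "1",
    }


def collect_denials(log_text: str) -> dict:
    """Union denied permissions per (source type, target type, class) key.

    The value for each key is a dict with the merged permission set, the
    set of comm names that triggered it, and whether every record for the
    key was only logged in permissive mode (i.e. nothing was really blocked).
    """
    rules = {}
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "denied":
            continue
        key = (rec["stype"], rec["ttype"], rec["tclass"])
        entry = rules.setdefault(key, {"perms": set(), "comms": set(), "all_permissive": True})
        entry["perms"] |= rec["perms"]
        entry["comms"].add(rec["comm"])
        entry["all_permissive"] &= rec["permissive"]
    return rules


def render_rules(rules: dict) -> str:
    """Emit allow rules in the layout audit2allow -a prints, grouped by source type."""
    by_source = defaultdict(list)
    for (stype, ttype, tclass), entry in rules.items():
        by_source[stype].append((ttype, tclass, entry))
    out = []
    for stype in sorted(by_source):
        out.append(f"#============= {stype} ==============")
        for ttype, tclass, entry in sorted(by_source[stype], key=lambda t: (t[0], t[1])):
            perms = sorted(entry["perms"])
            perm_str = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
            note = "  # permissive only" if entry["all_permissive"] else ""
            out.append(f"allow {stype} {ttype}:{tclass} {perm_str};{note}")
    return "\n".join(out)


if __name__ == "__main__":
    found = collect_denials(SAMPLE_AUDIT_LOG)
    print(render_rules(found))
    for key, entry in found.items():
        print(f"# {key}: triggered by {sorted(entry['comms'])}")
```

On a real host the same grouping is obtained with `ausearch -m AVC,USER_AVC -ts boot | audit2allow -a`; to surface the denials hidden by `dontaudit` rules (the case the first message leaves untested), `semodule -DB` rebuilds the policy with those rules disabled and `semodule -B` restores it afterwards. The generated `allow` lines are a description of what was blocked for the bug report, not a module to load: the fix belongs in the distribution policy package, which is why the thread points to Bugzilla.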