selinux

Download

selinux@lists.opensuse.org

May 2021

3 participants
2 discussions

service file specific watches?
by Ludwig Nussel 18 May '21

18 May '21

Hi, ca-certificates, btrfsmaintenance and probably others have conditions that lead systemd to wanting to watch certain files, eg PathChanged=/etc/sysconfig/btrfsmaintenance That leads to type=AVC msg=audit(1621253570.928:27): avc: denied { watch } for pid=1 comm="systemd" path="/etc/sysconfig/btrfsmaintenance" dev="overlay" ino=15638 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0 That case is rather easy as "allow init_t etc_t:file watch;" would be ok to add to the systemd rules. How is this expected to work in general though? We patch the policy for systemd or ship individual policy snippets in packages? cu Ludwig -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.com/ SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer HRB 36809 (AG Nürnberg)

2 2

relabel in initrd always?
by Ludwig Nussel 18 May '21

18 May '21

Hi, MicroOS uses a dracut module to relabel in initrd before jumping into the real system¹. A normal TW on the other hand uses generator to boot into an autorelabel target, relabel and reboot². Any reason why the MicroOS approach couldn't just be used also in the plain old TW case? cu Ludwig [1] https://github.com/kubic-project/microos-tools/blob/master/selinux/98selinu… [2] https://build.opensuse.org/package/show/openSUSE:Factory/selinux-autorelabel -- (o_ Ludwig Nussel //\ V_/_ http://www.suse.com/ SUSE Software Solutions Germany GmbH, GF: Felix Imendörffer HRB 36809 (AG Nürnberg)

3 3