Bug#775651: systemd: /run/user/$UID directories are created with type tmpfs_t on SE Linux

2016-02-02 Thread Laurent Bigonville

On Sat, 30 Jan 2016 16:56:43 +0100 Michael Biebl wrote:
> On Mon, 19 Jan 2015 10:05:55 +0100 Michael Biebl wrote:
> > On 19.01.2015 at 03:20, Russell Coker wrote:
> > > On Mon, 19 Jan 2015, Michael Biebl wrote:
> > >> unfortunately I don't have any selinux knowledge at all, so I don't have
> > >> the slightest idea how this (or your earlier bug #775613) should be
> > >> addressed.
> > >>
> > >> Help is most welcome.
> > >
> > > Would you like me to give you root access on a virtual machine that
> > > demonstrates the bugs in question?
> >
> > Thanks for the kind offer. I'm not sure if it would help, since, as
> > said, I don't know anything about selinux. At least not enough to
> > examine and understand the issue.
>
> So, where do we stand on this. Is this actually something which needs to
> be addressed in the systemd package or is this an issue of the selinux
> policy package shipped in Debian and should be reassigned accordingly?
>
> Russell, Laurent, would very much appreciate your help with this bug report.

After some discussion on #selinux@freenode and some testing, it seems 
that there is still an issue here.


Somebody on the channel made a patch, I hope it will be upstreamed.

Cheers,

Laurent Bigonville



Bug#775651: systemd: /run/user/$UID directories are created with type tmpfs_t on SE Linux

2016-02-02 Thread Michael Biebl
On 02.02.2016 at 18:21, Laurent Bigonville wrote:
> After some discussion on #selinux@freenode and some testing, it seems
> that there is still an issue here.
> 
> Somebody on the channel made a patch, I hope it will be upstreamed.

A patch for systemd? Is this tracked somewhere?

-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#775651: systemd: /run/user/$UID directories are created with type tmpfs_t on SE Linux

2016-01-30 Thread Michael Biebl
On Mon, 19 Jan 2015 10:05:55 +0100 Michael Biebl wrote:
> On 19.01.2015 at 03:20, Russell Coker wrote:
> > On Mon, 19 Jan 2015, Michael Biebl wrote:
> >> unfortunately I don't have any selinux knowledge at all, so I don't have
> >> the slightest idea how this (or your earlier bug #775613) should be
> >> addressed.
> >>
> >> Help is most welcome.
> > 
> > Would you like me to give you root access on a virtual machine that 
> > demonstrates the bugs in question?
> 
> Thanks for the kind offer. I'm not sure if it would help, since, as
> said, I don't know anything about selinux. At least not enough to
> examine and understand the issue.

So, where do we stand on this. Is this actually something which needs to
be addressed in the systemd package or is this an issue of the selinux
policy package shipped in Debian and should be reassigned accordingly?

Russell, Laurent, would very much appreciate your help with this bug report.

Michael


-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#775651: systemd: /run/user/$UID directories are created with type tmpfs_t on SE Linux

2015-01-19 Thread Michael Biebl
On 19.01.2015 at 03:20, Russell Coker wrote:
> On Mon, 19 Jan 2015, Michael Biebl bi...@debian.org wrote:
>> unfortunately I don't have any selinux knowledge at all, so I don't have
>> the slightest idea how this (or your earlier bug #775613) should be
>> addressed.
>>
>> Help is most welcome.
>
> Would you like me to give you root access on a virtual machine that
> demonstrates the bugs in question?

Thanks for the kind offer. I'm not sure if it would help, since, as
said, I don't know anything about selinux. At least not enough to
examine and understand the issue.



-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#775651: systemd: /run/user/$UID directories are created with type tmpfs_t on SE Linux

2015-01-18 Thread Russell Coker
On Mon, 19 Jan 2015, Michael Biebl bi...@debian.org wrote:
> unfortunately I don't have any selinux knowledge at all, so I don't have
> the slightest idea how this (or your earlier bug #775613) should be
> addressed.
>
> Help is most welcome.

Would you like me to give you root access on a virtual machine that 
demonstrates the bugs in question?

-- 
My Main Blog       http://etbe.coker.com.au/
My Documents Blog  http://doc.coker.com.au/





Bug#775651: systemd: /run/user/$UID directories are created with type tmpfs_t on SE Linux

2015-01-18 Thread Michael Biebl
control: tags -1 moreinfo help
control: tags 775613 moreinfo help

On 18.01.2015 at 08:06, Russell Coker wrote:
> # grep auditallow local.te
> auditallow domain tmpfs_t:dir create;
> # grep granted /var/log/audit/audit.log
> type=AVC msg=audit(1421563773.398:239): avc:  granted  { create } for  pid=4302 comm=systemd name=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
> type=AVC msg=audit(1421563773.398:240): avc:  granted  { create } for  pid=4302 comm=systemd name=generator scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
> type=AVC msg=audit(1421563773.398:241): avc:  granted  { create } for  pid=4302 comm=systemd name=generator.early scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
> type=AVC msg=audit(1421563773.398:242): avc:  granted  { create } for  pid=4302 comm=systemd name=generator.late scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
> # ls -laZ /run/user
> total 0
> drwxr-xr-x.  4 root root system_u:object_r:var_auth_t:SystemLow   80 Jan 18 17:58 .
> drwxr-xr-x. 26 root root system_u:object_r:var_run_t:SystemLow  1080 Jan 18 17:58 ..
> drwx------.  3 root root system_u:object_r:var_auth_t:SystemLow   60 Jan 18 17:34 0
> drwx------.  3 rjc  rjc  system_u:object_r:tmpfs_t:SystemLow  60 Jan 18 17:58 1001
>
> I have an auditallow rule to audit creation of tmpfs_t directories.  As you can
> see systemd creates such directories when I login. The directory 0 has the
> correct context because I ran restorecon but the directory 1001 has the
> wrong context because I just logged in as that user.
>
> There are no auto trans rules to give it the type tmpfs_t and the file_contexts
> also specify var_auth_t.  I think that systemd is requesting tmpfs_t as the
> type.

Hi Russell,

unfortunately I don't have any selinux knowledge at all, so I don't have
the slightest idea how this (or your earlier bug #775613) should be
addressed.

Help is most welcome.

Michael



-- 
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?





Bug#775651: systemd: /run/user/$UID directories are created with type tmpfs_t on SE Linux

2015-01-17 Thread Russell Coker
Package: systemd
Version: 215-9
Severity: normal

# grep auditallow local.te
auditallow domain tmpfs_t:dir create;
# grep granted /var/log/audit/audit.log
type=AVC msg=audit(1421563773.398:239): avc:  granted  { create } for  pid=4302 comm=systemd name=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421563773.398:240): avc:  granted  { create } for  pid=4302 comm=systemd name=generator scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421563773.398:241): avc:  granted  { create } for  pid=4302 comm=systemd name=generator.early scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421563773.398:242): avc:  granted  { create } for  pid=4302 comm=systemd name=generator.late scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
# ls -laZ /run/user
total 0
drwxr-xr-x.  4 root root system_u:object_r:var_auth_t:SystemLow   80 Jan 18 17:58 .
drwxr-xr-x. 26 root root system_u:object_r:var_run_t:SystemLow  1080 Jan 18 17:58 ..
drwx------.  3 root root system_u:object_r:var_auth_t:SystemLow   60 Jan 18 17:34 0
drwx------.  3 rjc  rjc  system_u:object_r:tmpfs_t:SystemLow  60 Jan 18 17:58 1001

I have an auditallow rule to audit creation of tmpfs_t directories.  As you can
see systemd creates such directories when I login. The directory 0 has the
correct context because I ran restorecon but the directory 1001 has the
wrong context because I just logged in as that user.

There are no auto trans rules to give it the type tmpfs_t and the file_contexts
also specify var_auth_t.  I think that systemd is requesting tmpfs_t as the
type.

-- Package-specific info:

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  acl             2.2.52-2
ii  adduser         3.113+nmu3
ii  initscripts     2.88dsf-58
ii  libacl1         2.2.52-2
ii  libaudit1       1:2.4-1+b1
ii  libblkid1       2.25.2-4
ii  libc6           2.19-13
ii  libcap2         1:2.24-6
ii  libcap2-bin     1:2.24-6
ii  libcryptsetup4  2:1.6.6-4
ii  libgcrypt20     1.6.2-4+b1
ii  libkmod2        18-3
ii  liblzma5        5.1.1alpha+20120614-2+b3
ii  libpam0g        1.1.8-3.1
ii  libselinux1     2.3-2
ii  libsystemd0     215-9
ii  mount           2.25.2-4
ii  sysv-rc         2.88dsf-58
ii  udev            215-9
ii  util-linux      2.25.2-4

Versions of packages systemd recommends:
ii  dbus            1.8.14-1
ii  libpam-systemd  215-9

Versions of packages systemd suggests:
pn  systemd-ui      none

-- Configuration Files:
/etc/systemd/journald.conf changed:
[Journal]
SystemMaxUse=25M


-- no debconf information
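
The check described in the report above, as an added Python example (not code from the thread, from systemd or from the SELinux policy): it parses `granted` AVC records and an `ls -laZ` listing, then reports which directories were created as tmpfs_t and which entries under /run/user do not carry var_auth_t, the type the report says file_contexts specify. The function names are hypothetical, and the sample input is copied from the report with wrapped lines re-joined.

```python
import re

# Sample input copied from the report above, with wrapped lines re-joined.
# Real audit logs quote string fields (comm="systemd"); both forms are handled.
AUDIT_LOG = """\
type=AVC msg=audit(1421563773.398:239): avc:  granted  { create } for  pid=4302 comm=systemd name=systemd scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
type=AVC msg=audit(1421563773.398:240): avc:  granted  { create } for  pid=4302 comm=systemd name=generator scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=dir
"""
LS_Z = """\
total 0
drwxr-xr-x.  4 root root system_u:object_r:var_auth_t:SystemLow   80 Jan 18 17:58 .
drwxr-xr-x. 26 root root system_u:object_r:var_run_t:SystemLow  1080 Jan 18 17:58 ..
drwx------.  3 root root system_u:object_r:var_auth_t:SystemLow   60 Jan 18 17:34 0
drwx------.  3 rjc  rjc  system_u:object_r:tmpfs_t:SystemLow  60 Jan 18 17:58 1001
"""

AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{([^}]*)\}\s+for\s+(.*)")

def sel_type(context):  # user:role:type:level -> type
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC record into a dict, or return None for other lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in
           (kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)}
    rec["result"], rec["perms"] = m.group(1), m.group(2).split()
    return rec

def creations_with_type(log, ttype, tclass="dir"):
    """List (comm, source type, name) for objects created with type `ttype`."""
    hits = []
    for rec in filter(None, map(parse_avc, log.splitlines())):
        if ("create" in rec["perms"] and rec.get("tclass") == tclass
                and sel_type(rec["tcontext"]) == ttype):
            hits.append((rec["comm"], sel_type(rec["scontext"]), rec["name"]))
    return hits

def mislabeled(ls_output, expected_type):
    """List (name, owner, type) for `ls -laZ` entries not of expected_type."""
    bad = []
    for parts in map(str.split, ls_output.splitlines()):
        if len(parts) < 10 or parts[-1] in (".", ".."):
            continue  # skip "total", the directory itself and its parent
        if sel_type(parts[4]) != expected_type:
            bad.append((parts[-1], parts[2], sel_type(parts[4])))
    return bad
```

On this input, `creations_with_type(AUDIT_LOG, "tmpfs_t")` attributes both creations to systemd running as init_t, and `mislabeled(LS_Z, "var_auth_t")` singles out the 1001 directory.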

