On Di, 23.09.25 15:44, Ian Pilcher ([email protected]) wrote:

> I recently discovered systemd credentials, and I was excited to start
> using them to pass private keys (for TLS certificates) into my stunnel
> service.
>
> LoadCredential=ampersand.key:/etc/pki/tls/private/stunnel/ampersand.key
> LoadCredential=switch1.key:/etc/pki/tls/private/stunnel/switch1.key
> LoadCredential=switch2.key:/etc/pki/tls/private/stunnel/switch2.key
> LoadCredential=switch4.key:/etc/pki/tls/private/stunnel/switch4.key
> ExecStartPre=/usr/bin/mkdir -m 0700 /tmp/keys
> ExecStartPre=/usr/bin/ln -s %d/ampersand.key %d/switch1.key %d/switch2.key
> %d/switch4.key /tmp/keys/
>
> (The symlinks under /tmp/keys are needed, because stunnel doesn't
> support any form of variable expansion in its configuration file.)

Uff, the /tmp/keys thing is an instant DoS, I hope you realize that?
That's not how security is done these days (or in fact has been done
for the last decade or two).

> Unfortunately, I quickly discovered that this doesn't work, because the
> SELinux context of the keys is lost when they are copied into the
> /run/credentials directory.

Yeah, the selinux policy can set new labels if it wants for that.

Note that the creds are not necessarily just copied, they are also
decrypted+authenticated. Moreover they are chowned/acled to the
service user. Or in other words, while they are generated from the
source files they really are their own thing – with their own
ownership/access mode/security identity – once they show up in
$CREDENTIALS_DIRECTORY. Hence copying over the label is not an obvious
thing to do I'd say, because you might possibly give access to
security sensitive material (i.e. the plaintext creds) to a label that
shouldn't have that (i.e. a label intended for the encrypted creds
only, which are something that need little protection).

> However, it isn't clear what benefit systemd credentials are providing
> at this point. Without them, I can simply copy the files directly from
> their original location, which is arguably simpler.

Sure, if the uniformity of the credentials logic, the
encryption/authentication/TPM2 stuff, the inheritance down the system
tree, the immutability, the backing by unswappable memory, the mount
namespacing and so on doesn't matter to you, and all the other stuff,
then sure, you can just copy the files yourself too. But that's like
saying "who needs ssh, telnet works too". And to some degree you'd
even be right. Hence, knock yourself out, but I think then you and I
are operating with quite a different understanding of what security
engineering means.

> ExecStartPre=/usr/bin/mkdir -m 0700 --context=system_u:object_r:cert_t:s0
> /tmp/keys
> ExecStartPre=/usr/bin/cp \
> /etc/pki/tls/private/stunnel/ampersand.key \
> /etc/pki/tls/private/stunnel/switch1.key \
> /etc/pki/tls/private/stunnel/switch2.key \
> /etc/pki/tls/private/stunnel/switch4.key \
> /tmp/keys/
>
> So the question is ... Am I missing something (or are systemd
> credentials simply not useful on systems running SELinux)?

So far there's an explicit relabel call when we create the dir that we
place the creds in; your selinux policy/database can hook into that to
label the creds according to your needs.

We could also relabel the cred files individually when we create them,
but that'd require a patch. At this point selinux stuff really
requires community patches to work nicely, because none of the systemd
upstream developers use it (at least to my knowledge).

(I am also not strictly opposed to just copying the label over, but
that'd require a patch to be submitted, and someone from the selinux
upstream folks needs to OK that, but that might be hard to get)

Lennart

--
Lennart Poettering, Berlin
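The /tmp/keys availability problem Lennart points at, shown next to a fixed-path layout that keeps the keys as credentials. This is an added drop-in written for this thread, not Ian's unit or anything from systemd upstream; it assumes stunnel runs as a dedicated user "stunnel" and that its configuration is pointed at /run/stunnel-keys/ (both assumptions).

```ini
# Constructed drop-in for stunnel.service (example, not from the thread).
# Assumes a dedicated service user "stunnel" and that stunnel.conf reads
# its keys from /run/stunnel-keys/.
[Service]
User=stunnel

# Keys are still loaded as credentials, so systemd decrypts/authenticates
# them, chowns them to the service user and keeps them in unswappable memory.
LoadCredential=ampersand.key:/etc/pki/tls/private/stunnel/ampersand.key
LoadCredential=switch1.key:/etc/pki/tls/private/stunnel/switch1.key
LoadCredential=switch2.key:/etc/pki/tls/private/stunnel/switch2.key
LoadCredential=switch4.key:/etc/pki/tls/private/stunnel/switch4.key

# Weak: a fixed name in the shared, world-writable /tmp. Any local user can
# create /tmp/keys first; mkdir then fails and the service never starts.
#   ExecStartPre=/usr/bin/mkdir -m 0700 /tmp/keys

# Hardened: let systemd create a service-owned directory under /run
# (created before ExecStartPre=, removed on stop) and place the fixed-path
# symlinks there. %d expands to $CREDENTIALS_DIRECTORY, so the targets are
# the per-service credential files, readable only by the service user.
RuntimeDirectory=stunnel-keys
RuntimeDirectoryMode=0700
ExecStartPre=/usr/bin/ln -s %d/ampersand.key %d/switch1.key %d/switch2.key %d/switch4.key /run/stunnel-keys/

# Defense in depth: give the service its own /tmp so no shared-tmp path
# can be pre-created by another local user.
PrivateTmp=yes
```

This does not change the SELinux labels of the credential files; as noted above, those are set by the policy's relabel hook on the credentials directory, not copied from the source keys.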
