On 9/23/25 17:56, Luca Boccassi wrote:
> On Tue, 23 Sept 2025 at 22:45, Ian Pilcher <[email protected]> wrote:
>> This was discussed in this issue[1], but the issue was closed without
>> any real resolution. (Giving a confined service access to everything
>> labeled var_run_t is most definitely not acceptable.)
>
> Sorry, but this is a self-imposed restriction that doesn't need to be
> in place. You can absolutely change the policy to allow that access.
> If you want to sandbox a service, you can use the appropriate
> sandboxing properties, like TemporaryFilesystem=/run/ and then only
> BindPaths= the individual things you want it to access.
>
> If you don't want to change the policy to allow a service to access
> creds then yeah there's not much to do, but there's no reason not to.
One class of vulnerabilities SELinux protects from is path traversal bugs in privileged services. Those can allow the service to access any *path* on the filesystem, but SELinux doesn't care about paths. It cares about inode labels, and those will block the access.

Does systemd guarantee that the credentials are not exposed *via any path on the filesystem* to anything but the service that should have access to them?

--
Sincerely,
Demi Marie Obenour (she/her/hers)
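For readers unfamiliar with the sandboxing properties named in the quoted reply, here is an added unit fragment (not from either message) showing how TemporaryFilesystem=/run/ and BindPaths= compose. The service name, paths under /run and the credential file are placeholders, and it assumes systemd still mounts the credential directory into the service after /run is replaced.

```ini
# Added illustration, not from the thread. Service name and paths are placeholders.
[Service]
ExecStart=/usr/bin/example-daemon
# Replace the service's view of /run with an empty tmpfs so nothing else
# labeled var_run_t on the host is reachable by path ...
TemporaryFilesystem=/run/
# ... then bind in only the specific entries the service actually needs.
BindPaths=/run/example-daemon
BindReadOnlyPaths=/run/dbus/system_bus_socket
# Credentials are handed over separately and show up under $CREDENTIALS_DIRECTORY
# (assumed to be mounted into the namespace independently of the tmpfs above).
LoadCredential=api-token:/etc/example-daemon/api-token
```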
