Comments (9)
egtvedt
commented on May 18, 2024
I am stuck with the same issue, currently considering a workaround by reverting systemd commit systemd/systemd@63e2d17
I do not feel switching udevadm to udev_exec_t is the correct approach.
from refpolicy.
commented on May 18, 2024
Hans-Christian Egtvedt <[email protected]> writes:
I am stuck with the same issue, currently considering a workaround by reverting systemd commit ***@***.***
I do not feel switching udevadm to udev_exec_t is the correct approach.
Why do you think that?
You might have to move some rules over and add in/remove some compatibility rules, but essentially it should be the
same code. That is why they decided to merge it. it was just duplicate
code occupying space. You can add a typealias for compatibility.
This is (at least some of it) what i did in my personal policy to
address this consolidation:
https://git.defensec.nl/?p=dssp3.git;a=commitdiff;h=848385ed4a145ac2967ab9a7f1d0715ebe741fd1
…
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub, or unsubscribe.
--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
from refpolicy.
commented on May 18, 2024
Dominick Grift <[email protected]> writes:
Hans-Christian Egtvedt ***@***.***> writes:
> I am stuck with the same issue, currently considering a workaround by reverting systemd commit ***@***.***
>
> I do not feel switching udevadm to udev_exec_t is the correct approach.
Why do you think that?
You might have to move some rules over and add in/remove some compatibility rules, but essentially it should be the
same code. That is why they decided to merge it. it was just duplicate
code occupying space. You can add a typealias for compatibility.
This is (at least some of it) what i did in my personal policy to
address this consolidation:
https://git.defensec.nl/?p=dssp3.git;a=commitdiff;h=848385ed4a145ac2967ab9a7f1d0715ebe741fd1
and this:
https://git.defensec.nl/?p=dssp3.git;a=commitdiff;h=533ffc74b2898183c9143f7faf16d86261906d7a
…>
> —
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly, view it on GitHub, or unsubscribe.
>
--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
from refpolicy.
pebenito
commented on May 18, 2024
To me, it seems that we should change udevadm to udev_exec_t and then change the old udevadm transitions to be over udev_exec_t assuming there isn't a type transition conflict.
from refpolicy.
egtvedt
commented on May 18, 2024
Hans-Christian Egtvedt [email protected] writes:
I am stuck with the same issue, currently considering a workaround by reverting systemd commit @.*** I do not feel switching udevadm to udev_exec_t is the correct approach.
Why do you think that? You might have to move some rules over and add in/remove some compatibility rules, but essentially it should be the same code. That is why they decided to merge it. it was just duplicate code occupying space. You can add a typealias for compatibility. This is (at least some of it) what i did in my personal policy to address this consolidation: https://git.defensec.nl/?p=dssp3.git;a=commitdiff;h=848385ed4a145ac2967ab9a7f1d0715ebe741fd1
…
— You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.
-- gpg --locate-keys [email protected] Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift
Ack, I was mostly concerned about two quite different programs now being merged into one type, but I guess they will have the same needs with regards to access for things to work.
from refpolicy.
egtvedt
commented on May 18, 2024
I tuned my local policy file context to do
/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t)
And I also had to add the following policy
allow udev_t var_run_t:file { getattr open read };
And AFAICT things work as they should again, I see no violations and run in enforcing mode.
The need for udev_t to access var_run_t:file types are due to my embedded target being a bit exotic, I think that can be ignored.
from refpolicy.
minimaxwell
commented on May 18, 2024
I tuned my local policy file context to do
/usr/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t)And I also had to add the following policy
allow udev_t var_run_t:file { getattr open read };And AFAICT things work as they should again, I see no violations and run in enforcing mode.
The need for udev_t to access var_run_t:file types are due to my embedded target being a bit exotic, I think that can be ignored.
I've been testing that fix locally for a while now, and it also fixes the issue. Should we send that fix as a PR ?
Thanks,
Maxime
from refpolicy.
pebenito
commented on May 18, 2024
There is also a patch on the mail list that is aimed a resolving this, but it doesn't have the var_run_t rule. That sounds like a mislabeled file.
from refpolicy.
DemiMarie
commented on May 18, 2024
Another approach is to use SELinuxContext= in systemd-udevd.service.
from refpolicy.
Related Issues (20)
- Fail to build with POLICY_TYPE MLS HOT 1
- Fail to build policy fapolicyd if DIRECT_INITRC=y HOT 3
- Q:java based application HOT 5
- Problem when building policy HOT 3
- libsepol.validate_user_datum: Invalid user datum HOT 4
- How to write modules for systemd user services? HOT 7
- libsepol.sepol_string_to_security_class: unrecognized class user_namespace HOT 4
- chrome->nacl_helper: user_namespace HOT 2
- 2 questions HOT 1
- Need help with transitions HOT 1
- Container issues in enforcing mode on Debian 12 HOT 13
- How to transfer the current process or its thread to another context? HOT 4
- Possible missing rule for ssh -> java HOT 2
- Debian 12.1 statd and mountd fail to start with fixed ports HOT 13
- Question: sudo HOT 5
- [Q] Permission cmd in class io_uring not defined in policy. HOT 3
- /root directory has no label specified HOT 4
- systemd v255 executor helper
- Information Disclosure vulnerability related to SSL Private Keys and CSR used by the HTTP daemon HOT 2
- Privileged container spc_t optional HOT 11
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from refpolicy.