Miscellaneous fixes for confined users #2736
Conversation
| /run/systemd/generator -d gen_context(system_u:object_r:systemd_unit_file_t,s0) | ||
| /run/systemd/generator/.+ <<none>> | ||
| /run/user/%{USERID}/systemd/generator -d gen_context(system_u:object_r:systemd_unit_file_t,s0) | ||
| /run/user/%{USERID}/systemd/generator/.+ <<none>> |
There was a problem hiding this comment.
Why is it needed to label user units, or is it intended to have private types?
There was a problem hiding this comment.
systemctl --user can't access/manipulate them otherwise.
policy/modules/system/systemd.te
Outdated
| # User domains | ||
| allow userdomain systemd_unit_file_t:dir manage_dir_perms; | ||
| allow userdomain systemd_unit_file_t:file manage_file_perms; | ||
| allow userdomain systemd_unit_file_t:lnk_file manage_lnk_file_perms; |
There was a problem hiding this comment.
Types/attributes from other modules need to be accessed via interfaces. Anyway allowing any user type manage systemd_unit_file_t does not look good.
There was a problem hiding this comment.
~/.config/systemd/user/ is labelled as systemd_unit_file_t
so this is needed for confined users to be able to edit the files there with a text editor. So if you don't want for users to be able to edit all systemd_unit_file_ts, maybe we should add a new systemd_user_unit_file_t?
policy/modules/system/systemd.te
Outdated
| type sysadm_t; | ||
| ') | ||
|
|
||
| allow userdomain sysadm_t:unix_stream_socket { getattr getopt read setopt write }; |
There was a problem hiding this comment.
Only staff_t and admindomains are allowed to run sudo. Interface needs to be used.
There was a problem hiding this comment.
Only staff_t and admindomains are allowed to run sudo.
Right, but this is needed for the confined user session created with --machine=USER@ to be able to connect back to the systemctl command. Or should we maybe create a new label for that socket file so that we don't need to use sysadm_t?
There was a problem hiding this comment.
Ok, I tried to define new systemd_stdio_bridge_t and systemd_stdio_bridge_exec_t types, label /usr/bin/systemd-stdio-bridge as systemd_stdio_bridge_exec_t, and then let only systemd_stdio_bridge_t be allowed to read/write admindomain unix_stream_sockets, but that didn't work, because systemd runs systemd-stdio-bridge via systemd-run, and processes do not transition correctly when ran that way, so that solution is blocked by #2500 and systemd/systemd#32668.
So I've left the current functionality in, but I've changed it to use the proper interfaces now.
Right now, with confined users enabled, running `sudo networkctl status` (or any other subcommand) fails with permission errors. This commit makes it possible for a confined administrator to run `networkctl` commands.
gucci-on-fleek
force-pushed
the
misc-fixes
branch
from
990491b to
d4b48e2
Compare
|
(sorry for the long delay) I've updated the code to use interfaces for all external types, and I've addressed most of the other comments. For the comments that I haven't addressed, I've replied with a few questions because I'm not sure how to proceed. And thanks again for the review! |
2 participants
I've been running using SELinux-confined users on my Fedora IoT server for a few months now, but I've needed a few custom rules for it to work properly. This patch contains those rules.
There are quite a few (very small) changes here, so please let me know if you have any questions or want me to make any changes.
Full disclosure: I've been using a CIL version of these rules for a couple months now, and I've confirmed that the policies still build (
make all) and validate (make validate) correctly, but I haven't tested installing the.ppmodules from this patch on my server.(Vaguely related to containers/container-selinux#383)