Introduce systemd_cryptsetup_generator_var_run_t file type (bsc#1244459) #2780
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
zpytela
reviewed
Jul 18, 2025
policy/modules/system/systemd.te
Outdated
| allow systemd_cryptsetup_generator_t systemd_cryptsetup_generator_var_run_t:file manage_file_perms; | ||
| allow systemd_cryptsetup_generator_t systemd_cryptsetup_generator_var_run_t:lnk_file manage_lnk_file_perms; | ||
|
|
||
| fs_associate_ramfs(systemd_cryptsetup_generator_var_run_t) |
There was a problem hiding this comment.
ramfs has been deprecated in favor of tmpfs in policy since commit 8e908b8
Anyway I am even more confused: tmpfs_t, but the type is ..._var_run_t, and filetrans interface is init_var_lib_filetrans()? Where is the dir actually created?
There was a problem hiding this comment.
The directory gets created in /run/systemd/, so the type should be fine
The fs_associate_ramfs call isn't necessary on my system, but the reporter has a special setup. I'll remove it, so we can get the basic change in there and then sent another PR just for the tmpfs change
There was a problem hiding this comment.
I believe init_pid_filetrans() is the right match given
2736 ## <summary>
2737 ## Create objects in /run/systemd directory
2738 ## with an automatic type transition to
2739 ## a specified private type.
2740 ## </summary>
$ ls -lZd /run/systemd
drwxr-xr-x. 26 root root system_u:object_r:init_var_run_t:s0 720 27. srp 09.34 /run/systemd
The cryptsetup dir content is not used outside this generator?
When the key material is on a USB stick this currently doesn't work
since cryptsetup will create a directory with a generic type
Solves avc: denied { associate } for pid=16385 comm="systemd-cryptse" name="cryptsetup" scontext=system_u:object_r:systemd_cryptsetup_generator_var_run_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0
jsegitz
force-pushed
the
systemd_cryptsetup_generator_var_run_t
branch
from
6f4413b to
aae1322
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
When the key material is on a USB stick this currently doesn't work since cryptsetup will create a directory with a generic type
Solves avc: denied { associate } for pid=16385 comm="systemd-cryptse" name="cryptsetup" scontext=system_u:object_r:systemd_cryptsetup_generator_var_run_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=filesystem permissive=0