On 1/15/19 2:47 AM, Russell Coker wrote:
> On Sunday, 13 January 2019 6:28:35 AM AEDT Chris PeBenito wrote:
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -337,6 +337,10 @@ optional_policy(`
networkmanager_dbus_chat(systemd_hostnamed_t)
')
+optional_policy(`
+ unconfined_dbus_send(systemd_hostnamed_t)
+')
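Review bot: The added optional_policy block calling unconfined_dbus_send(systemd_hostnamed_t) carries no comment saying which D-Bus message systemd_hostnamed_t needs to send to an unconfined domain or which denial prompted the rule. Please add a comment above the block recording the observed denial and the peer involved, so the grant can be justified in review and narrowed or dropped later if the sender turns out to be something else.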
>> This comment:
>> https://github.com/SELinuxProject/refpolicy/issues/18#issuecomment-452316615
>> makes me rethink all dbus sends to unconfined domains, especially
>> unconfined_t. This here isn't all confined domains, but I want more
>> consideration for the perm.
> That comment is about allowing all domains to send to unconfined_t. Allowing
> specific domains like systemd_hostnamed_t to send to unconfined_t doesn't seem
> like a problem. It doesn't seem likely that an attack via dbus would start
> with a systemd domain, especially not one like systemd_hostnamed_t.
It's applicable to confined domains sending messages to unconfined
domains. What compounds my concern is that there is no similar access
for confined users, so where is this coming from? (what's happening?)
--
Chris PeBenito