Re: Are we on the wrong track?

On 6/12/20 9:02 AM, Russell Coker wrote:
> On Friday, 12 June 2020 10:52:56 PM AEST Chris PeBenito wrote:
>>> In recent policy we have 6 different domains for systemd-generators.  What
>>> benefit are we expecting to get from this?  Are we anticipating that one
>>> generator will attack another?  How would having separate domains for
>>> generators do any good when there's no restriction on the contents of the
>>> files they generate and nothing to prevent one generator from creating a
>>> file of the name that another generator is expected to create?  Is it
>>> even reasonable to expect that a program that can create a systemd unit
>>> file with arbitrary content (IE being able to start any daemon with
>>> arbitrary configuration and command-line parameters) would be unable to
>>> exploit that for unrestricted root access?
>>
>> I find this a valid criticism and reason enough to at least collapse them
>> into a single domain.  The original intent was to constrain the special
>> access they use, but you are correct, a compromised generator could
>> mostly do all the bad things anyway since it can write unit files.
>
> OK, I'll submit a patch for that.

There were a few pending PRs that were put on hold or dropped for this change of direction, so I've posted the change:

https://github.com/SELinuxProject/refpolicy/pull/276

--
Chris PeBenito


