Re: machinectl shell policy

Russell Coker <russell@xxxxxxxxxxxx> writes:

> allow sysadm_t systemd_machined_t:dbus send_msg;
> systemd_manage_userdb_runtime_dirs(systemd_machined_t)
> systemd_manage_userdb_runtime_sock_files(systemd_machined_t)
> term_use_ptmx(systemd_machined_t)
> dev_getattr_fs(systemd_machined_t)
> term_getattr_pty_fs(systemd_machined_t)
>
> To enable "machinectl shell" on recent versions of systemd we need something 
> like the above policy (which is not complete or ideal, still doesn't work so 
> no point polishing it) and something for the below.  What is the below about?

This should be thoroughly addressed. machined creates a login pty that
gets relabeled on login as per type_change rules.

>
> type=USER_AVC msg=audit(1608759091.934:1799): pid=324 uid=108 auid=4294967295 
> ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  
> denied  { 0x2 } for msgtype=error 
> error_name=org.freedesktop.DBus.Error.FileNotFound dest=:1.18 spid=2642 
> tpid=2706 scontext=system_u:system_r:systemd_machined_t:s0 
> tcontext=bofh:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=(null) permissive=0  
> exe="/usr/bin/dbus-daemon" sauid=108 hostname=? addr=? 
> terminal=?'UID="messagebus" AUID="unset" SAUID="messagebus"

Yes, I noticed the above as well on Debian with dbus-daemon; I don't see
any of these on Fedora with dbus-broker.

By the way, we probably shouldn't use the same dbus policy for both
dbus-daemon and dbus-broker because they're pretty different.

* dbus-broker does not check method returns (dbus-daemon does)
* dbus-broker is systemd specific (dbus activation works via systemd)

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
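As an added illustration of what the quoted USER_AVC line is asking for (not code from the thread or from refpolicy): dbus-daemon, acting as a userspace object manager, logs the dbus permission as a raw bitmask (`{ 0x2 }`, `tclass=(null)`) rather than by name; in the refpolicy `dbus` class declaration the second bit is `send_msg`. The parser below maps the bitmask back to the permission name and derives the rule the denial implies. Note the direction: the blocked message is the `error` reply from `systemd_machined_t` back to `sysadm_t`, the reverse of the `allow sysadm_t systemd_machined_t:dbus send_msg;` rule quoted above, which is exactly the method-return check that dbus-broker does not perform. The sample line is the thread's own log line rejoined onto one line.

```python
import re

# Constructed sample: the USER_AVC line quoted in the thread, rejoined onto one line.
SAMPLE = (
    "type=USER_AVC msg=audit(1608759091.934:1799): pid=324 uid=108 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  "
    "denied  { 0x2 } for msgtype=error "
    "error_name=org.freedesktop.DBus.Error.FileNotFound dest=:1.18 spid=2642 "
    "tpid=2706 scontext=system_u:system_r:systemd_machined_t:s0 "
    "tcontext=bofh:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=(null) permissive=0 "
    "exe=\"/usr/bin/dbus-daemon\" sauid=108 hostname=? addr=? "
    "terminal=?'UID=\"messagebus\" AUID=\"unset\" SAUID=\"messagebus\""
)

# refpolicy declares `class dbus { acquire_svc send_msg }`, so the raw bitmask
# dbus-daemon logs maps onto these two permissions in declaration order.
DBUS_PERMS = {0x1: "acquire_svc", 0x2: "send_msg"}


def parse_user_avc(line):
    """Return the fields of a dbus-daemon USER_AVC line as a dict, or None."""
    if not line.startswith("type=USER_AVC"):
        return None
    m = re.search(r"msg='avc:\s+(denied|granted)\s+\{\s*([^}]*)\}\s+for\s+(.*?)'", line)
    if not m:
        return None
    fields = {"result": m.group(1)}
    perms = []
    for tok in m.group(2).split():
        if tok.startswith("0x"):  # raw bitmask, as dbus-daemon logs it
            bits = int(tok, 16)
            perms += [name for bit, name in DBUS_PERMS.items() if bits & bit]
        else:                      # already a permission name
            perms.append(tok)
    fields["perms"] = perms
    # Remaining key=value pairs; quoted values (exe="...") keep their spaces.
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3)):
        fields[key] = val.strip('"')
    return fields


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def suggest_rule(fields):
    """Derive the allow rule a denial implies; note source is the replying peer."""
    if fields is None or fields["result"] != "denied":
        return None
    return "allow %s %s:dbus %s;" % (
        type_of(fields["scontext"]), type_of(fields["tcontext"]), " ".join(fields["perms"]))
```

Whether that rule should actually be granted is a separate policy decision; the parser only makes explicit what the opaque `{ 0x2 }` denial means.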


