On Wed, Dec 11, 2019 at 02:44:23PM +0100, Dominick Grift wrote:
> It stopped too early, exposing a bug in sudo selinux_restore_tty():
>
> SELINUX_ERR op=setxattr invalid_context="wheel.id:wheel.role:users.terminals.pty.pty_file:SystemLow"
> avc: denied { mac_admin } for pid=859 comm="sudo" capability=33 scontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tcontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tclass=capability2 permissive=0
>
> If we want to be able to reference human readable contexts in SELinuxContext= and nspawn -Z and -L then we need mcstrans ASAP
Unfortunately it does not quite seem to address this challenge, at least currently, but still
I think systemd would need to refresh its label cache when mcstrans is started, as per systemd v245 that should be a little less painful than it is today
Something like a: ExecStartPost=/bin/systemctl daemon-reload would do that then
>
> v2: stop late, but do stop
> Signed-off-by: Dominick Grift <dac.override@xxxxxxxxx>
> ---
> mcstrans/src/mcstrans.service | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/mcstrans/src/mcstrans.service b/mcstrans/src/mcstrans.service
> index 09529432..c13cd09a 100644
> --- a/mcstrans/src/mcstrans.service
> +++ b/mcstrans/src/mcstrans.service
> @@ -2,6 +2,9 @@
> Description=Translates SELinux MCS/MLS labels to human readable form
> Documentation=man:mcstransd(8)
> ConditionSecurity=selinux
> +DefaultDependencies=no
> +Before=shutdown.target sysinit.target
> +Conflicts=shutdown.target
>
> [Service]
> ExecStart=/sbin/mcstransd -f
> --
> 2.24.0
>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
Attachment:
signature.asc
Description: PGP signature
