On 12/12/19 9:24 AM, Dominick Grift wrote:
On Thu, Dec 12, 2019 at 08:45:29AM -0500, Stephen Smalley wrote:
On 12/11/19 9:21 AM, Dominick Grift wrote:
On Wed, Dec 11, 2019 at 02:44:23PM +0100, Dominick Grift wrote:
It stopped too early, exposing a bug in sudo selinux_restore_tty():
SELINUX_ERR op=setxattr invalid_context="wheel.id:wheel.role:users.terminals.pty.pty_file:SystemLow"
avc: denied { mac_admin } for pid=859 comm="sudo" capability=33 scontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tcontext=wheel.id:wheel.role:sudo.wheel.subj:s0 tclass=capability2 permissive=0
If we want to be able to reference human-readable contexts in SELinuxContext= and nspawn -Z and -L, then we need mcstrans ASAP
Unfortunately it does not quite seem to address this challenge, at least currently, but still
I think systemd would need to refresh its label cache when mcstrans is started; as per systemd v245 that should be a little less painful than it is today
Something like a: ExecStartPost=/bin/systemctl daemon-reload would do that then
I'm a little unclear on where the bug lies - you show a sudo denial, but
refer to systemd as the culprit?
The sudo bug is fixed here: https://github.com/sudo-project/sudo/commit/718e6997fcaae6ea065ce74d08dd4aae5917df5e
If we don't care about being able to use translated contexts in systemd unit
files or options, it could always use the _raw interfaces to ensure that it
is always dealing with the raw kernel contexts. The translated contexts are
mostly for display purposes for MLS labels/policies.
The thing with systemd is that since systemd runs before mcstrans is started it doesn't use mcstrans.
So if you try to reference translated contexts using systemd then it will refuse.
Running a systemctl daemon-reexec after mcstrans is started fixes that issue but that is not really an option.
I am wondering what causes this behavior; I suppose this is some libselinux thing.
Yes, libselinux checks for the existence of the mcstrans socket exactly
once on the first attempted translation, and if it does not exist at
that time, it never tries again. That is to avoid overhead on systems
that are not running mcstrans, which is the majority of systems.
mcstrans is only really needed for MLS policies and those are a minority
of SELinux systems.
Regardless of all the above though, I think it makes sense for mcstrans to start early and stop late.
Perhaps; I'll defer to the distro maintainers on that. I don't really
recommend using mcstrans unless you truly need it.
v2: stop late, but do stop
Signed-off-by: Dominick Grift <dac.override@xxxxxxxxx>
---
mcstrans/src/mcstrans.service | 3 +++
1 file changed, 3 insertions(+)
diff --git a/mcstrans/src/mcstrans.service b/mcstrans/src/mcstrans.service
index 09529432..c13cd09a 100644
--- a/mcstrans/src/mcstrans.service
+++ b/mcstrans/src/mcstrans.service
@@ -2,6 +2,9 @@
Description=Translates SELinux MCS/MLS labels to human readable form
Documentation=man:mcstransd(8)
ConditionSecurity=selinux
+DefaultDependencies=no
+Before=shutdown.target sysinit.target
+Conflicts=shutdown.target
[Service]
ExecStart=/sbin/mcstransd -f
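Review bot: Before=sysinit.target in this hunk is an ordering constraint only, not a dependency, and the hunk shows nothing that pulls the unit into the early-boot transaction (the [Install] section is outside the hunk). Since the stated goal is to have mcstransd running before the first translation attempt (libselinux checks for the socket exactly once, as discussed above), please confirm that the unit is wanted by an early target, for example WantedBy=sysinit.target in [Install], or add a Wants= from an appropriate early unit; otherwise the ordering is satisfied trivially and the daemon may still come up after systemd has cached a negative result. Also note that DefaultDependencies=no drops the implicit After=sysinit.target and Requires=sysinit.target, so the unit now carries no After= at all; if mcstransd is known to depend on anything beyond the root filesystem and a loaded policy, an explicit After= for it should be added here. The Conflicts=shutdown.target plus Before=shutdown.target pair is the standard idiom for "stop late, but do stop" and looks correct.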
--
2.24.0