On Mon, Mar 20, 2023 at 2:19 PM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
>
> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>
> > On Mon, Mar 20, 2023 at 1:53 PM Stephen Smalley
> > <stephen.smalley.work@xxxxxxxxx> wrote:
> >>
> >> On Mon, Mar 20, 2023 at 1:28 PM Stephen Smalley
> >> <stephen.smalley.work@xxxxxxxxx> wrote:
> >> > Hmm...that's interesting. I just tried in Fedora using one of the
> >> > type_transitions already defined in the default policy and although it
> >> > appears to use the type_transition to compute the new SID for the
> >> > create check, ls -Z of the file after creation showed it labeled
> >> > cgroup_t instead. So it doesn't appear to be working or I am doing it
> >> > wrong.
> >>
> >> Reproducer, on F34,
> >> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
> >> mkdir: cannot create directory
> >> ‘/sys/fs/cgroup/system.slice/.snapshots’: Permission denied
> >> $ sudo ausearch -m AVC -ts recent -i
> >> ----
> >> type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc: denied {
> >> associate } for pid=152325 comm=mkdir name=.snapshots
> >> scontext=unconfined_u:object_r:snapperd_data_t:s0
> >> tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
> >> $ seinfo --fs_use | grep cgroup
> >> $ seinfo --genfscon | grep cgroup
> >> genfscon cgroup / system_u:object_r:cgroup_t:s0
> >> genfscon cgroup2 / system_u:object_r:cgroup_t:s0
> >> $ sesearch -T -s unconfined_t -t cgroup_t -c dir
> >> type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots
> >> $ sudo setenforce 0
> >> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
> >> $ ls -Zd /sys/fs/cgroup/system.slice/.snapshots
> >> system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/.snapshots
> >
> > Unless systemd is coming along after file creation and relabeling it
> > to cgroup_t at that time.
>
> That wouldn't make sense to me, but yes I considered that as well. Ruled
> it out without actually confirming it.
>
> I actually added a rule:
>
> auditallow domain cgroup_t:dir create;
>
> and that also does not show grants for all the dirs in /sys/fs/cgroup
> (just some)
>
> voodoo

It wouldn't be create but rather relabelto permission (if systemd is relabeling the file after the kernel creates it).
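As an added example (not part of the thread, and not the refpolicy or kernel's own code): a small Python parser for `ausearch -i` AVC records like the ones above. It pulls out the verdict, permissions, source/target types and class, derives the TE rule that would permit the access, and reads an `associate` denial on the `filesystem` class the way the reproducer requires, where the source type is the label the new file would get from the type_transition rather than the creating process. Both records are constructed: the first copies the denial in the reproducer, the second is a granted record of the kind the `auditallow ... :dir create;` rule would emit.

```python
import re

# Constructed sample records in `ausearch -i` output format: the "associate"
# denial from the reproducer, plus a granted record as an auditallow would log.
SAMPLE_RECORDS = [
    "type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc: denied { associate } "
    "for pid=152325 comm=mkdir name=.snapshots "
    "scontext=unconfined_u:object_r:snapperd_data_t:s0 "
    "tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0",
    "type=AVC msg=audit(03/20/2023 13:05:10.123:47201) : avc: granted { create } "
    "for pid=152400 comm=systemd name=memory.events "
    "scontext=system_u:system_r:init_t:s0 "
    "tcontext=system_u:object_r:cgroup_t:s0 tclass=dir",
]

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?\bscontext=(?P<scontext>\S+)"
    r".*?\btcontext=(?P<tcontext>\S+)"
    r".*?\btclass=(?P<tclass>\S+)"
)


def parse_avc(line):
    """Return the interesting fields of one AVC record, or None if not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["perms"] = rec["perms"].split()
    # Contexts are user:role:type[:range]; the type is the third field.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def allow_rule(rec):
    """The TE rule that would permit the access recorded in `rec`."""
    return "allow %s %s:%s { %s };" % (
        rec["stype"], rec["ttype"], rec["tclass"], " ".join(rec["perms"]))


def explain(rec):
    # For filesystem:associate the source is the *file's* (would-be) label,
    # so the denial says that label may not live on this filesystem's label.
    if rec["tclass"] == "filesystem" and "associate" in rec["perms"]:
        return "files of type %s may not be created on a filesystem labeled %s" % (
            rec["stype"], rec["ttype"])
    return "%s %s on %s:%s" % (
        rec["verdict"], " ".join(rec["perms"]), rec["ttype"], rec["tclass"])
```

Run `explain(parse_avc(line))` over `ausearch -m AVC -i` output to separate `create` grants from any later `relabelto` by systemd, which this parser reports as a distinct record.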