Re: cgroup2 labeling question

Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:

> On Mon, Mar 20, 2023 at 2:19 PM Dominick Grift
> <dominick.grift@xxxxxxxxxxx> wrote:
>>
>> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>>
>> > On Mon, Mar 20, 2023 at 1:53 PM Stephen Smalley
>> > <stephen.smalley.work@xxxxxxxxx> wrote:
>> >>
>> >> On Mon, Mar 20, 2023 at 1:28 PM Stephen Smalley
>> >> <stephen.smalley.work@xxxxxxxxx> wrote:
>> >> > Hmm...that's interesting. I just tried in Fedora using one of the
>> >> > type_transitions already defined in the default policy and although it
>> >> > appears to use the type_transition to compute the new SID for the
>> >> > create check, ls -Z of the file after creation showed it labeled
>> >> > cgroup_t instead. So it doesn't appear to be working or I am doing it
>> >> > wrong.
>> >>
>> >> Reproducer, on F34,
>> >> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
>> >> mkdir: cannot create directory
>> >> ‘/sys/fs/cgroup/system.slice/.snapshots’: Permission denied
>> >> $ sudo ausearch -m AVC -ts recent -i
>> >> ----
>> >> type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc:  denied  {
>> >> associate } for  pid=152325 comm=mkdir name=.snapshots
>> >> scontext=unconfined_u:object_r:snapperd_data_t:s0
>> >> tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
>> >> $ seinfo --fs_use | grep cgroup
>> >> $ seinfo --genfscon | grep cgroup
>> >>    genfscon cgroup /  system_u:object_r:cgroup_t:s0
>> >>    genfscon cgroup2 /  system_u:object_r:cgroup_t:s0
>> >> $ sesearch -T -s unconfined_t -t cgroup_t -c dir
>> >> type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots
>> >> $ sudo setenforce 0
>> >> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
>> >> $ ls -Zd /sys/fs/cgroup/system.slice/.snapshots
>> >> system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/.snapshots
>> >
>> > Unless systemd is coming along after file creation and relabeling it
>> > to cgroup_t at that time.
>>
>> That wouldn't make sense to me, but yes I considered that as well. Ruled
>> it out without actually confirming it. I actually added a rule:
>>
>> auditallow domain cgroup_t:dir create;
>>
>> and that also does not show grants for all the dirs in /sys/fs/cgroup
>> (just some)
>>
>> voodoo
>
> It wouldn't be create but rather relabelto permission (if systemd is
> relabeling the file after the kernel creates it).

Yes I know but I didn't add it to audit relabelto, I added it to audit
the create since the dirs are created there in the first place (I guess).

Even though I doubt that a relabel resets it - I will try it out just to
confirm. Something does not add up.

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
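An added triage script (my own, not from the thread nor from setools or audit2allow) that replays the reproducer quoted above on its captured output: it applies the type_transition to get the type the create check used, shows that the `associate` denial is raised against that computed type, derives the allow rule audit2allow would print, records that cgroup2 is genfscon-labeled with no fs_use entry, and compares with what `ls -Zd` showed. The input strings are constructed copies of the quoted output and every function name is mine.

```python
import re
# Constructed sample input, trimmed copies of the reproducer output quoted in this thread.
AVC = ("avc:  denied  { associate } for  pid=152325 comm=mkdir name=.snapshots "
       "scontext=unconfined_u:object_r:snapperd_data_t:s0 "
       "tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0")
TYPE_TRANSITIONS = ["type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots"]
GENFSCON = ["genfscon cgroup / system_u:object_r:cgroup_t:s0",
            "genfscon cgroup2 / system_u:object_r:cgroup_t:s0"]
FS_USE = []                                  # `seinfo --fs_use | grep cgroup` printed nothing
OBSERVED = "system_u:object_r:cgroup_t:s0"   # ls -Zd after the permissive mkdir
AVC_RE = re.compile(r"denied\s+\{\s*([^}]+?)\s*\}.*?scontext=(\S+)\s+tcontext=(\S+)\s+tclass=(\S+)")

def parse_avc(line):
    """Permission set, source/target types and object class of one AVC record."""
    perms, scon, tcon, tclass = AVC_RE.search(line).groups()
    return {"perms": perms.split(), "stype": scon.split(":")[2],
            "ttype": tcon.split(":")[2], "tclass": tclass}

def expected_type(rules, stype, ttype, tclass, name):
    """Type the kernel computes for a new object: a name-based type_transition
    beats a plain one; with no match the object inherits the parent's type."""
    best = ttype
    for r in rules:
        parts = r.rstrip(";").split()
        obj = parts[4].strip('"') if len(parts) > 4 else None
        if parts[1] == stype and parts[2] == f"{ttype}:{tclass}":
            if obj == name:
                return parts[3]                  # name-based match wins outright
            if obj is None:
                best = parts[3]
    return best

def allow_rule(avc):
    """The allow rule audit2allow would derive from this denial."""
    return f"allow {avc['stype']} {avc['ttype']}:{avc['tclass']} {{ {' '.join(avc['perms'])} }};"

def labeling_method(fstype, genfscon, fs_use):
    """fs_use_* statements take precedence over genfscon for a filesystem type."""
    if any(l.split()[1] == fstype for l in fs_use):
        return "fs_use"
    return "genfscon" if any(l.split()[1] == fstype for l in genfscon) else "unlabeled"

def triage():
    """Associate is checked against the computed type, yet the created dir carries the fs type."""
    avc = parse_avc(AVC)
    new = expected_type(TYPE_TRANSITIONS, "unconfined_t", "cgroup_t", "dir", ".snapshots")
    return {"computed_new_type": new, "denial_is_on_new_type": avc["stype"] == new,
            "missing_rule": allow_rule(avc),
            "cgroup2_labeling": labeling_method("cgroup2", GENFSCON, FS_USE),
            "label_persisted": OBSERVED.split(":")[2] == new}
```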



