Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:

> On Mon, Mar 20, 2023 at 2:19 PM Dominick Grift
> <dominick.grift@xxxxxxxxxxx> wrote:
>>
>> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>>
>> > On Mon, Mar 20, 2023 at 1:53 PM Stephen Smalley
>> > <stephen.smalley.work@xxxxxxxxx> wrote:
>> >>
>> >> On Mon, Mar 20, 2023 at 1:28 PM Stephen Smalley
>> >> <stephen.smalley.work@xxxxxxxxx> wrote:
>> >> > Hmm...that's interesting. I just tried in Fedora using one of the
>> >> > type_transitions already defined in the default policy and although it
>> >> > appears to use the type_transition to compute the new SID for the
>> >> > create check, ls -Z of the file after creation showed it labeled
>> >> > cgroup_t instead. So it doesn't appear to be working or I am doing it
>> >> > wrong.
>> >>
>> >> Reproducer, on F34,
>> >> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
>> >> mkdir: cannot create directory
>> >> ‘/sys/fs/cgroup/system.slice/.snapshots’: Permission denied
>> >> $ sudo ausearch -m AVC -ts recent -i
>> >> ----
>> >> type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc: denied {
>> >> associate } for pid=152325 comm=mkdir name=.snapshots
>> >> scontext=unconfined_u:object_r:snapperd_data_t:s0
>> >> tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0
>> >> $ seinfo --fs_use | grep cgroup
>> >> $ seinfo --genfscon | grep cgroup
>> >> genfscon cgroup / system_u:object_r:cgroup_t:s0
>> >> genfscon cgroup2 / system_u:object_r:cgroup_t:s0
>> >> $ sesearch -T -s unconfined_t -t cgroup_t -c dir
>> >> type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots
>> >> $ sudo setenforce 0
>> >> $ sudo mkdir /sys/fs/cgroup/system.slice/.snapshots
>> >> $ ls -Zd /sys/fs/cgroup/system.slice/.snapshots
>> >> system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/.snapshots
>> >
>> > Unless systemd is coming along after file creation and relabeling it
>> > to cgroup_t at that time.
>>
>> That wouldn't make sense to me, but yes I considered that as well. Ruled
>> it out without actually confirming it. I actually added a rule:
>>
>> auditallow domain cgroup_t:dir create;
>>
>> and that also does not show grants for all the dirs in /sys/fs/cgroup
>> (just some)
>>
>> voodoo
>
> It wouldn't be create but rather relabelto permission (if systemd is
> relabeling the file after the kernel creates it).

Yes I know but I didn't add it to audit relabelto, I added it to audit
the create since the dirs are created there in the first place (I guess).

Even though I doubt that a relabel resets it - I will try it out just to
confirm. Something does not add up.

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
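A small diagnostic for the reproducer quoted above, added here as an example and not part of the thread or of any SELinux tool: it parses the `ausearch -i` AVC record and the `sesearch -T` rule, and ties the `filesystem { associate }` denial to the type the name-based type_transition computed for the new directory. The two input lines are copied from the thread and embedded inline so the script runs offline; the function names are my own.

```python
import re

# Input lines constructed inline from the reproducer in the thread (no audit access needed).
AVC_LINE = ("type=AVC msg=audit(03/20/2023 13:00:04.699:47156) : avc: denied "
            "{ associate } for pid=152325 comm=mkdir name=.snapshots "
            "scontext=unconfined_u:object_r:snapperd_data_t:s0 "
            "tcontext=system_u:object_r:cgroup_t:s0 tclass=filesystem permissive=0")
TT_LINE = "type_transition unconfined_t cgroup_t:dir snapperd_data_t .snapshots"

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")
# sesearch may quote the object name and end the rule with ';'; both are optional here.
TT_RE = re.compile(
    r"type_transition\s+(?P<src>\S+)\s+(?P<tgt>\S+):(?P<cls>\S+)\s+(?P<new>[^\s;]+)"
    r'(?:\s+"?(?P<name>[^\s;"]+)"?)?')

def ctx_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]

def parse_avc(line):
    """Permissions, source/target types, class and object name from an AVC record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    name = re.search(r"\bname=(\S+)", line)
    return {"perms": m.group("perms").split(),
            "stype": ctx_type(m.group("scontext")),
            "ttype": ctx_type(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "name": name.group(1) if name else None}

def parse_type_transition(line):
    """Parse one sesearch -T rule, including the optional object name."""
    m = TT_RE.match(line.strip())
    return m.groupdict() if m else None

def explain_associate_denial(avc, tt):
    """For a filesystem:associate denial, the source context is the new object's
    computed label and the target is the filesystem's label (cgroup_t via genfscon)."""
    if avc["tclass"] != "filesystem" or "associate" not in avc["perms"]:
        return None
    if tt["new"] != avc["stype"]:
        return None
    if tt.get("name") and avc.get("name") and tt["name"] != avc["name"]:
        return None
    return ("create of %s:%s by %s used type_transition result %s; %s lacks "
            "filesystem associate on %s, so the create was denied"
            % (tt["tgt"], tt["cls"], tt["src"], tt["new"], avc["stype"], avc["ttype"]))

if __name__ == "__main__":
    print(explain_associate_denial(parse_avc(AVC_LINE), parse_type_transition(TT_LINE)))
```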