On Thu, Mar 23, 2023 at 9:55 AM Matthew Sheets <masheets@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On 3/22/2023 10:27 AM, Stephen Smalley wrote:
> > On Wed, Mar 22, 2023 at 1:07 PM Matthew Sheets
> > <masheets@xxxxxxxxxxxxxxxxxxx> wrote:
> >> I helped the author of the initial PR that started this discussion. We
> >> knew we needed a new unique label and I suggested that we try a named
> >> file trans pattern from init_t just to see if it works, and it seemed to
> >> right out of the gates. We didn't need to flip any other switches on
> >> our test environment.
> >>
> >> Here is an example of an AVC we are seeing:
> >> AVC avc: denied { getattr } for pid=5953 comm="systemd"
> >> path="/sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service/memory.pressure"
> >> dev="cgroup2" ino=27721 scontext=unconfined_u:unconfined_r:unconfined_t
> >> tcontext=system_u:object_r:memory_pressure_t tclass=file permissive=0
> >>
> >> I do fear there is something different from the other folks that have
> >> tested this and our setup, since our setup is fairly bespoke compared to
> >> your standard Linux distro. But off the top of my head I don't know any
> >> special setting we would have in place to make this work.
> >
> > Questions:
> > - Did systemd or some other userspace process first set the context of
> >   /sys/fs/cgroup/user.slice/user-1000.slice/user@1000.service
> >   explicitly?
> > - Could you post the exact type_transition rule(s) from your policy,
> >   e.g. sesearch -T -s unconfined_t -D memory_pressure_t?
> > - Does ls -Z of the file also report that context?
> > - Kernel version?
>
> 1. We believe it is systemd. At the very least it's nothing we are
>    directly doing.
> 2. type_transition init_t cgroup_t:file memory_pressure_t memory.pressure;
>    In the above example unconfined_t was just trying to access it but
>    we have the trans coming from init_t
> 3. Yes ls -Z shows the proper context as well.
> 4. For this specific test it was 5.10.154 but we have 5.10.x in some
>    of our other testing environments.

So if I add that type_transition to Fedora policy and reboot, some of the
memory.pressure files are labeled memory_pressure_t while others are
labeled cgroup_t, as shown below. I'm guessing this has to do with what
process was current when the file was created (or some files created
before policy load), but not sure.

$ sudo find /sys/fs/cgroup -name memory.pressure -exec ls -Z {} \;
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/sys-fs-fuse-connections.mount/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/sys-kernel-config.mount/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/sys-kernel-debug.mount/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/dev-mqueue.mount/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/user.slice/user-982.slice/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/user.slice/user-982.slice/session-c1.scope/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/user.slice/user-982.slice/user@982.service/memory.pressure
unconfined_u:object_r:cgroup_t:s0 /sys/fs/cgroup/user.slice/user-982.slice/user@982.service/app.slice/memory.pressure
unconfined_u:object_r:cgroup_t:s0 /sys/fs/cgroup/user.slice/user-982.slice/user@982.service/app.slice/dbus.socket/memory.pressure
unconfined_u:object_r:cgroup_t:s0 /sys/fs/cgroup/user.slice/user-982.slice/user@982.service/init.scope/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/user.slice/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/user.slice/user-0.slice/session-2.scope/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/user.slice/user-0.slice/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/user.slice/user-0.slice/user@0.service/memory.pressure
unconfined_u:object_r:cgroup_t:s0 /sys/fs/cgroup/user.slice/user-0.slice/user@0.service/app.slice/memory.pressure
unconfined_u:object_r:cgroup_t:s0 /sys/fs/cgroup/user.slice/user-0.slice/user@0.service/app.slice/dbus.socket/memory.pressure
unconfined_u:object_r:cgroup_t:s0 /sys/fs/cgroup/user.slice/user-0.slice/user@0.service/init.scope/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/sys-kernel-tracing.mount/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/init.scope/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/irqbalance.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/abrt-journal-core.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/mcafee.ma.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/sysroot.mount/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/nessusagent.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/systemd-udevd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/systemd-udevd.service/udev/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/dbus-broker.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/systemd-homed.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/oddjobd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/boot.mount/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/vgauthd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/cockpit.socket/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/polkit.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/chronyd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/auditd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/memory.pressure
system_u:object_r:cgroup_t:s0 '/sys/fs/cgroup/system.slice/system-sshd\x2dkeygen.slice/memory.pressure'
system_u:object_r:cgroup_t:s0 '/sys/fs/cgroup/system.slice/system-dbus\x2d:1.3\x2dorg.fedoraproject.SetroubleshootPrivileged.slice/memory.pressure'
system_u:object_r:cgroup_t:s0 '/sys/fs/cgroup/system.slice/system-dbus\x2d:1.3\x2dorg.fedoraproject.SetroubleshootPrivileged.slice/dbus-:1.3-org.fedoraproject.SetroubleshootPrivileged@1.service/memory.pressure'
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/dev-zram0.swap/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/abrt-xorg.service/memory.pressure
system_u:object_r:cgroup_t:s0 '/sys/fs/cgroup/system.slice/system-systemd\x2dzram\x2dsetup.slice/memory.pressure'
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/system-modprobe.slice/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/libvirtd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/ModemManager.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/systemd-journald.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/atd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/sshd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/crond.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/NetworkManager.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/systemd-machined.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/gssproxy.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/rpc-gssd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/rsyslog.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/abrtd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/tmp.mount/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/firewalld.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/systemd-userdbd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/setroubleshootd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/vmtoolsd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/sssd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/cups.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/systemd-oomd.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/mcelog.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/systemd-resolved.service/memory.pressure
system_u:object_r:cgroup_t:s0 '/sys/fs/cgroup/system.slice/system-lvm2\x2dpvscan.slice/memory.pressure'
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/system-getty.slice/getty@tty1.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/system-getty.slice/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/avahi-daemon.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/systemd-logind.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/abrt-oops.service/memory.pressure
system_u:object_r:cgroup_t:s0 /sys/fs/cgroup/system.slice/var-lib-nfs-rpc_pipefs.mount/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/machine.slice/memory.pressure
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/dev-hugepages.mount/memory.pressure
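As an added illustration (not code from the thread or from the SELinux project), a small Python model of how a named-file type_transition rule decides a new file's type depending on the creating domain, plus a parser that flags which entries of an `ls -Z` listing like the one above did not receive the intended type. The rule is the one quoted in the thread; the listing lines are constructed samples and the helper names are hypothetical.

```python
import re

# Hypothetical helpers; the policy rule below is the one quoted in the thread.
TT_RULE = re.compile(
    r'^type_transition\s+(\w+)\s+(\w+):(\w+)\s+(\w+)(?:\s+"?([^\s";]+)"?)?\s*;$')

def parse_type_transition(line):
    """Turn a sesearch-style rule into ((src, parent_type, class, name), result).
    name is None for an unnamed rule; quoted and unquoted filenames both parse."""
    m = TT_RULE.match(line.strip())
    if not m:
        raise ValueError("not a type_transition rule: " + line)
    src, parent, cls, result, name = m.groups()
    return (src, parent, cls, name), result

RULES = dict([parse_type_transition(
    "type_transition init_t cgroup_t:file memory_pressure_t memory.pressure;")])

def created_type(creator, parent_type, tclass, name, rules=RULES):
    """Type a newly created file gets: a rule matching the filename wins, then an
    unnamed rule for the same (creator, parent, class), else the parent's type.
    So only files created while init_t is current get memory_pressure_t here."""
    for key in ((creator, parent_type, tclass, name),
                (creator, parent_type, tclass, None)):
        if key in rules:
            return rules[key]
    return parent_type

# One "ls -Z" line: context, whitespace, path (possibly single-quoted by ls).
LS_Z = re.compile(r"^[^:\s]+:[^:\s]+:(?P<type>\w+):\S+\s+'?(?P<path>[^']+)'?$")

def parse_ls_z(text):
    """Map path -> SELinux type for every parseable line of ls -Z output."""
    labels = {}
    for line in text.strip().splitlines():
        m = LS_Z.match(line.strip())
        if m:
            labels[m.group("path")] = m.group("type")
    return labels

def unexpected(labels, wanted="memory_pressure_t"):
    """Paths whose type differs from the one the policy intends, sorted."""
    return sorted(p for p, t in labels.items() if t != wanted)

# Constructed sample lines modelled on the listing in the thread.
SAMPLE = r"""
system_u:object_r:memory_pressure_t:s0 /sys/fs/cgroup/user.slice/user-982.slice/user@982.service/memory.pressure
unconfined_u:object_r:cgroup_t:s0 /sys/fs/cgroup/user.slice/user-982.slice/user@982.service/app.slice/memory.pressure
system_u:object_r:cgroup_t:s0 '/sys/fs/cgroup/system.slice/system-sshd\x2dkeygen.slice/memory.pressure'
"""

if __name__ == "__main__":
    for p in unexpected(parse_ls_z(SAMPLE)):
        print("not memory_pressure_t:", p)
    print(created_type("unconfined_t", "cgroup_t", "file", "memory.pressure"))
```

Run against real output of `find /sys/fs/cgroup -name memory.pressure -exec ls -Z {} \;` instead of SAMPLE to list the files that kept cgroup_t.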