
Label /sys before selinux-autorelabel units run (bsc#1232709) #37

Merged
merged 1 commit on Nov 14, 2024

Conversation

ca-hu
Contributor

@ca-hu ca-hu commented Nov 13, 2024

No description provided.

@ca-hu
Contributor Author

ca-hu commented Nov 14, 2024

What I was wondering is whether it makes sense to only execute the SELinux config file:

# SYSTEMD_LOG_LEVEL=debug systemd-tmpfiles --dry-run  --create --boot selinux-policy.conf  
Looking for configuration files in (higher priority first):
	/etc/tmpfiles.d
	/run/tmpfiles.d
	/usr/local/lib/tmpfiles.d
	/usr/lib/tmpfiles.d
Successfully loaded SELinux database in 4.357ms, size on heap is 10469K.
Reading config file "/usr/lib/tmpfiles.d/selinux-policy.conf"…
Running create action for entry z /sys/devices/system/cpu/online
Running create action for entry Z /sys/class/net
Running create action for entry z /sys/kernel/uevent_helper

What do you think?

@Vogtinator
Member

I don't really mind either way, it won't make a difference in practice I think.

One benefit of using --prefix=/sys is that it does not have to hardcode the filename from the selinux-policy package.

@Vogtinator
Member

/usr/lib/tmpfiles.d/tpm2-tss-fapi.conf also touches /sys, but might not be relevant during early boot:

#Type   Path                                           Mode User Group Age         Argument
d       /var/lib/tpm2-tss/system/keystore   2775 tss  tss   -           -
a+      /var/lib/tpm2-tss/system/keystore   -    -    -     -           default:group:tss:rwx
d       /run/tpm2-tss/eventlog                2775 tss  tss   -           -
a+      /run/tpm2-tss/eventlog                -    -    -     -           default:group:tss:rwx
z-      /sys/kernel/security/tpm[0-9]/binary_bios_measurements  0440  root tss  -           -
z-      /sys/kernel/security/ima/binary_runtime_measurements    0440  root tss  -           -
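The two options discussed above differ only in which installed entries get applied: naming selinux-policy.conf reads that one file, while `--prefix=/sys` reads every tmpfiles.d file but keeps only entries under /sys (which also pulls in the two `z-` lines from tpm2-tss-fapi.conf). The script below is an added example, not code from this PR or from systemd: it models tmpfiles entry selection over the two configs quoted in the thread and parses the AVC record later quoted in the commit message, to check whether each option would have labeled the path restorecon was denied on. The parser and the `--prefix`/`--boot` selection are a simplified reimplementation of the rules in tmpfiles.d(5) and systemd-tmpfiles(8), not the real code; the full path /sys/devices/system/cpu/online behind name="online" is taken from the dry run above, since the AVC line itself only carries the basename.

```python
"""Model of systemd-tmpfiles --create entry selection (added example, not
systemd's or the PR's code) applied to the configs quoted in the thread."""
import fnmatch
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input transcribed from ca-hu's dry run (constructed here as text).
SELINUX_POLICY_CONF = """\
z /sys/devices/system/cpu/online
Z /sys/class/net
z /sys/kernel/uevent_helper
"""

# Sample input transcribed from the tpm2-tss-fapi.conf quoted by Vogtinator.
TPM2_TSS_FAPI_CONF = """\
#Type   Path                                           Mode User Group Age         Argument
d       /var/lib/tpm2-tss/system/keystore   2775 tss  tss   -           -
a+      /var/lib/tpm2-tss/system/keystore   -    -    -     -           default:group:tss:rwx
d       /run/tpm2-tss/eventlog                2775 tss  tss   -           -
a+      /run/tpm2-tss/eventlog                -    -    -     -           default:group:tss:rwx
z-      /sys/kernel/security/tpm[0-9]/binary_bios_measurements  0440  root tss  -           -
z-      /sys/kernel/security/ima/binary_runtime_measurements    0440  root tss  -           -
"""

# The AVC record from the commit message (kernel: prefix dropped).
AVC_LINE = ('audit: type=1400 audit(1730362757.524:6): avc:  denied  { read } for  '
            'pid=1753 comm="restorecon" name="online" dev="sysfs" ino=45 '
            'scontext=system_u:system_r:setfiles_t:s0 '
            'tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0')


@dataclass(frozen=True)
class Entry:
    kind: str                # base type letter: z, Z, d, a, ...
    flags: str               # suffix characters such as "-", "!", "+"
    path: str
    mode: Optional[str]
    user: Optional[str]
    group: Optional[str]
    argument: Optional[str]
    source: str              # config file the entry came from


def _opt(field: Optional[str]) -> Optional[str]:
    return None if field in (None, "-") else field


def parse_tmpfiles(text: str, source: str) -> List[Entry]:
    """Parse tmpfiles.d lines: Type Path Mode User Group Age Argument.
    Argument is the remainder of the line; missing trailing fields are unset."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        typ, path, mode, user, group, _age, arg = (line.split(None, 6) + [None] * 7)[:7]
        entries.append(Entry(typ[0], typ[1:], path, _opt(mode), _opt(user),
                             _opt(group), _opt(arg), source))
    return entries


def select_for_create(entries: List[Entry], boot: bool,
                      prefix: Optional[str] = None) -> List[Entry]:
    """Keep the entries --create would act on: '!' lines need --boot, and
    --prefix=P keeps only paths under P (compared before glob expansion)."""
    kept = []
    for e in entries:
        if "!" in e.flags and not boot:
            continue
        if prefix is not None:
            p = prefix.rstrip("/")
            if not (e.path == p or e.path.startswith(p + "/")):
                continue
        kept.append(e)
    return kept


def labels_path(e: Entry, path: str) -> bool:
    """Would this entry relabel `path`?  'z' matches the (glob) path itself,
    'Z' also matches everything underneath it."""
    if e.kind not in ("z", "Z"):
        return False
    if fnmatch.fnmatchcase(path, e.path):
        return True
    if e.kind == "Z":   # any ancestor directory matching the entry's glob
        return any(fnmatch.fnmatchcase(path[:i], e.path)
                   for i, ch in enumerate(path) if ch == "/" and i > 0)
    return False


AVC_RE = re.compile(r'avc:\s+(?P<result>\w+)\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
                    r'comm="(?P<comm>[^"]*)".*?name="(?P<name>[^"]*)".*?'
                    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)'
                    r'\s+tclass=(?P<tclass>\S+)')


def parse_avc(line: str) -> dict:
    """Extract the fields of an AVC denial that matter here."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC record")
    d = m.groupdict()
    d["perms"] = d["perms"].split()
    return d


def compare_options(denied_path: str) -> dict:
    """For each option from the thread: the entries it applies and whether
    the denied path is among them."""
    policy = parse_tmpfiles(SELINUX_POLICY_CONF, "selinux-policy.conf")
    tpm = parse_tmpfiles(TPM2_TSS_FAPI_CONF, "tpm2-tss-fapi.conf")
    options = {
        "selinux-policy.conf": select_for_create(policy, boot=True),
        "--prefix=/sys": select_for_create(policy + tpm, boot=True, prefix="/sys"),
    }
    return {name: {"entries": [(e.source, e.kind + e.flags, e.path) for e in sel],
                   "covers_denied": any(labels_path(e, denied_path) for e in sel)}
            for name, sel in options.items()}


if __name__ == "__main__":
    avc = parse_avc(AVC_LINE)
    denied = "/sys/devices/system/cpu/online"   # full path known from the dry run
    print(f'{avc["comm"]} ({avc["scontext"]}) denied {avc["perms"]} on '
          f'{avc["name"]} labeled {avc["tcontext"]}')
    for name, r in compare_options(denied).items():
        print(f"\n{name}: labels denied path: {r['covers_denied']}")
        for src, typ, path in r["entries"]:
            print(f"  {src:22} {typ:3} {path}")
```

Both options label the path from the denial; the difference the script makes visible is that `--prefix=/sys` also applies the two `z-` lines from tpm2-tss-fapi.conf, and that running those entries again later from the regular tmpfiles setup only repeats a relabel, which is why the double run is harmless.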

@ca-hu
Contributor Author

ca-hu commented Nov 14, 2024

Yeah, that is why I am not so sure if this should be done twice, once with our service and once with the regular tmpfiles setup... I kinda tend to the hardcoding option, but not sure.

@Vogtinator
Member

> Yeah, that is why I am not so sure if this should be done twice, once with our service and once with the regular tmpfiles setup... I kinda tend to the hardcoding option, but not sure.

That's fine, tmpfiles is meant to be idempotent.

@ca-hu ca-hu force-pushed the master-1232709 branch 2 times, most recently from 23c9ffc to 9667dda on November 14, 2024 12:02
Addresses:
Oct 31 08:19:17 localhost.localdomain kernel: audit: type=1400 audit(1730362757.524:6): avc:  denied  { read } for  pid=1753 comm="restorecon" name="online" dev="sysfs" ino=45 scontext=system_u:system_r:setfiles_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
@ca-hu ca-hu marked this pull request as ready for review November 14, 2024 12:20
@Vogtinator Vogtinator merged commit 56cc33a into openSUSE:master Nov 14, 2024
3 checks passed