commit:     f062077321cb890d203c806aa51c0e8ff3991990
Author:     Nicolas Iooss <nicolas.iooss <AT> m4x <DOT> org>
AuthorDate: Fri Dec 15 21:48:23 2017 +0000
Commit:     Sven Vermeulen <swift <AT> gentoo <DOT> org>
CommitDate: Thu Jan 18 16:31:04 2018 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=f0620773

corecommands: label systemd script directories bin_t

systemd defines in /usr/lib/systemd several directories which can
contain scripts or executable files:
- system-environment-generators/ and user-environment-generators/
  documented in
  https://www.freedesktop.org/software/systemd/man/systemd.environment-generator.html
- system-shutdown/ documented in
  https://www.freedesktop.org/software/systemd/man/systemd-halt.service.html
- system-sleep/ documented in
  https://www.freedesktop.org/software/systemd/man/systemd-suspend.service.html

Currently the content of these directories is labelled lib_t, which
causes the following AVC on Arch Linux:

    avc:  denied  { execute_no_trans } for  pid=10308 comm="systemd"
    path="/usr/lib/systemd/system-environment-generators/10-arch"
    dev="vda1" ino=543182 scontext=system_u:system_r:init_t
    tcontext=system_u:object_r:lib_t tclass=file permissive=1

For information /usr/lib/systemd/system-environment-generators/10-arch
only defines $PATH and its content is available on
https://git.archlinux.org/svntogit/packages.git/tree/trunk/env-generator?h=packages/filesystem

 policy/modules/kernel/corecommands.fc | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/policy/modules/kernel/corecommands.fc 
b/policy/modules/kernel/corecommands.fc
index 6409fcdd..9bdcb747 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -225,7 +225,11 @@ ifdef(`distro_gentoo',`
 /usr/lib/ssh(/.*)?                     gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sudo/sesh             --      
gen_context(system_u:object_r:shell_exec_t,s0)
 /usr/lib/systemd/systemd.*     --      gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-environment-generators(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/systemd/system-generators(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-shutdown(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/system-sleep(/.*)?    gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/systemd/user-environment-generators(/.*)? 
gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/systemd/user-generators(/.*)? gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/tumbler-1/tumblerd    --      gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/udev/[^/]*                    --      
gen_context(system_u:object_r:bin_t,s0)
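Review bot: the four added patterns use `(/.*)?` with no `--` file-type qualifier, so the directories themselves and anything nested under them also become bin_t rather than only the regular files in them; that is consistent with the neighbouring system-generators and user-generators entries, and bin_t is what lets init_t execute the generator without a domain transition, which is exactly the execute_no_trans denial quoted in the message. Two things worth confirming before merging: first, that these lines land outside any distro-specific `ifdef` block, since the hunk header shows `ifdef(`distro_gentoo',` only as the nearest preceding top-level line and the AVC was observed on Arch, not Gentoo; second, that the message or release notes remind users that existing installs need a relabel (e.g. `restorecon -R /usr/lib/systemd`) before the new contexts take effect, because the AVC shown was collected with permissive=1 and an enforcing system will keep blocking the generator until the files are relabelled.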
