Support systemd v246 #292
Comments
I am stuck with the same issue, currently considering a workaround by reverting systemd commit systemd/systemd@63e2d17. I do not feel switching udevadm to udev_exec_t is the correct approach.
Hans-Christian Egtvedt <notifications@github.com> writes:
> I am stuck with the same issue, currently considering a workaround by reverting systemd commit ***@***.***
>
> I do not feel switching udevadm to udev_exec_t is the correct approach.
Why do you think that?
You might have to move some rules over and add in/remove some compatibility rules, but essentially it should be the
same code. That is why they decided to merge it. it was just duplicate
code occupying space. You can add a typealias for compatibility.
This is (at least some of it) what i did in my personal policy to
address this consolidation:
https://git.defensec.nl/?p=dssp3.git;a=commitdiff;h=848385ed4a145ac2967ab9a7f1d0715ebe741fd1
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
Dominick Grift <dominick.grift@defensec.nl> writes:
Hans-Christian Egtvedt ***@***.***> writes:
> I am stuck with the same issue, currently considering a workaround by reverting systemd commit ***@***.***
>
> I do not feel switching udevadm to udev_exec_t is the correct approach.
Why do you think that?
You might have to move some rules over and add in/remove some compatibility rules, but essentially it should be the
same code. That is why they decided to merge it. it was just duplicate
code occupying space. You can add a typealias for compatibility.
This is (at least some of it) what i did in my personal policy to
address this consolidation:
https://git.defensec.nl/?p=dssp3.git;a=commitdiff;h=848385ed4a145ac2967ab9a7f1d0715ebe741fd1
and this:
https://git.defensec.nl/?p=dssp3.git;a=commitdiff;h=533ffc74b2898183c9143f7faf16d86261906d7a
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
To me, it seems that we should change udevadm to udev_exec_t and then change the old udevadm transitions to be over udev_exec_t, assuming there isn't a type transition conflict.
Ack, I was mostly concerned about two quite different programs now being merged into one type, but I guess they will have the same needs with regards to access for things to work.
I tuned my local policy file context to do And I also had to add the following policy And AFAICT things work as they should again, I see no violations and run in enforcing mode. The need for udev_t to access var_run_t:file types are due to my embedded target being a bit exotic, I think that can be ignored.
I've been testing that fix locally for a while now, and it also fixes the issue. Should we send that fix as a PR? Thanks, Maxime
There is also a patch on the mail list that is aimed at resolving this, but it doesn't have the var_run_t rule. That sounds like a mislabeled file.
Another approach is to use
Drop init_system_domain() for udevadm to break type transition conflicts. Also fix interface naming issues for udevadm interfaces.
Fixes SELinuxProject#292
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
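As an added illustration, not code from refpolicy, from the thread participants or from the linked commits, the fragment below shows in refpolicy's policy language why the commit message above talks about a type transition conflict, and how the relabel-plus-alias approach proposed earlier in the thread resolves it. The type names are the ones used in this issue; the interfaces init_daemon_domain, init_system_domain, domtrans_pattern and gen_context are refpolicy's own; example_caller_t is a hypothetical domain standing in for any domain that is allowed to run udevadm.

```selinux
# --- Before: two entrypoint types and two init transitions ---------------
# udevd and udevadm were separate binaries, each with its own exec type.
type udev_t;
type udev_exec_t;
type udevadm_t;
type udevadm_exec_t;

# Both interfaces expand (among other things) to a domain transition
# from init_t over the entrypoint file type:
#   type_transition init_t udev_exec_t:process udev_t;
#   type_transition init_t udevadm_exec_t:process udevadm_t;
init_daemon_domain(udev_t, udev_exec_t)
init_system_domain(udevadm_t, udevadm_exec_t)

# With systemd 246, /usr/lib/systemd/systemd-udevd is a symlink to
# /usr/bin/udevadm (labelled udevadm_exec_t), so init now lands in
# udevadm_t when starting udevd, and udevd runs without udev_t's rules.

# --- After: one entrypoint type, udevadm_t reachable only explicitly ------
# Keep the old name usable for policies that still reference it.
typealias udev_exec_t alias udevadm_exec_t;

# init still transitions to udev_t over udev_exec_t.
init_daemon_domain(udev_t, udev_exec_t)

# init_system_domain(udevadm_t, udevadm_exec_t) is dropped on purpose:
# once udevadm_exec_t aliases udev_exec_t it would add a second
#   type_transition init_t udev_exec_t:process ...
# with a different target, which checkpolicy rejects as a conflicting rule.

# Domains other than init that run udevadm (hypothetical example_caller_t)
# get an explicit transition to udevadm_t over the shared exec type.
domtrans_pattern(example_caller_t, udev_exec_t, udevadm_t)

# --- File context (.fc) -------------------------------------------------
# Relabel the single binary so the symlinked udevd resolves to udev_exec_t.
/usr/bin/udevadm  --  gen_context(system_u:object_r:udev_exec_t,s0)
```

After loading the rebuilt policy and running restorecon on /usr/bin/udevadm, `sesearch -T -s init_t -t udev_exec_t -c process` should list exactly one transition, to udev_t; a second entry means an init_system_domain()-style rule for udevadm is still present somewhere in the policy. The var_run_t:file rule mentioned earlier in the thread is not part of this change, in line with the comment that it points at a mislabeled file rather than a missing policy rule.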
Since version 246 of systemd, /usr/lib/systemd/systemd-udevd has become a symlink to /usr/bin/udevadm. This means that udevd is now run in the udevadm_t domain, and that breaks things.
Original labels as reference: