Bug#775613: systemd: why is /run/systemd/inhibit/1.ref inherited?

Russell Coker russell at coker.com.au
Thu Oct 1 06:59:52 BST 2015


On Thu, 1 Oct 2015 08:00:45 AM Michael Biebl wrote:
> On Sun, 18 Jan 2015 11:07:40 +1100 Russell Coker <russell at coker.com.au>
> wrote:
> > Package: systemd
> > Version: 215-9
> > Severity: normal
> > 
> > 
> > type=AVC msg=audit(1421538903.417:232): avc:  denied  { use } for 
> > pid=23546 comm="kded4" path="/run/systemd/inhibit/1.ref" dev="tmpfs"
> > ino=91124 scontext=rjc:user_r:user_t:s0-s0:c0.c1023
> > tcontext=system_u:system_r:systemd_logind_t:s0 tclass=fd permissive=0
> > 
> > When I login via kdm the KDE user processes (and presumably user
> > processes from any other desktop environment) inherit
> > /run/systemd/inhibit/1.ref.
> > 
> > Is this desired?  If so why?  I have SE Linux preventing it and
> > everything works.
> 
> I'm not sure what the problem is here.
> Can you elaborate?

If a socket or pipe is inherited from a system process to a process running as
a user, there is a possibility of a security problem.  Generally, if there is no
reason for such access to be granted then it should not be granted.  The file
handle could be closed before exec or it could be set to close on exec.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
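The two remedies named in the reply above (close the descriptor before exec, or mark it close-on-exec) can be checked and applied from C with fcntl(2). The following is an added example, not code from this thread or from systemd: it uses a pipe constructed here in place of the inhibitor fd, shows how to test and set FD_CLOEXEC on a single descriptor, sweeps every descriptor above a given number before an exec so nothing unintended leaks to the child, and then asks an exec'd /bin/sh whether it can still reach the descriptor. The helper names and the use of /bin/sh for the check are assumptions of this example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Return 1 if fd carries FD_CLOEXEC, 0 if it does not, -1 if fd is not open. */
int is_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/* Mark fd close-on-exec without disturbing other FD flags. 0 on success, -1 on error. */
int set_cloexec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0) return -1;
    if (flags & FD_CLOEXEC) return 0;
    return fcntl(fd, F_SETFD, flags | FD_CLOEXEC);
}

/* Defensive sweep before exec: every open descriptor above keep_up_to is
   marked close-on-exec so only stdin/stdout/stderr (or whatever the caller
   chose) survive into the child.  Returns the number of descriptors marked. */
int cloexec_all_above(int keep_up_to) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0) max = 1024;               /* assumption: fallback when unknown */
    int marked = 0;
    for (int fd = keep_up_to + 1; fd < max; fd++) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0) continue;           /* EBADF: nothing open here */
        if (!(flags & FD_CLOEXEC) && fcntl(fd, F_SETFD, flags | FD_CLOEXEC) == 0)
            marked++;
    }
    return marked;
}

/* Exec a child shell and have it try to write through fd.  Returns 1 if the
   child could use the descriptor (it was inherited), 0 if it could not,
   -1 if fork failed.  Stands in for "does the user session see 1.ref?". */
int child_inherits(int fd) {
    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo x >&%d 2>/dev/null", fd);
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

/* Round trip on one descriptor: a fresh pipe end is inheritable, becomes
   close-on-exec after set_cloexec, and an exec'd child then cannot use it. */
int demo_single_fd(void) {
    int p[2];
    if (pipe(p) != 0) return 0;
    int ok = is_cloexec(p[1]) == 0
          && set_cloexec(p[1]) == 0
          && is_cloexec(p[1]) == 1
          && child_inherits(p[1]) == 0;
    close(p[0]);
    close(p[1]);
    return ok ? 1 : 0;
}

/* The sweep variant: both pipe ends get FD_CLOEXEC in one pass. */
int demo_sweep(void) {
    int p[2];
    if (pipe(p) != 0) return 0;
    int marked = cloexec_all_above(2);
    int ok = marked >= 2 && is_cloexec(p[0]) == 1 && is_cloexec(p[1]) == 1;
    close(p[0]);
    close(p[1]);
    return ok ? 1 : 0;
}

int main(void) {
    int p[2];
    if (pipe(p) != 0) return 1;
    printf("before set_cloexec: child can use fd %d? %d\n", p[1], child_inherits(p[1]));
    set_cloexec(p[1]);
    printf("after  set_cloexec: child can use fd %d? %d\n", p[1], child_inherits(p[1]));
    return 0;
}
```

New code should prefer pipe2(2) with O_CLOEXEC, or open(2)/socket(2) with O_CLOEXEC/SOCK_CLOEXEC, so the descriptor is never inheritable in the first place; the fcntl route above is for descriptors created by code you do not control, and the sweep is the belt-and-braces step right before exec.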
