[DSE-Dev] Bug#863800: systemd ignores SELinuxContext= when User=/Group= is set
Laurent Bigonville
bigon at debian.org
Wed May 31 11:37:42 UTC 2017
Package: systemd
Version: 232-24
Severity: normal
User: selinux-devel at lists.alioth.debian.org
Usertags: selinux
Forwarded: https://github.com/systemd/systemd/issues/5875
Hi,
It seems that systemd is ignoring SELinuxContext= when User=/Group= is
set.
This is fixed in current git HEAD (see
https://github.com/systemd/systemd/pull/5883) by:
From 6d395665e5ce7b64f3de4c9550c0779843e6cc44 Mon Sep 17 00:00:00 2001
From: Gary Tierney <gary.tierney at gmx.com>
Date: Tue, 2 May 2017 17:42:19 +0100
Subject: [PATCH] Revert "selinux: split up mac_selinux_have() from
mac_selinux_use()"
This reverts commit 6355e75610a8d47fc3ba5ab8bd442172a2cfe574.
The previously mentioned commit inadvertently broke a lot of SELinux related
functionality for both unprivileged users and systemd instances running as
MANAGER_USER. In particular, setting the correct SELinux context after a User=
directive is used would fail to work since we attempt to set the security
context after changing UID. Additionally, it causes activated socket units to
be mislabeled for systemd --user processes since setsockcreatecon() would never
be called.
Reverting this fixes the issues with labeling outlined above, and reinstates
SELinux access checks on unprivileged user services.
Could you please cherry-pick this patch and maybe the other one (audit-fd:
check for CAP_AUDIT_WRITE before opening an audit socket) as well for stretch?
Regards,
Laurent Bigonville
-- Package-specific info:
-- System Information:
Debian Release: 9.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages systemd depends on:
ii adduser 3.115
ii libacl1 2.2.52-3+b1
ii libapparmor1 2.11.0-3
ii libaudit1 1:2.6.7-2
ii libblkid1 2.29.2-1
ii libc6 2.24-11
ii libcap2 1:2.25-1
ii libcryptsetup4 2:1.7.3-4
ii libgcrypt20 1.7.6-1
ii libgpg-error0 1.26-2
ii libidn11 1.33-1
ii libip4tc0 1.6.0+snapshot20161117-6
ii libkmod2 24-1
ii liblz4-1 0.0~r131-2+b1
ii liblzma5 5.2.2-1.2+b1
ii libmount1 2.29.2-1
ii libpam0g 1.1.8-3.6
ii libseccomp2 2.3.1-2.1
ii libselinux1 2.6-3+b1
ii libsystemd0 232-24
ii mount 2.29.2-1
ii procps 2:3.3.12-3
ii util-linux 2.29.2-1
Versions of packages systemd recommends:
ii dbus 1.10.18-1
ii libpam-systemd 232-24
Versions of packages systemd suggests:
ii policykit-1 0.105-18
ii systemd-container 232-24
pn systemd-ui <none>
Versions of packages systemd is related to:
pn dracut <none>
ii initramfs-tools 0.130
ii udev 232-24
-- no debconf information
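An added example, not part of the bug report or of systemd, for finding the units a system like the one above is exposed on: the report says SELinuxContext= is silently dropped once User= or Group= is set, so the units worth re-checking after the fix are those whose [Service] section carries both. The script below scans unit files in the directories it is given (it assumes plain .service files and does not follow drop-in .d directories or systemctl show output); the hypothetical running_context helper needs a live systemd/SELinux host and is only there to compare the configured context with the label the main process actually ended up with.

```shell
#!/bin/sh
# affected_units DIR [DIR...]
# Print every .service file under DIR whose [Service] section sets
# SELinuxContext= and also User= or Group=, i.e. the combination that
# systemd 232 mishandles according to Debian bug #863800.
affected_units() {
    for dir in "$@"; do
        for unit in "$dir"/*.service; do
            [ -f "$unit" ] || continue
            awk -v unit="$unit" '
                /^\[/ { section = $0 }                      # track current [Section]
                section == "[Service]" && /^SELinuxContext=/ {
                    ctx = substr($0, length("SELinuxContext=") + 1)
                }
                section == "[Service]" && /^(User|Group)=/ { drop = 1 }
                END { if (ctx != "" && drop) print unit ": " ctx }
            ' "$unit"
        done
    done
}

# running_context UNIT
# Hypothetical helper for a live host only: show the SELinux label of the
# unit's main process so it can be compared with the SELinuxContext= value
# printed by affected_units.  Uses only procps "ps -o label" and
# "systemctl show -p MainPID --value" (systemd >= 230).
running_context() {
    pid=$(systemctl show -p MainPID --value "$1") || return 1
    [ "$pid" -gt 0 ] 2>/dev/null || { echo "$1: not running" >&2; return 1; }
    ps -o label= -p "$pid"
}

# Typical use on a Debian stretch box (directories assumed, adjust to taste):
#   affected_units /etc/systemd/system /lib/systemd/system
```

Any unit the first function lists is one where, with the unfixed package, the service runs in the label it inherits from systemd rather than in the configured one; after cherry-picking the revert, running_context on each listed unit should report the configured SELinuxContext= type.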