[DSE-Dev] Bug#863800: systemd ignores SELinuxContext= when User=/Group= is set

Laurent Bigonville bigon at debian.org
Wed May 31 11:37:42 UTC 2017 

Package: systemd
Version: 232-24
Severity: normal
User: selinux-devel at lists.alioth.debian.org
Usertags: selinux
Forwarded: https://github.com/systemd/systemd/issues/5875

Hi,

It seems that systemd is ignoring SELinuxContext= when User=/Group= is
set.

This is fixed in current git HEAD (see
https://github.com/systemd/systemd/pull/5883) by:

>From 6d395665e5ce7b64f3de4c9550c0779843e6cc44 Mon Sep 17 00:00:00 2001
From: Gary Tierney <gary.tierney at gmx.com>
Date: Tue, 2 May 2017 17:42:19 +0100
Subject: [PATCH] Revert "selinux: split up mac_selinux_have() from
 mac_selinux_use()"

This reverts commit 6355e75610a8d47fc3ba5ab8bd442172a2cfe574.

The previously mentioned commit inadvertently broke a lot of SELinux related
functionality for both unprivileged users and systemd instances running as
MANAGER_USER.  In particular, setting the correct SELinux context after a User=
directive is used would fail to work since we attempt to set the security
context after changing UID.  Additionally, it causes activated socket units to
be mislabeled for systemd --user processes since setsockcreatecon() would never
be called.

Reverting this fixes the issues with labeling outlined above, and reinstates
SELinux access checks on unprivileged user services.


Could you please cherrypick this patch and maybe the other one ( audit-fd:
check for CAP_AUDIT_WRITE before opening an audit socket) as well for stretch?

Regards,

Laurent Bigonville

-- Package-specific info:

-- System Information:
Debian Release: 9.0
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.9.0-3-amd64 (SMP w/4 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages systemd depends on:
ii  adduser         3.115
ii  libacl1         2.2.52-3+b1
ii  libapparmor1    2.11.0-3
ii  libaudit1       1:2.6.7-2
ii  libblkid1       2.29.2-1
ii  libc6           2.24-11
ii  libcap2         1:2.25-1
ii  libcryptsetup4  2:1.7.3-4
ii  libgcrypt20     1.7.6-1
ii  libgpg-error0   1.26-2
ii  libidn11        1.33-1
ii  libip4tc0       1.6.0+snapshot20161117-6
ii  libkmod2        24-1
ii  liblz4-1        0.0~r131-2+b1
ii  liblzma5        5.2.2-1.2+b1
ii  libmount1       2.29.2-1
ii  libpam0g        1.1.8-3.6
ii  libseccomp2     2.3.1-2.1
ii  libselinux1     2.6-3+b1
ii  libsystemd0     232-24
ii  mount           2.29.2-1
ii  procps          2:3.3.12-3
ii  util-linux      2.29.2-1

Versions of packages systemd recommends:
ii  dbus            1.10.18-1
ii  libpam-systemd  232-24

Versions of packages systemd suggests:
ii  policykit-1        0.105-18
ii  systemd-container  232-24
pn  systemd-ui         <none>

Versions of packages systemd is related to:
pn  dracut           <none>
ii  initramfs-tools  0.130
ii  udev             232-24

-- no debconf information

More information about the SELinux-devel mailing list