[DSE-Dev] Bug#1029095: libselinux: claim /run/setrans directory

Laurent Bigonville bigon at debian.org
Mon Jul 10 11:14:44 BST 2023


On Tue, 17 Jan 2023 17:44:13 +0100 Christian Göttsche
<cgzones at googlemail.com> wrote:

Hello Christian,

 > Libselinux by default, since Debian does not specify DISABLE_SETRANS
 > at compile time, tries to translate security contexts within non-raw
 > interfaces, e.g. getfilecon(3). The purpose is to translate MCS/MLS
 > labels into human-readable form via mcstransd(8). The translation happens
 > via communication over the publicly accessible UNIX socket
 > /var/run/setrans/.setrans-unix, created by mcstransd(8). mcstransd(8)
 > however is not installed by default, not a dependency of another
 > package, nor recommended or suggested by one. Thus mcstransd(8) is
 > probably not running on many (most?) SELinux enabled systems and
 > thereby the directory /var/run/setrans is not created. This leaves
 > the opportunity for (compromised) programs to create it and the UNIX
 > socket to take control of the security context translation. It might
 > not be prevented by the SELinux policy since most daemons are allowed
 > to create entries in /var/run and UNIX socket communication between
 > daemons is common. As a solution the directory /var/run/setrans
 > should be created at boot by a trusted party with the default context
 > according to the loaded policy (e.g. setrans_runtime_t), which no
 > other daemon than mcstransd(8) should have the permission to create
 > sockets inside. For example Fedora uses the tmpfiles.d(5) snippet:
 >
 > d /run/setrans 0755 root root

I'm wondering if that couldn't be done directly by the systemd package 
instead of libselinux1; that might avoid the need for us to introduce a 
new libselinux-common package, or headaches in the (unlikely?) case there 
is a soname change to the libselinux library.

Note that we might need to remove the RuntimeDirectory=setrans option in 
the mcstrans.service to avoid a conflict (but that might be for the next 
Debian release).

If that's OK for you, I'll coordinate with the Debian systemd maintainer.

Kind regards,

Laurent
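As an added example, not code from the bug report or from libselinux or systemd: a small POSIX shell check of the properties the tmpfiles.d line quoted above is meant to guarantee for /run/setrans before mcstransd(8) starts. The directory, owner and SELinux type are parameters (assumed interface, so it can also be run against a scratch directory):

```shell
# Added example, not code from the bug report or from libselinux/systemd.
# Checks that a setrans runtime directory has the properties the tmpfiles.d
# line "d /run/setrans 0755 root root" is meant to guarantee before
# mcstransd(8) starts: it exists, is a real directory (not a symlink), is
# owned by the expected user with mode 0755, and any .setrans-unix inside
# is a socket owned by that same user.
# Usage: check_setrans_dir [DIR] [OWNER] [SELINUX_TYPE]
#   DIR defaults to /run/setrans, OWNER to root; SELINUX_TYPE (for example
#   setrans_runtime_t, as named in the report) is only checked when given.
check_setrans_dir() {
    dir="${1:-/run/setrans}"
    want_owner="${2:-root}"
    want_type="$3"

    # A missing directory is exactly the gap described in the report: any
    # process allowed to create entries in /run could create it and plant
    # its own socket there.
    if [ -L "$dir" ]; then echo "FAIL: $dir is a symlink"; return 1; fi
    if [ ! -d "$dir" ]; then echo "FAIL: $dir missing"; return 1; fi

    # GNU stat: %U = owner name, %a = mode in octal
    owner=$(stat -c '%U' "$dir") || return 1
    mode=$(stat -c '%a' "$dir") || return 1
    [ "$owner" = "$want_owner" ] || { echo "FAIL: $dir owned by $owner"; return 1; }
    [ "$mode" = "755" ] || { echo "FAIL: $dir has mode $mode"; return 1; }

    # The translation socket, if present, must be a socket owned by the same user.
    sock="$dir/.setrans-unix"
    if [ -e "$sock" ] || [ -L "$sock" ]; then
        [ -S "$sock" ] || { echo "FAIL: $sock is not a socket"; return 1; }
        sowner=$(stat -c '%U' "$sock") || return 1
        [ "$sowner" = "$want_owner" ] || { echo "FAIL: $sock owned by $sowner"; return 1; }
    fi

    # Optional SELinux type check (%C = security context user:role:type:level)
    if [ -n "$want_type" ]; then
        ctx=$(stat -c '%C' "$dir") || return 1
        case "$ctx" in
            *:"$want_type":*) ;;
            *) echo "FAIL: $dir has context $ctx"; return 1 ;;
        esac
    fi
    echo "OK: $dir"
}
```

Run as `check_setrans_dir /run/setrans root setrans_runtime_t` on a system with the policy loaded; a non-zero exit names the first property that does not hold.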
