Make systemd_tmpfiles_t MLS trusted for lowering the level of files #1758
Conversation
|
Please let me know if you need additional clarifications from my side. FYI, below is the corresponding error message in /var/log/messages this commit addresses.
I understand this is started being observed with mls when systemd-tmpfiles service started using /usr/lib/tmpfiles.d/static-nodes-permissions.conf to set permissions and security contexts of device files including /dev/fuse because of the following commit: tmpfiles: override permissions of static nodes that need this |
|
Please include the audit denial and the additional information in the commit. |
Need to make systemd_tmpfiles_t MLS trusted for lowering the level of files as the domain needs to lower the levels of device files when mls is used. Specifically, systemd_tmpfiles_t needs to lower the sensitivity level of /dev/fuse from s15 to s0. This commit addresses the following error message in /var/log/messages: audit: SELINUX_ERR op=security_validate_transition seresult=denied oldcontext=system_u:object_r:fuse_device_t:s15:c0.c1023 newcontext=system_u:object_r:fuse_device_t:s0 taskcontext=system_u:system_r:systemd_tmpfiles_t:s0-s15:c0.c1023 tclass=chr_file I understand this is started being observed with mls when systemd-tmpfiles service started using /usr/lib/tmpfiles.d/static-nodes-permissions.conf to set permissions and security contexts of device files including /dev/fuse because of the following commit: tmpfiles: override permissions of static nodes that need this systemd/systemd@1f9290f Note that another option we could consider would be to change the default sensitivity level of /dev/fuse from s0 to s15 so that the sensitivity level does not need to be lowered from s15 to s0 in the first place. However, the default sensitivity level of /dev/fuse was intentionally changed from s15 (mls_systemhigh) to s0 in the following commit before. Thus, changing it back to s15 (mls_systemhigh) would not be a good idea. /dev/fuse should be s0 not mls_high fedora-selinux@105e85a Signed-off-by: Naoki Tanaka <naoki.tanaka@oracle.com>
done |
|
Thank you. I know I keep bothering you, but the commit message is important especially from long-term perspective in commits like this. |
No problem at all. Could you merge this now that I have added the info to the commit message as you requested? |
|
Sure, thank you. |
Need to make systemd_tmpfiles_t MLS trusted for lowering the level of files as the domain needs to lower the levels of device files when mls is used.
Specifically, systemd_tmpfiles_t needs to lower the sensitivity level of /dev/fuse from s15 to s0.
Note that another way we could consider is to change the default sensitivity level of /dev/fuse from s0 to s15 so that the sensitivity level does not need to be lowered from s15 to s0 in the first place. However, the default sensitivity level of /dev/fuse was intentionally changed from s15 (mls_systemhigh) to s0 in the following commit before. So, I don't understand changing it back to s15 (mls_systemhigh) is a good idea.
/dev/fuse should be s0 not mls_high
105e85a