From 7a3e4dc38b3e3ef60d4886aa2c1cb871f49bfee9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Fri, 10 Jul 2020 21:37:44 +0200
Subject: [PATCH 1/3] basic: add helper function mknod_label()

---
 src/basic/label.c | 20 ++++++++++++++++++++
 src/basic/label.h | 1 +
 2 files changed, 21 insertions(+)

diff --git a/src/basic/label.c b/src/basic/label.c
index 1fce7718d4..741c43c2b9 100644
--- a/src/basic/label.c
+++ b/src/basic/label.c
@@ -45,6 +45,26 @@ int symlink_label(const char *old_path, const char *new_path) {
 return mac_smack_fix(new_path, 0);
 }
 
+int mknod_label(const char *pathname, mode_t mode, dev_t dev) {
+ int r;
+
+ assert(pathname);
+
+ r = mac_selinux_create_file_prepare(pathname, mode);
+ if (r < 0)
+ return r;
+
+ if (mknod(pathname, mode, dev) < 0)
+ r = -errno;
+
+ mac_selinux_create_file_clear();
+
+ if (r < 0)
+ return r;
+
+ return mac_smack_fix(pathname, 0);
+}
+
 int btrfs_subvol_make_label(const char *path) {
 int r;
 
diff --git a/src/basic/label.h b/src/basic/label.h
index a6f9074b28..6dc0f710ef 100644
--- a/src/basic/label.h
+++ b/src/basic/label.h
@@ -17,5 +17,6 @@ static inline int label_fix(const char *path, LabelFixFlags flags) {
 int mkdir_label(const char *path, mode_t mode);
 int mkdirat_label(int dirfd, const char *path, mode_t mode);
 int symlink_label(const char *old_path, const char *new_path);
+int mknod_label(const char *pathname, mode_t mode, dev_t dev);
 int btrfs_subvol_make_label(const char *path);

From 8d9cbd809db492df9d94c0c664bd0d2e53416531 Mon Sep 17 00:00:00 2001
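Review bot: The new mknod_label() in the label.c hunk has no comment stating its contract, and callers need two things from it: it returns a negative errno (captured into `r` before mac_selinux_create_file_clear() runs, so errno itself must not be trusted afterwards) rather than the -1/errno convention of mknod(), and `mode` is passed unchanged to both mac_selinux_create_file_prepare() and mknod(), so the caller must supply the S_IF* type bits itself. Whether the sibling mkdir_label() adds S_IFDIR on the caller's behalf is not visible in this hunk, so that asymmetry is worth spelling out. I would put above the definition: `/* Like mknod(), but creates the node with the SELinux context policy assigns to pathname, then runs mac_smack_fix() on it. mode must carry the file-type bits (S_IFCHR/S_IFBLK/S_IFIFO/S_IFSOCK). Returns 0 or a negative errno; on -EEXIST the existing node is left untouched. */`.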
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Fri, 10 Jul 2020 21:48:02 +0200
Subject: [PATCH 2/3] selinux: create standard user-runtime nodes with default context

Currently systemd-user-runtime-dir does not create the files in /run/user/$UID/systemd/inaccessible with the default SELinux label. The user and role part of these labels should be based on the user related to $UID and not based on the process context of systemd-user-runtime-dir.

Since v246-rc1 (9664be199af6) /run/user/$UID/systemd is also created by systemd-user-runtime-dir and should also be created with the default SELinux context.
---
 src/shared/dev-setup.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c
index 6a280cde01..7641909c1b 100644
--- a/src/shared/dev-setup.c
+++ b/src/shared/dev-setup.c
@@ -103,9 +103,9 @@ int make_inaccessible_nodes(
 return log_oom();
 
 if (S_ISDIR(table[i].mode))
- r = mkdir(path, table[i].mode & 07777);
+ r = mkdir_label(path, table[i].mode & 07777);
 else
- r = mknod(path, table[i].mode, makedev(0, 0));
+ r = mknod_label(path, table[i].mode, makedev(0, 0));
 if (r < 0) {
 if (errno != EEXIST)
 log_debug_errno(errno, "Failed to create '%s', ignoring: %m", path);

From abad72be4df9d5a13ceecd5b4d073adb370882b7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Fri, 10 Jul 2020 22:08:50 +0200
Subject: [PATCH 3/3] namespace: fix MAC labels of TemporaryFileSystem=

Reproducible with:

systemd-run -p TemporaryFileSystem=/root -t /bin/bash
ls -dZ /root

Prior: root:object_r:tmpfs_t:s0 /root
Past: root:object_r:user_home_dir_t:s0 /root
---
 src/core/namespace.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/src/core/namespace.c b/src/core/namespace.c
index b2bbcf58f2..ebdbb7545b 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
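Review bot: After the switch to mkdir_label()/mknod_label(), `r` carries a negative errno code, but the error branch at the bottom of the dev-setup.c hunk still reads the global `errno`, both for the EEXIST test and for log_debug_errno(). errno is no longer reliable at that point: mknod_label() (and presumably mkdir_label()) calls mac_selinux_create_file_clear() after the failing syscall, which may clobber it, and a failure inside mac_selinux_create_file_prepare() returns a code with no matching errno at all, so a genuine labeling failure can be mistaken for EEXIST and silently dropped, or logged with a stale value. Switch the branch to the return code: `if (r != -EEXIST)` and `log_debug_errno(r, "Failed to create '%s', ignoring: %m", path);`. make_inaccessible_nodes() continues past this hunk, so any later use of errno in the same loop body deserves the same treatment.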
@@ -860,15 +860,23 @@ static int mount_procfs(const MountEntry *m) {
 }
 
 static int mount_tmpfs(const MountEntry *m) {
+ int r;
+ const char *entry_path = mount_entry_path(m);
+ const char *source_path = m->path_const;
+
 assert(m);
 
 /* First, get rid of everything that is below if there is anything. Then, overmount with our new tmpfs */
 
- (void) mkdir_p_label(mount_entry_path(m), 0755);
- (void) umount_recursive(mount_entry_path(m), 0);
+ (void) mkdir_p_label(entry_path, 0755);
+ (void) umount_recursive(entry_path, 0);
 
- if (mount("tmpfs", mount_entry_path(m), "tmpfs", m->flags, mount_entry_options(m)) < 0)
- return log_debug_errno(errno, "Failed to mount %s: %m", mount_entry_path(m));
+ if (mount("tmpfs", entry_path, "tmpfs", m->flags, mount_entry_options(m)) < 0)
+ return log_debug_errno(errno, "Failed to mount %s: %m", entry_path);
+
+ r = label_fix_container(entry_path, source_path, 0);
+ if (r < 0)
+ return log_error_errno(r, "Failed to fix label of '%s' as '%s': %m", entry_path, source_path);
 
 return 1;
 }
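Review bot: The two new initializers at the top of mount_tmpfs() dereference `m` (via mount_entry_path(m) and m->path_const) before `assert(m)` runs, so the assertion can no longer catch a NULL entry; keep the assert first and declare afterwards, `assert(m); const char *entry_path = mount_entry_path(m), *source_path = m->path_const; int r;`. The new label_fix_container() call also turns a labeling failure into a hard failure of the whole mount, whereas the mkdir_p_label() result just above is still discarded; if that asymmetry is intended (fail closed rather than hand a service a mislabeled tmpfs), a one-line comment such as `/* Relabel the fresh tmpfs root as policy expects for the requested path; a mislabeled sandbox mount is worse than no mount */` would record it. Passing `m->path_const` rather than the possibly-chased `entry_path` as the label lookup path looks deliberate, but whether path_const can be NULL for some entry kinds is not visible in this hunk and is worth confirming before it reaches label_fix_container().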