SELinux-Refpolicy Archive mirror
From: Stefan Schulze Frielinghaus <ml@stefansf.de>
To: selinux-refpolicy@vger.kernel.org
Subject: Daemons writing into HOME_DIR
Date: Tue, 3 May 2022 19:01:28 +0200	[thread overview]
Message-ID: <YnFf6JEPww4pUwKy@fedora> (raw)

Hi all,

In short, I'm wondering what the refpolicy way is to let a daemon write into
HOME_DIR and how those files---especially the SELinux user part---should be
labeled?

Currently I have a daemon (systemd service) running under context

  system_u:system_r:foobar_t:s0

and the policy contains

  init_daemon_domain(foobar_t, foobar_exec_t)

The daemon reads and writes files under HOME_DIR/foobar which are labeled as
foobar_rw_t and the policy has the following file context entry:

  HOME_DIR/foobar(/.*)? gen_context(system_u:object_r:foobar_rw_t,s0)

However, newly created files still seem to have a wrong user according to
restorecon (the daemon runs under Linux user marge which is assigned to SELinux
user user_u):

  $ restorecon -FRvn /home/marge/foobar
  Would relabel /home/marge/foobar/baz from system_u:object_r:foobar_rw_t:s0 to user_u:object_r:foobar_rw_t:s0

It looks as if user_u wins over system_u for files under HOME_DIR.  This
does not have any effect on the functionality of the daemon, however, it still
feels wrong to me.  So I'm wondering how to fix this and thought about:

1) Can/Should a daemon run under a different SELinux user than system_u?

2) Another option, which I think is worse, would be to change the SELinux
user from user_u to system_u for Linux user marge under which the daemon runs.

3) A third option would be to keep the users as is, i.e., let the daemon run
under system_u and let marge be assigned to user_u, but tweak the policy to keep
the file context labels under HOME_DIR with system_u.

Any thoughts?

(PS: the daemon cannot be reconfigured in order to write into a different
directory than HOME_DIR)

Cheers,
Stefan
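The restorecon output above shows only the user field differing, which is easy to misread when the type is also wrong. The following POSIX sh snippet is an added example (not from the thread or from refpolicy) that parses `restorecon -n` "Would relabel" lines and reports which context fields (user, role, type, level) actually differ; the report lines it reads are constructed for the example, not captured from a host.

```shell
#!/bin/sh
# Added example: split a restorecon -n report into the SELinux context
# fields (user:role:type:level) that actually differ, so a wrong-user
# case like the one in the mail is distinguished from a wrong type.
# The report lines below are constructed for this example.

SAMPLE='Would relabel /home/marge/foobar/baz from system_u:object_r:foobar_rw_t:s0 to user_u:object_r:foobar_rw_t:s0
Would relabel /home/marge/foobar/qux from system_u:object_r:user_home_t:s0 to user_u:object_r:foobar_rw_t:s0:c0.c1023'

# Print the context fields (space separated) on which $1 and $2 differ.
# The level is everything after the third colon, so MCS ranges such as
# s0:c0.c1023 stay intact.
context_diff() {
  cur=$1 want=$2 out=''
  cur_user=${cur%%:*};   cur=${cur#*:}
  cur_role=${cur%%:*};   cur=${cur#*:}
  cur_type=${cur%%:*};   cur_level=${cur#*:}
  want_user=${want%%:*}; want=${want#*:}
  want_role=${want%%:*}; want=${want#*:}
  want_type=${want%%:*}; want_level=${want#*:}
  if [ "$cur_user"  != "$want_user"  ]; then out="$out user";  fi
  if [ "$cur_role"  != "$want_role"  ]; then out="$out role";  fi
  if [ "$cur_type"  != "$want_type"  ]; then out="$out type";  fi
  if [ "$cur_level" != "$want_level" ]; then out="$out level"; fi
  printf '%s\n' "${out# }"
}

# Read "Would relabel PATH from CUR to WANTED" lines on stdin and print
# one "PATH: fields" line per entry; other restorecon chatter is ignored.
report_mismatches() {
  while IFS= read -r line; do
    case $line in
      "Would relabel "*" from "*" to "*) ;;
      *) continue ;;
    esac
    rest=${line#"Would relabel "}
    path=${rest%% from *}
    rest=${rest#* from }
    cur=${rest%% to *}
    want=${rest#* to }
    printf '%s: %s\n' "$path" "$(context_diff "$cur" "$want")"
  done
}

# Run against the constructed sample; on a real host pipe in
# `restorecon -FRvn /home/marge/foobar` instead.
printf '%s\n' "$SAMPLE" | report_mismatches
```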


Thread overview: 3+ messages
2022-05-03 17:01 Stefan Schulze Frielinghaus [this message]
2022-05-03 18:19 ` Daemons writing into HOME_DIR Chris PeBenito
2022-05-05 16:44   ` Stefan Schulze Frielinghaus
