"I'll just move my state dir to /var/lib like other system services, that should make it all work"
-
SELinux: nice try scrub, you're not supposed to execute shit in /var/lib either, try again
It's funny because I was vaguely lamenting that the reference policy and Fedora's instantiation of it don't lock things down enough... But turns out they lock things down quite a lot.
-
"okay uh can I mark this file tree as unconfined then?"
SELinux: what kind of idiot do you take me for? (a) no of course not (b) even if you could, systemd still isn't allowed to execute shit from there. Try harder.
-
Okay FINE I'll pull up the manual again and figure out how to write a custom policy module and do this properly
-
I would just run my program in a permissive domain, but the whole point is it interacts with systemd and asks it to run stuff, at which point systemd's permission set is controlling.
-
This is the difference between theory and practice, I guess. I understand what's going on here in terms of the mechanics of why I'm not allowed to do stuff, but to understand how to fix it, I need to speed-learn a good chunk of Fedora's SELinux policy to understand what the moving parts are and what options I have.
It's fun, but also I can understand why people go "fuck it, permissive mode" and move on.
-
-
@[email protected] yeah i am so glad people actually enjoy making selinux policies for the programs i use otherwise i couldn't do squat
-
@[email protected] people writing SELinux policies, PAM modules & packaging software are the unappreciated custodial staff of *nix.
-
Dave Anderson replied to Amber
@puppygirlhornypost2 I'm also kinda shocked as I browse the live policy loaded into my laptop, I thought there wasn't that much lockdown going on aside from network-facing services, but my god there's a zillion type_transition rules from init_t to other stuff!
Trying to run icecast? Sure, I got a narrowly scoped happy path for that. Starting a login prompt? Hell yeah special confinement rules for that. Running an ancient sound server from 1998? Believe it or not, bespoke ruleset is yes.
-
@puppygirlhornypost2 And I guess I shouldn't be that surprised, but turns out the sort of people who write policies for mandatory access control systems didn't leave any obvious "oh you want to yolo? Sure, here you go, have some yolo"
-
@danderson @puppygirlhornypost2 this is fascinating, we feel like we're learning quite a bit about SELinux from the discussion. thank you!
-
@[email protected] @[email protected] yeah, it's even weirder because selinux has "profiles" governing how strict you want it to be.
-
Okay so I had the right idea _broadly_. I need to mark the executables I'm trying to run as 'bin_t', which is the default "executable not covered by more targeted policies" security label. systemd's SELinux domain (init_t) has a transition rule that allows it to execute bin_t binaries, and when it does those binaries transition to unconfined_t, aka "SELinux won't bother you too much, you just get old school unix DAC enforcement".
But hmm can I mark all my shit as bin_t or do I need subtlety...
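As an added example (not from anyone in this thread), the "subtle" alternative to relabelling everything bin_t: a small custom policy module that gives systemd a narrow exec transition into the program's own confined domain instead of unconfined_t. The module name `myservice`, the `/var/lib/myservice` layout and its `bin/` subdirectory are assumptions; the interfaces are the standard reference-policy ones shipped in Fedora's selinux-policy-devel.

```selinux
## myservice.te  (hypothetical module name; rename for your program)
policy_module(myservice, 1.0.0)

# The daemon's own domain and the label for the executables it ships.
type myservice_t;
type myservice_exec_t;

# init_t may execute myservice_exec_t files, and the resulting process
# lands in myservice_t rather than going init_t -> bin_t -> unconfined_t.
init_daemon_domain(myservice_t, myservice_exec_t)

# The daemon may re-exec helpers carrying its own exec label.
can_exec(myservice_t, myservice_exec_t)

# Private label for the state directory under /var/lib.
type myservice_var_lib_t;
files_type(myservice_var_lib_t)
manage_dirs_pattern(myservice_t, myservice_var_lib_t, myservice_var_lib_t)
manage_files_pattern(myservice_t, myservice_var_lib_t, myservice_var_lib_t)
# Directories the daemon creates directly in /var/lib get the private label.
files_var_lib_filetrans(myservice_t, myservice_var_lib_t, dir)

# Minimal extras most daemons need; add more only as AVC denials show up.
files_read_etc_files(myservice_t)
logging_send_syslog_msg(myservice_t)

## myservice.fc  (longest regex match wins, so bin/ gets the exec label)
/var/lib/myservice(/.*)?        gen_context(system_u:object_r:myservice_var_lib_t,s0)
/var/lib/myservice/bin(/.*)?    gen_context(system_u:object_r:myservice_exec_t,s0)

## Build, load and apply labels (run as root on the target host):
##   make -f /usr/share/selinux/devel/Makefile myservice.pp
##   semodule -i myservice.pp
##   restorecon -Rv /var/lib/myservice
## Check: ls -Z /var/lib/myservice/bin   (expect myservice_exec_t)
##        ps -eZ | grep myservice_t       (after systemd starts it)
```

Denials that still appear after loading show up in `ausearch -m AVC -ts recent`; widen the module from those rather than falling back to permissive mode.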
-
@[email protected] @[email protected] sorry "Contexts" and "Policies"
-
CatSalad🐈🥗 (D.Burch) :blobcatrainbow: replied to Amber
@puppygirlhornypost2 @danderson @ireneista sexlinux is best thoug– oooh... selinux. Yeah, that's cool too, I guess. >_>
-
Amber replied to CatSalad🐈🥗 (D.Burch) :blobcatrainbow:
@[email protected] @[email protected] @[email protected] that's just debian, the distribution for lesbians