Bug 2110012
| Summary: | Support all init_t <=> install_t operations that also work with init_t <=> unconfined_t | |||
|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Colin Walters <walters> | |
| Component: | selinux-policy | Assignee: | Zdenek Pytela <zpytela> | |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | |
| Severity: | medium | Docs Contact: | ||
| Priority: | low | |||
| Version: | 36 | CC: | dwalsh, grepl.miroslav, lvrabec, mmalik, omosnace, pkoncity, vmojzis, zpytela | |
| Target Milestone: | --- | Keywords: | Triaged | |
| Target Release: | --- | |||
| Hardware: | Unspecified | |||
| OS: | Unspecified | |||
| Whiteboard: | ||||
| Fixed In Version: | Doc Type: | If docs needed, set a value | ||
| Doc Text: | Story Points: | --- | ||
| Clone Of: | ||||
| : | 2111206 | Environment: | ||
| Last Closed: | 2022-09-12 13:14:35 UTC | Type: | Bug | |
| Regression: | --- | Mount Type: | --- | |
| Documentation: | --- | CRM: | ||
| Verified Versions: | Category: | --- | ||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
| Cloudforms Team: | --- | Target Upstream Version: | ||
| Embargoed: | ||||
| Bug Depends On: | ||||
| Bug Blocks: | 2111206 | |||
Description
Colin Walters
2022-07-22 18:03:43 UTC
Alternatively, perhaps what I may try to do in the future is have rpm-ostree fork a child process copy of itself that is wrapped with e.g. `runcon -t install_t` or so, but that would require changing the policy to drop the install_exec_t for /usr/bin/rpm-ostree, which would break older versions, unless we can figure out a way to do this compatibly.

Should work in rawhide already:

```
rawhide# sesearch -A -s init_t -t install_t -c unix_stream_socket -p bind,create,listen,setopt
allow init_t install_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write };
rawhide# rpm -q selinux-policy
selinux-policy-37.7-1.fc37.noarch
```

Also note install_t is an unconfined domain; most of the possible permissions are already allowed, IPC being one of the exceptions.

Thanks! It'd be nice to ship this in RHEL 9.1 if at all possible; anything I can do to help with that? I think potentially we can avoid depending on this in F36 lifetime.

(In reply to Colin Walters from comment #3)
> Thanks! It'd be nice to ship this in RHEL 9.1 if at all possible; anything I
> can do to help with that?
> I think potentially we can avoid depending on this in F36 lifetime.

Please clone the bz for RHEL 9 then, but note it is quite late in the development cycle.

(In reply to Colin Walters from comment #3)
> Thanks! It'd be nice to ship this in RHEL 9.1 if at all possible; anything I
> can do to help with that?
> I think potentially we can avoid depending on this in F36 lifetime.

I don't quite understand. There is a solution in F37; should it be backported to F36, too?

Just checked: the commit has been backported.

Ah, thanks for backporting. I had meant to say I think it *didn't* need to be backported, but doing so will definitely make our lives easier in the future. Thanks again!
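Added example, not code from the bug or from the selinux-policy project: a small parser for `sesearch -A` output in the format quoted above that reports, per object class, the permissions init_t holds on unconfined_t but not on install_t, which is the gap the bug summary asks to close. The input lines are constructed for illustration; the unconfined_t and process rules in the sample are assumed, not taken from any real policy.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample in the format sesearch -A prints (see the rawhide
# output quoted in the bug). Only the install_t:unix_stream_socket line
# mirrors the bug; the other rules are assumed for illustration.
SAMPLE_SESEARCH = """\
allow init_t install_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow init_t unconfined_t:unix_stream_socket { accept append bind connect connectto create getattr getopt ioctl listen lock read setattr setopt shutdown write };
allow init_t unconfined_t:unix_dgram_socket sendto;
allow init_t install_t:unix_dgram_socket sendto;
allow init_t unconfined_t:process { sigchld signal };
allow init_t install_t:process sigchld;
"""

# allow <source> <target>:<class> { p1 p2 ... };   or   allow s t:c perm;
RULE_RE = re.compile(r"^allow\s+(\S+)\s+(\S+):(\S+)\s+(?:\{\s*([^}]*)\}|(\S+));$")

Key = Tuple[str, str, str]  # (source type, target type, object class)


def parse_allow_rules(text: str) -> Dict[Key, Set[str]]:
    """Collect allow rules keyed by (source, target, class); permissions are merged."""
    rules: Dict[Key, Set[str]] = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not an allow rule (e.g. neverallow, comments)
        src, tgt, cls, braced, single = m.groups()
        perms = set(braced.split()) if braced is not None else {single}
        rules.setdefault((src, tgt, cls), set()).update(perms)
    return rules


def missing_permissions(rules: Dict[Key, Set[str]], src: str,
                        reference: str, candidate: str) -> Dict[str, List[str]]:
    """Per class: permissions src has towards reference but lacks towards candidate."""
    gaps: Dict[str, List[str]] = {}
    for (s, t, cls), perms in rules.items():
        if s != src or t != reference:
            continue
        diff = perms - rules.get((src, candidate, cls), set())
        if diff:
            gaps[cls] = sorted(diff)
    return gaps


if __name__ == "__main__":
    parsed = parse_allow_rules(SAMPLE_SESEARCH)
    for cls, perms in missing_permissions(parsed, "init_t", "unconfined_t", "install_t").items():
        print(f"init_t -> install_t lacks {cls}: {' '.join(perms)}")
```

On a real system, feed it the output of `sesearch -A -s init_t -t unconfined_t` and `sesearch -A -s init_t -t install_t` concatenated; classes absent from the output for install_t show up with their full permission list.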