Bug 2126879

Summary: [BACKPORT] init: Add tunable for systemd to create all its mountpoints
Product: Red Hat Enterprise Linux 9 Reporter: Pat Riehecky <riehecky>
Component: selinux-policyAssignee: Zdenek Pytela <zpytela>
Status: NEW --- QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: CentOS StreamCC: bstinson, jwboyer, lvrabec, mmalik, nknazeko
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pat Riehecky 2022-09-14 16:11:34 UTC 
Description of problem:
When using TemporaryFileSystem=/:ro and then the suggested
BindReadOnlyPaths=/dev/log /run/systemd/journal/socket /run/systemd/journal/stdout
to generate an isolated runtime with logging, selinux needs to permit
init_t to create files under the root_t and syslogd_var_run_t type.
This allows systemd to spin up a mount namespace for service isolation.

Version-Release number of selected component (if applicable):
selinux-policy-34.1.41-1.el9.noarch

How reproducible:
100%

Steps to Reproduce:
1. Try to use systemd's private mount isolation
2. get selinux errors
3.

Actual results:

selinux errors

Expected results:


For non-security mounting, only dir and file access are added, as these are the only ones allowed in the mounton call.


Additional info:

https://github.com/SELinuxProject/refpolicy/pull/535
Comment 1 Zdenek Pytela 2022-09-19 14:06:08 UTC 
Pat,

Thanks for reporting. As a first response I need to state that the referred commit is not one we can backport from refpolicy right away. We are currenly discussing with systemd folks how to approach issues like this in general.