Re: [systemd-devel] [PATCH v2] selinux: fix missing SELinux unit access check
On Thu, 18.06.15 18:29, HATAYAMA Daisuke (d.hatay...@jp.fujitsu.com) wrote: int r; STRV_FOREACH(i, units) { -u = manager_get_unit(m, *i); +r = manager_load_unit(m, *i, NULL, error, u); +if (r 0) +return r; if (u) { +if (u-load_error != 0) +return u-load_error; r = mac_selinux_unit_access_check(u, message, permission, error); if (r 0) return r; I commented on the issue now in github, could you please follow up there? https://github.com/systemd/systemd/pull/145 Thanks for your reviewing. However, unfortunately, I cannot use github for some reason for now. So, please let me discuss in the mailing list. I'm sorry for the inconvenience. I don't think we should check this, it doesn't matter if we managed to successfully load the unit or not, we should still allow access either way. Sorry, I don't understand well. Do you mean removing this SELinux unit access check? If so, it means that current logic since the following commit, is changed, right? No, I meant tjust the u-load_error != 0 check, and the one line following it. The SELinux check following that should stay. I guess this related to the question you raised in the other thread: Unit objects may or may not have a unit file on disk attached, and that's completely OK. We should do the access check on the label of the unit file if we have one, and otherwise fall back to some more generic selinux access check. Specifically that means here that u-load_error is nothing we need to explicitly check, as mac_selinux_unit_access_check() already has a generic fallback if the unit doesn't have a file associated. Long story short: just remove the two lines I pointed out, and leave the mac_selinux_unit_access_check() in place and all should be good. Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH v2] selinux: fix missing SELinux unit access check
From: Lennart Poettering lenn...@poettering.net Subject: Re: [systemd-devel] [PATCH v2] selinux: fix missing SELinux unit access check Date: Thu, 18 Jun 2015 13:30:43 +0200 On Thu, 18.06.15 18:29, HATAYAMA Daisuke (d.hatay...@jp.fujitsu.com) wrote: int r; STRV_FOREACH(i, units) { -u = manager_get_unit(m, *i); +r = manager_load_unit(m, *i, NULL, error, u); +if (r 0) +return r; if (u) { +if (u-load_error != 0) +return u-load_error; r = mac_selinux_unit_access_check(u, message, permission, error); if (r 0) return r; I commented on the issue now in github, could you please follow up there? https://github.com/systemd/systemd/pull/145 Thanks for your reviewing. However, unfortunately, I cannot use github for some reason for now. So, please let me discuss in the mailing list. I'm sorry for the inconvenience. I don't think we should check this, it doesn't matter if we managed to successfully load the unit or not, we should still allow access either way. Sorry, I don't understand well. Do you mean removing this SELinux unit access check? If so, it means that current logic since the following commit, is changed, right? No, I meant tjust the u-load_error != 0 check, and the one line following it. The SELinux check following that should stay. I see. I guess this related to the question you raised in the other thread: Unit objects may or may not have a unit file on disk attached, and that's completely OK. We should do the access check on the label of the unit file if we have one, and otherwise fall back to some more generic selinux access check. Specifically that means here that u-load_error is nothing we need to explicitly check, as mac_selinux_unit_access_check() already has a generic fallback if the unit doesn't have a file associated. Long story short: just remove the two lines I pointed out, and leave the mac_selinux_unit_access_check() in place and all should be good. I see. I'll post v3 patch soon. Also, I'll include in the v3 patch set, a patch related to the question I raised in http://lists.freedesktop.org/archives/systemd-devel/2015-June/033104.html. -- Thanks. HATAYAMA, Daisuke ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH v2] selinux: fix missing SELinux unit access check
From: Lennart Poettering lenn...@poettering.net Subject: Re: [systemd-devel] [PATCH v2] selinux: fix missing SELinux unit access check Date: Wed, 17 Jun 2015 18:25:32 +0200 On Wed, 10.06.15 14:40, HATAYAMA Daisuke (d.hatay...@jp.fujitsu.com) wrote: From 398deee74edb06b54b8a74c25697cd6d977d8f2d Mon Sep 17 00:00:00 2001 From: HATAYAMA Daisuke d.hatay...@jp.fujitsu.com Date: Wed, 10 Jun 2015 14:10:31 +0900 Subject: [PATCH] selinux: fix missing SELinux unit access check Currently, SELinux unit access check is not performed if a given unit file has not been registered in a hash table. This is because function manager_get_unit() only tries to pick up a Unit object from a Unit hash table. Instead, we use function manager_load_unit() searching Unit file pathes for the given Unit file. --- src/core/selinux-access.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) v2: - checking an error status by u-load_error to cover UNIT_ERROR case. diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index decd42f..ac52906 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -292,8 +292,12 @@ int mac_selinux_unit_access_check_strv(char **units, int r; STRV_FOREACH(i, units) { -u = manager_get_unit(m, *i); +r = manager_load_unit(m, *i, NULL, error, u); +if (r 0) +return r; if (u) { +if (u-load_error != 0) +return u-load_error; r = mac_selinux_unit_access_check(u, message, permission, error); if (r 0) return r; I commented on the issue now in github, could you please follow up there? https://github.com/systemd/systemd/pull/145 Thanks for your reviewing. However, unfortunately, I cannot use github for some reason for now. So, please let me discuss in the mailing list. I'm sorry for the inconvenience. I don't think we should check this, it doesn't matter if we managed to successfully load the unit or not, we should still allow access either way. Sorry, I don't understand well. Do you mean removing this SELinux unit access check? If so, it means that current logic since the following commit, is changed, right? $ git log -1 -p 4f7385fa496242f06aaf358b66b28d71348607b3 commit 4f7385fa496242f06aaf358b66b28d71348607b3 Author: Lubomir Rintel lkund...@v3.sk Date: Fri Dec 6 14:05:49 2013 +0100 selinux: Check access vector for enable/disable perm for each unit file SELinux check will be done using the context of the unit file as as a target instead of the default init_t context, allowing selinux control on the level of individual units. https://bugzilla.redhat.com/show_bug.cgi?id=1022762 -- Thanks. HATAYAMA, Daisuke ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH v2] selinux: fix missing SELinux unit access check
On Wed, 10.06.15 14:40, HATAYAMA Daisuke (d.hatay...@jp.fujitsu.com) wrote: From 398deee74edb06b54b8a74c25697cd6d977d8f2d Mon Sep 17 00:00:00 2001 From: HATAYAMA Daisuke d.hatay...@jp.fujitsu.com Date: Wed, 10 Jun 2015 14:10:31 +0900 Subject: [PATCH] selinux: fix missing SELinux unit access check Currently, SELinux unit access check is not performed if a given unit file has not been registered in a hash table. This is because function manager_get_unit() only tries to pick up a Unit object from a Unit hash table. Instead, we use function manager_load_unit() searching Unit file pathes for the given Unit file. --- src/core/selinux-access.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) v2: - checking an error status by u-load_error to cover UNIT_ERROR case. diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index decd42f..ac52906 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -292,8 +292,12 @@ int mac_selinux_unit_access_check_strv(char **units, int r; STRV_FOREACH(i, units) { -u = manager_get_unit(m, *i); +r = manager_load_unit(m, *i, NULL, error, u); +if (r 0) +return r; if (u) { +if (u-load_error != 0) +return u-load_error; r = mac_selinux_unit_access_check(u, message, permission, error); if (r 0) return r; I commented on the issue now in github, could you please follow up there? https://github.com/systemd/systemd/pull/145 Lennart -- Lennart Poettering, Red Hat ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH v2] selinux: fix missing SELinux unit access check
Patchset imported to github. To create a pull request, one of the main developers has to initiate one via: https://github.com/systemd/systemd/compare/master...systemd-mailing-devs:20150610.144033.42163196.d.hatayama%40jp.fujitsu.com -- Generated by https://github.com/haraldh/mail2git ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: [systemd-devel] [PATCH v2] selinux: fix missing SELinux unit access check
Am 10.06.2015 um 08:05 schrieb systemd github import bot: Patchset imported to github. To create a pull request, one of the main developers has to initiate one via: https://github.com/systemd/systemd/compare/master...systemd-mailing-devs:20150610.144033.42163196.d.hatayama%40jp.fujitsu.com imported as PR: https://github.com/systemd/systemd/pull/145 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel
[systemd-devel] [PATCH v2] selinux: fix missing SELinux unit access check
I found an oversight in the previous v1 patch, found at http://lists.freedesktop.org/archives/systemd-devel/2015-June/032796.html, that u-load_state == UNIT_ERROR in the error path of unit_load(), that is: int unit_load(Unit *u) { int r; ...cut... fail: u-load_state = u-load_state == UNIT_STUB ? UNIT_NOT_FOUND : UNIT_ERROR; u-load_error = r; unit_add_to_dbus_queue(u); unit_add_to_gc_queue(u); log_unit_debug_errno(u, r, Failed to load configuration: %m); return r; } To fix this, this v2 version looks at u-load_error to check error status instead of u-load_state. How to reproduce Assume that test.service has not been loaded (even tried to get loaded) in this boot. Then, ~]# cat ./foo.sh #! /bin/sh mv test.service /etc/systemd/system systemctl daemon-reload systemctl enable test.service ~]# ./foo.sh Test I used selinux-context branch of https://github.com/keszybz/systemd.git in this test to avoid the issue in https://bugzilla.redhat.com/show_bug.cgi?id=1224211. -- Thanks. HATAYAMA, Daisuke From 398deee74edb06b54b8a74c25697cd6d977d8f2d Mon Sep 17 00:00:00 2001 From: HATAYAMA Daisuke d.hatay...@jp.fujitsu.com Date: Wed, 10 Jun 2015 14:10:31 +0900 Subject: [PATCH] selinux: fix missing SELinux unit access check Currently, SELinux unit access check is not performed if a given unit file has not been registered in a hash table. This is because function manager_get_unit() only tries to pick up a Unit object from a Unit hash table. Instead, we use function manager_load_unit() searching Unit file pathes for the given Unit file. --- src/core/selinux-access.c | 6 +- 1 file changed, 5 insertions(+), 1 deletion(-) v2: - checking an error status by u-load_error to cover UNIT_ERROR case. diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index decd42f..ac52906 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -292,8 +292,12 @@ int mac_selinux_unit_access_check_strv(char **units, int r; STRV_FOREACH(i, units) { -u = manager_get_unit(m, *i); +r = manager_load_unit(m, *i, NULL, error, u); +if (r 0) +return r; if (u) { +if (u-load_error != 0) +return u-load_error; r = mac_selinux_unit_access_check(u, message, permission, error); if (r 0) return r; -- 2.1.0 ___ systemd-devel mailing list systemd-devel@lists.freedesktop.org http://lists.freedesktop.org/mailman/listinfo/systemd-devel