| Message ID | 20230117172050.18462-1-cgzones@googlemail.com (mailing list archive) |
|---|---|
| State | Accepted |
| Delegated to: | Petr Lautrbach |
| Headers | show |
| Series | mcstrans: preserve runtime directory | expand |
On Tue, Jan 17, 2023 at 12:36 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > Do not remove the runtime directory /run/setrans/, which is the parent > for the security context translation socket .setrans-unix, when the > service is stopped, so the path can not be taken over by a foreign > program, which could lead to a compromise of the context translation of > libselinux. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > mcstrans/src/mcstrans.service | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/mcstrans/src/mcstrans.service b/mcstrans/src/mcstrans.service > index c13cd09a..fdcfb0d4 100644 > --- a/mcstrans/src/mcstrans.service > +++ b/mcstrans/src/mcstrans.service > @@ -9,6 +9,7 @@ Conflicts=shutdown.target > [Service] > ExecStart=/sbin/mcstransd -f > RuntimeDirectory=setrans > +RuntimeDirectoryPreserve=true > > [Install] > WantedBy=multi-user.target > -- > 2.39.0 >
Christian Göttsche <cgzones@googlemail.com> writes: > Do not remove the runtime directory /run/setrans/, which is the parent > for the security context translation socket .setrans-unix, when the > service is stopped, so the path can not be taken over by a foreign > program, which could lead to a compromise of the context translation of > libselinux. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> I lost Jim's Acked-by mail but according to https://lore.kernel.org/all/CAP+JOzSvvg_2pZ6aeLGs9Oqh2nK0zpBGAURwbofh9DSAT39iVw@mail.gmail.com/ it was acked and it's merged now. Thanks. > --- > mcstrans/src/mcstrans.service | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/mcstrans/src/mcstrans.service b/mcstrans/src/mcstrans.service > index c13cd09a..fdcfb0d4 100644 > --- a/mcstrans/src/mcstrans.service > +++ b/mcstrans/src/mcstrans.service > @@ -9,6 +9,7 @@ Conflicts=shutdown.target > [Service] > ExecStart=/sbin/mcstransd -f > RuntimeDirectory=setrans > +RuntimeDirectoryPreserve=true > > [Install] > WantedBy=multi-user.target > -- > 2.39.0
diff --git a/mcstrans/src/mcstrans.service b/mcstrans/src/mcstrans.service index c13cd09a..fdcfb0d4 100644 --- a/mcstrans/src/mcstrans.service +++ b/mcstrans/src/mcstrans.service @@ -9,6 +9,7 @@ Conflicts=shutdown.target [Service] ExecStart=/sbin/mcstransd -f RuntimeDirectory=setrans +RuntimeDirectoryPreserve=true [Install] WantedBy=multi-user.target
Do not remove the runtime directory /run/setrans/, which is the parent for the security context translation socket .setrans-unix, when the service is stopped, so the path can not be taken over by a foreign program, which could lead to a compromise of the context translation of libselinux. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- mcstrans/src/mcstrans.service | 1 + 1 file changed, 1 insertion(+)