Allow systemd-ssh-generator to load net-pf-40 #2329

Closed

Conversation

ca-hu
Contributor

@ca-hu ca-hu commented Aug 28, 2024

see:
https://www.freedesktop.org/software/systemd/man/devel/systemd-ssh-generator.html "systemd-ssh-generator binds a socket-activated SSH server to local AF_VSOCK"

and modinfo suggests net-pf-40 to be the kernel module for virtual sockets

Fixes:

Aug 22 05:17:20 localhost kernel: audit: type=1400 audit(1724303839.663:5): avc: denied { module_request } for pid=593 comm="systemd-ssh-gen" kmod="net-pf-40" scontext=system_u:system_r:systemd_ssh_generator_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0

Signed-off-by: Cathy Hu <[email protected]>

@zpytela
Contributor

zpytela commented Aug 28, 2024

@ca-hu I have 2 questions:

  • Do you use policy for F40 or was domain_kernel_load_modules turned off? In F41+ the permission is allowed by default for domain.

  • Do you have any comprehensive test for ssh-generator? So far, we seem to add permissions as they are reported for one use case; it would help if some real user of this feature could check what else is needed, especially when vsock is involved.

@@ -1366,6 +1366,7 @@ allow systemd_ssh_generator_t self:vsock_socket create;
allow systemd_ssh_generator_t vsock_device_t:chr_file { read_chr_file_perms };

dev_read_sysfs(systemd_ssh_generator_t)
kernel_request_load_module(systemd_ssh_generator_t)
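Review bot: the new `kernel_request_load_module(systemd_ssh_generator_t)` line at the end of the hunk is placed after `dev_read_sysfs(systemd_ssh_generator_t)`, but this file orders interface calls alphabetically with `kernel_*` calls exempted and placed first, so it should move above the `dev_read_sysfs` line. The commit message should also say what the interface actually grants: `kernel_t:system module_request` for any module name, since the `kmod="net-pf-40"` field in the AVC is audit detail and SELinux cannot scope the permission to one alias, so the generator gains the ability to trigger autoload of any aliased module, not just vsock. Given zpytela's note that F41+ policy already gives `domain` this permission by default, the change only matters on policies where `domain_kernel_load_modules` is off, and that scope belongs in the message too.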
Contributor

Please note kernel is exempt from alphabetical order and goes first.
https://github.com/fedora-selinux/selinux-policy/blob/rawhide/policy/modules/system/systemd.te#L608

@ca-hu
Contributor Author

ca-hu commented Aug 28, 2024

> Do you use policy for F40 or was domain_kernel_load_modules turned off? In F41+ the permission is allowed by default for domain.

Ah okay, no we just saw this downstream in the opensuse policy, I think we can close this then. Thanks!
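An added example, not code from this PR or from the fedora-selinux policy project: a POSIX shell script that performs the checks behind this thread. It parses the AVC line quoted in the description into the raw rule audit2allow would print, maps that rule to the refpolicy interface the hunk adds, resolves the `kmod="net-pf-40"` alias to the module name the way modprobe's alias lookup does, and, on a host with setools installed, asks `sesearch` whether the loaded policy already grants `module_request` to the domain (zpytela's point about F41+). The AVC line and the modules.alias excerpt are constructed copies embedded in the script so it runs offline; `policy_allows_module_request` is the only function that touches the host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the PR or the fedora-selinux policy: derive the
# policy change behind an AVC module_request denial and check the host.

# Constructed copy of the denial quoted in the PR description.
AVC_LINE='Aug 22 05:17:20 localhost kernel: audit: type=1400 audit(1724303839.663:5): avc:  denied  { module_request } for  pid=593 comm="systemd-ssh-gen" kmod="net-pf-40" scontext=system_u:system_r:systemd_ssh_generator_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=system permissive=0'

# Constructed excerpt of /lib/modules/$(uname -r)/modules.alias. A real file
# carries the same "alias net-pf-40 vsock" entry, generated from
# MODULE_ALIAS_NETPROTO(PF_VSOCK) in the vsock module.
MODULES_ALIAS='alias net-pf-40 vsock
alias net-pf-16-proto-12 nfnetlink'

# avc_field LINE KEY: the value of KEY=value in an AVC record, quotes stripped.
avc_field() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\{0,1\}\([^\" ]*\)\"\{0,1\}.*/\1/p"
}

# avc_perms LINE: the permission list between the braces, e.g. "module_request".
avc_perms() {
    printf '%s\n' "$1" | sed -n 's/.*{ *\([^}]*\)}.*/\1/p' | sed 's/^ *//; s/ *$//'
}

# ctx_type CONTEXT: the type field of user:role:type:level.
ctx_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_to_rule LINE: the raw allow rule audit2allow would print for the denial.
avc_to_rule() {
    _s=$(ctx_type "$(avc_field "$1" scontext)")
    _t=$(ctx_type "$(avc_field "$1" tcontext)")
    _c=$(avc_field "$1" tclass)
    _p=$(avc_perms "$1")
    printf 'allow %s %s:%s { %s };\n' "$_s" "$_t" "$_c" "$_p"
}

# rule_to_interface RULE: the refpolicy interface that carries this one rule;
# kernel_request_load_module() expands to "allow $1 kernel_t:system
# module_request;". Any other rule is passed through unchanged.
rule_to_interface() {
    case "$1" in
        "allow "*" kernel_t:system { module_request };")
            _dom=${1#allow }
            _dom=${_dom%% *}
            printf 'kernel_request_load_module(%s)\n' "$_dom" ;;
        *)
            printf '%s\n' "$1" ;;
    esac
}

# resolve_alias ALIAS [FILE]: the module behind an exact modules.alias entry,
# the lookup modprobe does when the kernel requests "net-pf-40" for a socket
# family it has no handler for. Uses the constructed table unless a real
# modules.alias path is given; wildcard aliases are not expanded here.
resolve_alias() {
    if [ -n "${2:-}" ]; then
        _src=$(cat "$2")
    else
        _src=$MODULES_ALIAS
    fi
    printf '%s\n' "$_src" | awk -v a="$1" '$1 == "alias" && $2 == a { print $3; exit }'
}

# policy_allows_module_request DOMAIN: returns 0 if the loaded policy already
# grants kernel_t:system module_request to DOMAIN (the F41+ default zpytela
# describes), 1 if it does not, 2 if setools' sesearch is not installed.
policy_allows_module_request() {
    command -v sesearch >/dev/null 2>&1 || return 2
    sesearch -A -s "$1" -t kernel_t -c system -p module_request | grep -q .
}

rule=$(avc_to_rule "$AVC_LINE")
printf 'raw rule:   %s\n' "$rule"
printf 'interface:  %s\n' "$(rule_to_interface "$rule")"
kmod=$(avc_field "$AVC_LINE" kmod)
printf 'kmod %s -> module %s\n' "$kmod" "$(resolve_alias "$kmod")"
```

Run it with `sh`; on a live host `modprobe -R net-pf-40` performs the same alias lookup as `resolve_alias`, and `policy_allows_module_request systemd_ssh_generator_t` tells you whether the interface call is still needed on that policy. The rule is not scoped to a module: `module_request` is granted on `kernel_t:system` as a whole and the `kmod=` field is audit detail only, so the decision is whether the domain may trigger module autoload at all.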

@ca-hu ca-hu closed this Aug 28, 2024