fedora-selinux / selinux-policy

selinux-policy for Fedora is a large patch off the mainline
GNU General Public License v2.0

Label systemd configuration files with systemd_conf_t #2114

Closed zpytela closed 1 month ago

zpytela commented 1 month ago

The systemd_conf_t type was added as default file context for files with the .conf suffix and .conf.d directories in /etc/systemd, /run/systemd, and /usr/lib/systemd. The /usr/local/lib/systemd directory is covered by file equivalency. The systemd_domain attribute was allowed read access to these files.

Refer to https://github.com/systemd/systemd/blob/main/NEWS

CHANGES WITH 256-rc1: General Changes and New Features:

    * Various programs will now attempt to load the main configuration file
      from locations below /usr/lib/, /usr/local/lib/, and /run/, not just
      below /etc/. For example, systemd-logind will look for
      /etc/systemd/logind.conf, /run/systemd/logind.conf,
      /usr/local/lib/systemd/logind.conf, and /usr/lib/systemd/logind.conf,
      and use the first file that is found.  This means that the search
      logic for the main config file and for drop-ins is now the same.

Resolves: rhbz#2279923
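As an added example (not part of the PR or of selinux-policy), the following sketch audits `ls -Zd`-style output for paths that, per the description above, should carry `systemd_conf_t` but do not. The path regex is an approximation written from the PR text, not the policy's actual file-context entries; it assumes matching at any depth below the three roots, and the sample lines are constructed.

```python
import re

# Roots named in the PR description; /usr/local/lib/systemd is handled by equivalence.
ROOTS = ("/etc/systemd", "/run/systemd", "/usr/lib/systemd")
EQUIV = {"/usr/local/lib/systemd": "/usr/lib/systemd"}
EXPECTED_TYPE = "systemd_conf_t"

# Assumption: approximates "*.conf files and *.conf.d directories" under the roots.
_PATTERN = re.compile(
    r"^(?:%s)/(?:.+/)?[^/]+\.conf(?:\.d)?$" % "|".join(map(re.escape, ROOTS))
)

def normalize(path):
    """Apply the file equivalency before matching, as the PR description states."""
    for src, dst in EQUIV.items():
        if path == src or path.startswith(src + "/"):
            return dst + path[len(src):]
    return path

def should_be_systemd_conf(path):
    return bool(_PATTERN.match(normalize(path)))

def selinux_type(context):
    """Return the type field of user:role:type[:level]; None if unlabeled ('?')."""
    parts = context.split(":")
    return parts[2] if len(parts) >= 3 else None

def audit(lines):
    """Return (path, actual_type) for every covered path with a different type."""
    findings = []
    for line in lines:
        context, _, path = line.strip().partition(" ")
        path = path.strip()
        if path and should_be_systemd_conf(path):
            actual = selinux_type(context)
            if actual != EXPECTED_TYPE:
                findings.append((path, actual))
    return findings

# Constructed sample, in the "<context> <path>" form printed by `ls -Zd <paths>`.
SAMPLE = """\
system_u:object_r:systemd_conf_t:s0 /etc/systemd/logind.conf
system_u:object_r:etc_t:s0 /etc/systemd/journald.conf
system_u:object_r:systemd_conf_t:s0 /etc/systemd/system.conf.d
unconfined_u:object_r:lib_t:s0 /usr/local/lib/systemd/logind.conf
system_u:object_r:systemd_unit_file_t:s0 /usr/lib/systemd/system/sshd.service
system_u:object_r:etc_t:s0 /etc/ssh/sshd_config.d/50-redhat.conf
"""

if __name__ == "__main__":
    for path, actual in audit(SAMPLE.splitlines()):
        print(f"{path}: type {actual}, expected {EXPECTED_TYPE}")
```

Paths flagged this way on a system with the updated policy typically just need relabeling, for example with `restorecon`.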

packit-as-a-service[bot] commented 1 month ago

Cockpit tests failed for commit c02e96b814499fa10deb1dba7dcd1a059bb23ff7. @martinpitt, @jelly, @mvollmer please check.

martinpitt commented 1 month ago

Interesting -- this breaks systemctl disable --now dnf-automatic dnf-automatic-install, which feels a little too specific to this PR to be a coincidence. @mvollmer @jelly can you please take over? I'm on my way out to PTO, sorry.

zpytela commented 1 month ago

This PR was expected to have an unpredictable impact, but I don't see any relation to dnf, nor can I reproduce it. What I can confirm is some mess regarding dnf4 and dnf5 plugins in rawhide.

If you find any particular problem, please point me to it. I am not going to merge this PR right away.

AdamWill commented 1 month ago

@martinpitt We landed the move from dnf 4 to dnf 5 by default in rawhide yesterday. It seems more likely that that would cause the problem than this PR?

martinpitt commented 1 month ago

@AdamWill Ah! That would be it then, dnf5-automatic doesn't have the -install service/timer variant any more. Thanks!

packit-as-a-service[bot] commented 1 month ago

Cockpit tests failed for commit d5249315f51d9c316aee3b8c20079f30233cc6a4. @martinpitt, @jelly, @mvollmer please check.

packit-as-a-service[bot] commented 1 month ago

Cockpit tests failed for commit 119064be0e5a1e639daf8366dc440bdabffa79bb. @martinpitt, @jelly, @mvollmer please check.

packit-as-a-service[bot] commented 1 month ago

Cockpit tests failed for commit 6bba703294606cbee204a78b0e131c28c9033537. @martinpitt, @jelly, @mvollmer please check.

packit-as-a-service[bot] commented 1 month ago

Cockpit tests failed for commit c0bac7440cd8c15620fb6c254cb7379ceaaec3a5. @martinpitt, @jelly, @mvollmer please check.