Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

systemd-homed: various fixups #839

Merged
merged 16 commits into from
Dec 10, 2024
Merged

Conversation

WavyEbuilder
Copy link
Contributor

Commit messages for each commit should explain more, let me know if you have any more questions.

Thanks!

systemd-homed provides a varlink API with a unix socket at
/run/systemd/userdb/io.systemd.Home to query user account records. As
quite a few things will need to be able to query this API for basic
functionality to work - such as `groups(1)` being able to operate on
systemd-homed user accounts - let's make an interface for this.

Signed-off-by: Rahul Sandhu <[email protected]>
systemd-homed user records rely on being able to talk to the dbus and
varlink APIs provided to obtain basic account information such as user
id, name, group membership, etc as they do not have /etc/passwd,
/etc/group or /etc/shadow fields. For tty login to work for homed user
accounts, local_login_t needs to be able to lookup this information, so
let's grant it the ability to.

Signed-off-by: Rahul Sandhu <[email protected]>
systemd-homed user records stored in identity files are machine-id
specific and signed, so systemd-homed needs access to /etc/machine-id to
create those records properly.

Signed-off-by: Rahul Sandhu <[email protected]>
systemd-homed stores LUKS home images as `/home/username.home`, so let's
label that appropriately.

Signed-off-by: Rahul Sandhu <[email protected]>
For commands such as `groups(1)` to work, nsswitch_domain needs to be
able to talk to /run/systemd/userdb/io.systemd.Home to obtain
information on systemd-homed users.

Signed-off-by: Rahul Sandhu <[email protected]>
As systemd-homed's workdir is an internal one, and external domains may
be (reasonably) expected to connect to systemd_homed_runtime_t in the
future, let's create a new domain for systemd-homed's internal work to
differentiate between the two.

Signed-off-by: Rahul Sandhu <[email protected]>
systemd-homed needs access to `/run/cryptsetup` to properly setup and
unlock LUKS encrypted home directories.

Signed-off-by: Rahul Sandhu <[email protected]>
As systemd identity files contain sensitive data, such as password
hashes, let's create a new type systemd_homed_record_t for them. As
systemd_homework_t needs to be able to read, create, and delete these
files, let's give it permissions to do so.

Signed-off-by: Rahul Sandhu <[email protected]>
Copy link
Member

@pebenito pebenito left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also some lint issues in the github actions.

policy/modules/system/systemd.if Outdated Show resolved Hide resolved
policy/modules/system/systemd.fc Show resolved Hide resolved
policy/modules/system/systemd.te Outdated Show resolved Hide resolved
policy/modules/system/systemd.te Outdated Show resolved Hide resolved
@WavyEbuilder WavyEbuilder requested a review from pebenito December 4, 2024 21:48
policy/modules/system/systemd.if Show resolved Hide resolved
policy/modules/system/systemd.te Outdated Show resolved Hide resolved
@pebenito pebenito merged commit 3b28edc into SELinuxProject:main Dec 10, 2024
118 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants