This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/admin/aide.te | 1 -
policy/modules/admin/usermanage.te | 5 -----
policy/modules/services/dbus.te | 3 ---
policy/modules/system/authlogin.te | 5 -----
policy/modules/system/init.if | 2 --
policy/modules/system/init.te | 3 ---
policy/modules/system/logging.if | 2 ++
policy/modules/system/logging.te | 4 ----
policy/modules/system/systemd.te | 5 -----
policy/modules/system/udev.te | 1 -
10 files changed, 2 insertions(+), 29 deletions(-)
diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index 30deba09..f5e64a86 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
-kernel_dgram_send(aide_t)
kernel_read_crypto_sysctls(aide_t)
logging_send_audit_msgs(aide_t)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 5753741b..4a10bf84 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t)
# on user home dir
userdom_dontaudit_search_user_home_content(passwd_t)
-ifdef(`init_systemd',`
- # for journald /dev/log
- kernel_dgram_send(passwd_t)
-')
-
optional_policy(`
nscd_run(passwd_t, passwd_roles)
')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 9c085876..c05370dd 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -162,9 +162,6 @@ ifdef(`init_systemd', `
# for /run/systemd/dynamic-uid/
init_list_pids(system_dbusd_t)
init_read_runtime_symlinks(system_dbusd_t)
-
- # for journald /dev/log
- kernel_dgram_send(system_dbusd_t)
')
optional_policy(`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 28f74bac..2cf86952 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',`
')
')
-ifdef(`init_systemd',`
- # for journald /dev/log
- kernel_dgram_send(chkpwd_t)
-')
-
optional_policy(`
# apache leaks file descriptors
apache_dontaudit_rw_tcp_sockets(chkpwd_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index fef2c88e..00bd4991 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -306,8 +306,6 @@ interface(`init_daemon_domain',`
ifdef(`init_systemd',`
init_domain($1, $2)
- # this may be because of late labelling
- kernel_dgram_send($1)
allow $1 init_t:unix_dgram_socket sendto;
')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a12d151b..3e8eb2da 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -272,7 +272,6 @@ ifdef(`init_systemd',`
kernel_dyntrans_to(init_t)
kernel_read_network_state(init_t)
- kernel_dgram_send(init_t)
kernel_stream_connect(init_t)
kernel_getattr_proc(init_t)
kernel_read_fs_sysctls(init_t)
@@ -969,8 +968,6 @@ ifdef(`init_systemd',`
allow initrc_t systemdunit:service reload;
allow initrc_t init_script_file_type:service { stop start status reload };
- kernel_dgram_send(initrc_t)
-
# run systemd misc initializations
# in the initrc_t domain, as would be
# done in traditional sysvinit/upstart.
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 7b7644f7..1f696b7f 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',`
ifdef(`init_systemd',`
# Allow systemd-journald to check whether the process died
allow syslogd_t $1:process signull;
+
+ kernel_dgram_send($1)
')
')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0c5be1cd..02f268ea 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t)
sysnet_dns_name_resolve(audisp_t)
-ifdef(`init_systemd',`
- kernel_dgram_send(audisp_t)
-')
-
optional_policy(`
dbus_system_bus_client(audisp_t)
')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f6455f6f..cf9241c0 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -266,7 +266,6 @@ systemd_log_parse_environment(systemd_gpt_generator_t)
allow systemd_cgroups_t self:capability net_admin;
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
-kernel_dgram_send(systemd_cgroups_t)
# for /proc/cmdline
kernel_read_system_state(systemd_cgroups_t)
@@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_netw
manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
-kernel_dgram_send(systemd_networkd_t)
kernel_read_system_state(systemd_networkd_t)
kernel_read_kernel_sysctls(systemd_networkd_t)
kernel_read_network_state(systemd_networkd_t)
@@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t)
init_dgram_send(systemd_networkd_t)
init_read_state(systemd_networkd_t)
-logging_send_syslog_msg(systemd_networkd_t)
-
miscfiles_read_localization(systemd_networkd_t)
sysnet_read_config(systemd_networkd_t)
@@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
dev_read_sysfs(systemd_resolved_t)
-kernel_dgram_send(systemd_resolved_t)
kernel_read_crypto_sysctls(systemd_resolved_t)
kernel_read_kernel_sysctls(systemd_resolved_t)
kernel_read_net_sysctls(systemd_resolved_t)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index ff564280..f00de30d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t)
kernel_read_kernel_sysctls(udev_t)
kernel_rw_hotplug_sysctls(udev_t)
kernel_rw_unix_dgram_sockets(udev_t)
-kernel_dgram_send(udev_t)
kernel_signal(udev_t)
kernel_search_debugfs(udev_t)
kernel_search_key(udev_t)
--
2.20.1
Why does the kernel need such access?
On Wednesday, 10 April 2019 1:09:59 AM AEST Sugar, David wrote:
> This patch is based on comments from previous a patch to
> remove the many uses of kernel_dgram_send() and incorporate
> it into logging_send_syslog_msg().
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/admin/aide.te | 1 -
> policy/modules/admin/usermanage.te | 5 -----
> policy/modules/services/dbus.te | 3 ---
> policy/modules/system/authlogin.te | 5 -----
> policy/modules/system/init.if | 2 --
> policy/modules/system/init.te | 3 ---
> policy/modules/system/logging.if | 2 ++
> policy/modules/system/logging.te | 4 ----
> policy/modules/system/systemd.te | 5 -----
> policy/modules/system/udev.te | 1 -
> 10 files changed, 2 insertions(+), 29 deletions(-)
>
> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
> index 30deba09..f5e64a86 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file)
> files_read_all_files(aide_t)
> files_read_all_symlinks(aide_t)
>
> -kernel_dgram_send(aide_t)
> kernel_read_crypto_sysctls(aide_t)
>
> logging_send_audit_msgs(aide_t)
> diff --git a/policy/modules/admin/usermanage.te
> b/policy/modules/admin/usermanage.te
index 5753741b..4a10bf84 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t)
> # on user home dir
> userdom_dontaudit_search_user_home_content(passwd_t)
>
> -ifdef(`init_systemd',`
> - # for journald /dev/log
> - kernel_dgram_send(passwd_t)
> -')
> -
> optional_policy(`
> nscd_run(passwd_t, passwd_roles)
> ')
> diff --git a/policy/modules/services/dbus.te
> b/policy/modules/services/dbus.te
index 9c085876..c05370dd 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -162,9 +162,6 @@ ifdef(`init_systemd', `
> # for /run/systemd/dynamic-uid/
> init_list_pids(system_dbusd_t)
> init_read_runtime_symlinks(system_dbusd_t)
> -
> - # for journald /dev/log
> - kernel_dgram_send(system_dbusd_t)
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/authlogin.te
> b/policy/modules/system/authlogin.te
index 28f74bac..2cf86952 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',`
> ')
> ')
>
> -ifdef(`init_systemd',`
> - # for journald /dev/log
> - kernel_dgram_send(chkpwd_t)
> -')
> -
> optional_policy(`
> # apache leaks file descriptors
> apache_dontaudit_rw_tcp_sockets(chkpwd_t)
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index fef2c88e..00bd4991 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -306,8 +306,6 @@ interface(`init_daemon_domain',`
>
> ifdef(`init_systemd',`
> init_domain($1, $2)
> - # this may be because of late labelling
> - kernel_dgram_send($1)
>
> allow $1 init_t:unix_dgram_socket sendto;
> ')
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index a12d151b..3e8eb2da 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -272,7 +272,6 @@ ifdef(`init_systemd',`
>
> kernel_dyntrans_to(init_t)
> kernel_read_network_state(init_t)
> - kernel_dgram_send(init_t)
> kernel_stream_connect(init_t)
> kernel_getattr_proc(init_t)
> kernel_read_fs_sysctls(init_t)
> @@ -969,8 +968,6 @@ ifdef(`init_systemd',`
> allow initrc_t systemdunit:service reload;
> allow initrc_t init_script_file_type:service { stop start status reload
> };
> - kernel_dgram_send(initrc_t)
> -
> # run systemd misc initializations
> # in the initrc_t domain, as would be
> # done in traditional sysvinit/upstart.
> diff --git a/policy/modules/system/logging.if
> b/policy/modules/system/logging.if
index 7b7644f7..1f696b7f 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',`
> ifdef(`init_systemd',`
> # Allow systemd-journald to check whether the process died
> allow syslogd_t $1:process signull;
> +
> + kernel_dgram_send($1)
> ')
> ')
>
> diff --git a/policy/modules/system/logging.te
> b/policy/modules/system/logging.te
index 0c5be1cd..02f268ea 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t)
>
> sysnet_dns_name_resolve(audisp_t)
>
> -ifdef(`init_systemd',`
> - kernel_dgram_send(audisp_t)
> -')
> -
> optional_policy(`
> dbus_system_bus_client(audisp_t)
> ')
> diff --git a/policy/modules/system/systemd.te
> b/policy/modules/system/systemd.te
index f6455f6f..cf9241c0 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -266,7 +266,6 @@ systemd_log_parse_environment(systemd_gpt_generator_t)
> allow systemd_cgroups_t self:capability net_admin;
>
> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
> -kernel_dgram_send(systemd_cgroups_t)
> # for /proc/cmdline
> kernel_read_system_state(systemd_cgroups_t)
>
> @@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t,
> systemd_networkd_var_run_t, systemd_netw
> manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t,
> systemd_networkd_var_run_t) manage_lnk_files_pattern(systemd_networkd_t,
> systemd_networkd_var_run_t, systemd_networkd_var_run_t)
> -kernel_dgram_send(systemd_networkd_t)
> kernel_read_system_state(systemd_networkd_t)
> kernel_read_kernel_sysctls(systemd_networkd_t)
> kernel_read_network_state(systemd_networkd_t)
> @@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t)
> init_dgram_send(systemd_networkd_t)
> init_read_state(systemd_networkd_t)
>
> -logging_send_syslog_msg(systemd_networkd_t)
> -
> miscfiles_read_localization(systemd_networkd_t)
>
> sysnet_read_config(systemd_networkd_t)
> @@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t,
> systemd_resolved_var_run_t, dir)
> dev_read_sysfs(systemd_resolved_t)
>
> -kernel_dgram_send(systemd_resolved_t)
> kernel_read_crypto_sysctls(systemd_resolved_t)
> kernel_read_kernel_sysctls(systemd_resolved_t)
> kernel_read_net_sysctls(systemd_resolved_t)
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index ff564280..f00de30d 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t)
> kernel_read_kernel_sysctls(udev_t)
> kernel_rw_hotplug_sysctls(udev_t)
> kernel_rw_unix_dgram_sockets(udev_t)
> -kernel_dgram_send(udev_t)
> kernel_signal(udev_t)
> kernel_search_debugfs(udev_t)
> kernel_search_key(udev_t)
> --
> 2.20.1
>
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On 4/9/19 9:00 PM, Russell Coker wrote:
> Why does the kernel need such access?
I'm not sure I understand your question. Are you asking why the
kernel_dgram_send() access is needed by syslog? This is because many
domains send messages to the journal.
I have been adding this interface as needed throughout the policy as I'm
seeing issues. It was suggested to move this interface use into
logging_send_syslog_msg as that is the same concept and most domains log
already.
This patch is mostly removing uses of kernel_dgram_send and just adding
it one place.
>
> On Wednesday, 10 April 2019 1:09:59 AM AEST Sugar, David wrote:
>> This patch is based on comments from previous a patch to
>> remove the many uses of kernel_dgram_send() and incorporate
>> it into logging_send_syslog_msg().
>>
>> Signed-off-by: Dave Sugar <[email protected]>
>> ---
>> policy/modules/admin/aide.te | 1 -
>> policy/modules/admin/usermanage.te | 5 -----
>> policy/modules/services/dbus.te | 3 ---
>> policy/modules/system/authlogin.te | 5 -----
>> policy/modules/system/init.if | 2 --
>> policy/modules/system/init.te | 3 ---
>> policy/modules/system/logging.if | 2 ++
>> policy/modules/system/logging.te | 4 ----
>> policy/modules/system/systemd.te | 5 -----
>> policy/modules/system/udev.te | 1 -
>> 10 files changed, 2 insertions(+), 29 deletions(-)
>>
>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
>> index 30deba09..f5e64a86 100644
>> --- a/policy/modules/admin/aide.te
>> +++ b/policy/modules/admin/aide.te
>> @@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>> files_read_all_files(aide_t)
>> files_read_all_symlinks(aide_t)
>>
>> -kernel_dgram_send(aide_t)
>> kernel_read_crypto_sysctls(aide_t)
>>
>> logging_send_audit_msgs(aide_t)
>> diff --git a/policy/modules/admin/usermanage.te
>> b/policy/modules/admin/usermanage.te
> index 5753741b..4a10bf84 100644
>> --- a/policy/modules/admin/usermanage.te
>> +++ b/policy/modules/admin/usermanage.te
>> @@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t)
>> # on user home dir
>> userdom_dontaudit_search_user_home_content(passwd_t)
>>
>> -ifdef(`init_systemd',`
>> - # for journald /dev/log
>> - kernel_dgram_send(passwd_t)
>> -')
>> -
>> optional_policy(`
>> nscd_run(passwd_t, passwd_roles)
>> ')
>> diff --git a/policy/modules/services/dbus.te
>> b/policy/modules/services/dbus.te
> index 9c085876..c05370dd 100644
>> --- a/policy/modules/services/dbus.te
>> +++ b/policy/modules/services/dbus.te
>> @@ -162,9 +162,6 @@ ifdef(`init_systemd', `
>> # for /run/systemd/dynamic-uid/
>> init_list_pids(system_dbusd_t)
>> init_read_runtime_symlinks(system_dbusd_t)
>> -
>> - # for journald /dev/log
>> - kernel_dgram_send(system_dbusd_t)
>> ')
>>
>> optional_policy(`
>> diff --git a/policy/modules/system/authlogin.te
>> b/policy/modules/system/authlogin.te
> index 28f74bac..2cf86952 100644
>> --- a/policy/modules/system/authlogin.te
>> +++ b/policy/modules/system/authlogin.te
>> @@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',`
>> ')
>> ')
>>
>> -ifdef(`init_systemd',`
>> - # for journald /dev/log
>> - kernel_dgram_send(chkpwd_t)
>> -')
>> -
>> optional_policy(`
>> # apache leaks file descriptors
>> apache_dontaudit_rw_tcp_sockets(chkpwd_t)
>> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
>> index fef2c88e..00bd4991 100644
>> --- a/policy/modules/system/init.if
>> +++ b/policy/modules/system/init.if
>> @@ -306,8 +306,6 @@ interface(`init_daemon_domain',`
>>
>> ifdef(`init_systemd',`
>> init_domain($1, $2)
>> - # this may be because of late labelling
>> - kernel_dgram_send($1)
>>
>> allow $1 init_t:unix_dgram_socket sendto;
>> ')
>> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
>> index a12d151b..3e8eb2da 100644
>> --- a/policy/modules/system/init.te
>> +++ b/policy/modules/system/init.te
>> @@ -272,7 +272,6 @@ ifdef(`init_systemd',`
>>
>> kernel_dyntrans_to(init_t)
>> kernel_read_network_state(init_t)
>> - kernel_dgram_send(init_t)
>> kernel_stream_connect(init_t)
>> kernel_getattr_proc(init_t)
>> kernel_read_fs_sysctls(init_t)
>> @@ -969,8 +968,6 @@ ifdef(`init_systemd',`
>> allow initrc_t systemdunit:service reload;
>> allow initrc_t init_script_file_type:service { stop start status reload
>> };
>
>> - kernel_dgram_send(initrc_t)
>> -
>> # run systemd misc initializations
>> # in the initrc_t domain, as would be
>> # done in traditional sysvinit/upstart.
>> diff --git a/policy/modules/system/logging.if
>> b/policy/modules/system/logging.if
> index 7b7644f7..1f696b7f 100644
>> --- a/policy/modules/system/logging.if
>> +++ b/policy/modules/system/logging.if
>> @@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',`
>> ifdef(`init_systemd',`
>> # Allow systemd-journald to check whether the process died
>> allow syslogd_t $1:process signull;
>> +
>> + kernel_dgram_send($1)
>> ')
>> ')
>>
>> diff --git a/policy/modules/system/logging.te
>> b/policy/modules/system/logging.te
> index 0c5be1cd..02f268ea 100644
>> --- a/policy/modules/system/logging.te
>> +++ b/policy/modules/system/logging.te
>> @@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t)
>>
>> sysnet_dns_name_resolve(audisp_t)
>>
>> -ifdef(`init_systemd',`
>> - kernel_dgram_send(audisp_t)
>> -')
>> -
>> optional_policy(`
>> dbus_system_bus_client(audisp_t)
>> ')
>> diff --git a/policy/modules/system/systemd.te
>> b/policy/modules/system/systemd.te
> index f6455f6f..cf9241c0 100644
>> --- a/policy/modules/system/systemd.te
>> +++ b/policy/modules/system/systemd.te
>> @@ -266,7 +266,6 @@ systemd_log_parse_environment(systemd_gpt_generator_t)
>> allow systemd_cgroups_t self:capability net_admin;
>>
>> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
>> -kernel_dgram_send(systemd_cgroups_t)
>> # for /proc/cmdline
>> kernel_read_system_state(systemd_cgroups_t)
>>
>> @@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t,
>> systemd_networkd_var_run_t, systemd_netw
>> manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t,
>> systemd_networkd_var_run_t) manage_lnk_files_pattern(systemd_networkd_t,
>> systemd_networkd_var_run_t, systemd_networkd_var_run_t)
>> -kernel_dgram_send(systemd_networkd_t)
>> kernel_read_system_state(systemd_networkd_t)
>> kernel_read_kernel_sysctls(systemd_networkd_t)
>> kernel_read_network_state(systemd_networkd_t)
>> @@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t)
>> init_dgram_send(systemd_networkd_t)
>> init_read_state(systemd_networkd_t)
>>
>> -logging_send_syslog_msg(systemd_networkd_t)
>> -
>> miscfiles_read_localization(systemd_networkd_t)
>>
>> sysnet_read_config(systemd_networkd_t)
>> @@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t,
>> systemd_resolved_var_run_t, dir)
>
>> dev_read_sysfs(systemd_resolved_t)
>>
>> -kernel_dgram_send(systemd_resolved_t)
>> kernel_read_crypto_sysctls(systemd_resolved_t)
>> kernel_read_kernel_sysctls(systemd_resolved_t)
>> kernel_read_net_sysctls(systemd_resolved_t)
>> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
>> index ff564280..f00de30d 100644
>> --- a/policy/modules/system/udev.te
>> +++ b/policy/modules/system/udev.te
>> @@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t)
>> kernel_read_kernel_sysctls(udev_t)
>> kernel_rw_hotplug_sysctls(udev_t)
>> kernel_rw_unix_dgram_sockets(udev_t)
>> -kernel_dgram_send(udev_t)
>> kernel_signal(udev_t)
>> kernel_search_debugfs(udev_t)
>> kernel_search_key(udev_t)
>> --
>> 2.20.1
>>
>
Why is a socket that everything sends to labeled as kernel_t?
On Wednesday, 10 April 2019 11:07:29 AM AEST Sugar, David wrote:
> On 4/9/19 9:00 PM, Russell Coker wrote:
>
> > Why does the kernel need such access?
>
>
> I'm not sure I understand your question. Are you asking why the
> kernel_dgram_send() access is needed by syslog? This is because many
> domains send messages to the journal.
>
> I have been adding this interface as needed throughout the policy as I'm
> seeing issues. It was suggested to move this interface use into
> logging_send_syslog_msg as that is the same concept and most domains log
> already.
>
> This patch is mostly removing uses of kernel_dgram_send and just adding
> it one place.
>
>
> >
> > On Wednesday, 10 April 2019 1:09:59 AM AEST Sugar, David wrote:
> >
> >> This patch is based on comments from previous a patch to
> >> remove the many uses of kernel_dgram_send() and incorporate
> >> it into logging_send_syslog_msg().
> >>
> >>
> >>
> >> Signed-off-by: Dave Sugar <[email protected]>
> >> ---
> >>
> >> policy/modules/admin/aide.te | 1 -
> >> policy/modules/admin/usermanage.te | 5 -----
> >> policy/modules/services/dbus.te | 3 ---
> >> policy/modules/system/authlogin.te | 5 -----
> >> policy/modules/system/init.if | 2 --
> >> policy/modules/system/init.te | 3 ---
> >> policy/modules/system/logging.if | 2 ++
> >> policy/modules/system/logging.te | 4 ----
> >> policy/modules/system/systemd.te | 5 -----
> >> policy/modules/system/udev.te | 1 -
> >> 10 files changed, 2 insertions(+), 29 deletions(-)
> >>
> >>
> >>
> >> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
> >> index 30deba09..f5e64a86 100644
> >> --- a/policy/modules/admin/aide.te
> >> +++ b/policy/modules/admin/aide.te
> >> @@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file)
> >>
> >> files_read_all_files(aide_t)
> >> files_read_all_symlinks(aide_t)
> >>
> >>
> >> -kernel_dgram_send(aide_t)
> >>
> >> kernel_read_crypto_sysctls(aide_t)
> >>
> >> logging_send_audit_msgs(aide_t)
> >>
> >> diff --git a/policy/modules/admin/usermanage.te
> >> b/policy/modules/admin/usermanage.te
> >>
> > index 5753741b..4a10bf84 100644
> >>
> >> --- a/policy/modules/admin/usermanage.te
> >> +++ b/policy/modules/admin/usermanage.te
> >> @@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t)
> >>
> >> # on user home dir
> >> userdom_dontaudit_search_user_home_content(passwd_t)
> >>
> >>
> >> -ifdef(`init_systemd',`
> >> - # for journald /dev/log
> >> - kernel_dgram_send(passwd_t)
> >> -')
> >> -
> >>
> >> optional_policy(`
> >>
> >> nscd_run(passwd_t, passwd_roles)
> >>
> >> ')
> >>
> >> diff --git a/policy/modules/services/dbus.te
> >> b/policy/modules/services/dbus.te
> >>
> > index 9c085876..c05370dd 100644
> >>
> >> --- a/policy/modules/services/dbus.te
> >> +++ b/policy/modules/services/dbus.te
> >> @@ -162,9 +162,6 @@ ifdef(`init_systemd', `
> >>
> >> # for /run/systemd/dynamic-uid/
> >> init_list_pids(system_dbusd_t)
> >> init_read_runtime_symlinks(system_dbusd_t)
> >>
> >> -
> >> - # for journald /dev/log
> >> - kernel_dgram_send(system_dbusd_t)
> >>
> >> ')
> >>
> >> optional_policy(`
> >>
> >> diff --git a/policy/modules/system/authlogin.te
> >> b/policy/modules/system/authlogin.te
> >>
> > index 28f74bac..2cf86952 100644
> >>
> >> --- a/policy/modules/system/authlogin.te
> >> +++ b/policy/modules/system/authlogin.te
> >> @@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',`
> >>
> >> ')
> >>
> >> ')
> >>
> >>
> >> -ifdef(`init_systemd',`
> >> - # for journald /dev/log
> >> - kernel_dgram_send(chkpwd_t)
> >> -')
> >> -
> >>
> >> optional_policy(`
> >>
> >> # apache leaks file descriptors
> >> apache_dontaudit_rw_tcp_sockets(chkpwd_t)
> >>
> >> diff --git a/policy/modules/system/init.if
> >> b/policy/modules/system/init.if
> >> index fef2c88e..00bd4991 100644
> >> --- a/policy/modules/system/init.if
> >> +++ b/policy/modules/system/init.if
> >> @@ -306,8 +306,6 @@ interface(`init_daemon_domain',`
> >>
> >>
> >>
> >> ifdef(`init_systemd',`
> >>
> >> init_domain($1, $2)
> >>
> >> - # this may be because of late labelling
> >> - kernel_dgram_send($1)
> >>
> >>
> >>
> >> allow $1 init_t:unix_dgram_socket sendto;
> >>
> >> ')
> >>
> >> diff --git a/policy/modules/system/init.te
> >> b/policy/modules/system/init.te
> >> index a12d151b..3e8eb2da 100644
> >> --- a/policy/modules/system/init.te
> >> +++ b/policy/modules/system/init.te
> >> @@ -272,7 +272,6 @@ ifdef(`init_systemd',`
> >>
> >>
> >>
> >> kernel_dyntrans_to(init_t)
> >> kernel_read_network_state(init_t)
> >>
> >> - kernel_dgram_send(init_t)
> >>
> >> kernel_stream_connect(init_t)
> >> kernel_getattr_proc(init_t)
> >> kernel_read_fs_sysctls(init_t)
> >>
> >> @@ -969,8 +968,6 @@ ifdef(`init_systemd',`
> >>
> >> allow initrc_t systemdunit:service reload;
> >> allow initrc_t init_script_file_type:service { stop start status
> >> reload
> >>
> >> };
> >>
> >
> >>
> >> - kernel_dgram_send(initrc_t)
> >> -
> >>
> >> # run systemd misc initializations
> >> # in the initrc_t domain, as would be
> >> # done in traditional sysvinit/upstart.
> >>
> >> diff --git a/policy/modules/system/logging.if
> >> b/policy/modules/system/logging.if
> >>
> > index 7b7644f7..1f696b7f 100644
> >>
> >> --- a/policy/modules/system/logging.if
> >> +++ b/policy/modules/system/logging.if
> >> @@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',`
> >>
> >> ifdef(`init_systemd',`
> >>
> >> # Allow systemd-journald to check whether the process died
> >> allow syslogd_t $1:process signull;
> >>
> >> +
> >> + kernel_dgram_send($1)
> >>
> >> ')
> >>
> >> ')
> >>
> >>
> >> diff --git a/policy/modules/system/logging.te
> >> b/policy/modules/system/logging.te
> >>
> > index 0c5be1cd..02f268ea 100644
> >>
> >> --- a/policy/modules/system/logging.te
> >> +++ b/policy/modules/system/logging.te
> >> @@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t)
> >>
> >>
> >> sysnet_dns_name_resolve(audisp_t)
> >>
> >>
> >> -ifdef(`init_systemd',`
> >> - kernel_dgram_send(audisp_t)
> >> -')
> >> -
> >>
> >> optional_policy(`
> >>
> >> dbus_system_bus_client(audisp_t)
> >>
> >> ')
> >>
> >> diff --git a/policy/modules/system/systemd.te
> >> b/policy/modules/system/systemd.te
> >>
> > index f6455f6f..cf9241c0 100644
> >>
> >> --- a/policy/modules/system/systemd.te
> >> +++ b/policy/modules/system/systemd.te
> >> @@ -266,7 +266,6 @@
> >> systemd_log_parse_environment(systemd_gpt_generator_t)
> >>
> >> allow systemd_cgroups_t self:capability net_admin;
> >>
> >> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
> >>
> >> -kernel_dgram_send(systemd_cgroups_t)
> >>
> >> # for /proc/cmdline
> >> kernel_read_system_state(systemd_cgroups_t)
> >>
> >>
> >> @@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t,
> >> systemd_networkd_var_run_t, systemd_netw
> >> manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t,
> >> systemd_networkd_var_run_t) manage_lnk_files_pattern(systemd_networkd_t,
> >> systemd_networkd_var_run_t, systemd_networkd_var_run_t)
> >> -kernel_dgram_send(systemd_networkd_t)
> >>
> >> kernel_read_system_state(systemd_networkd_t)
> >> kernel_read_kernel_sysctls(systemd_networkd_t)
> >> kernel_read_network_state(systemd_networkd_t)
> >>
> >> @@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t)
> >>
> >> init_dgram_send(systemd_networkd_t)
> >> init_read_state(systemd_networkd_t)
> >>
> >>
> >> -logging_send_syslog_msg(systemd_networkd_t)
> >> -
> >>
> >> miscfiles_read_localization(systemd_networkd_t)
> >>
> >> sysnet_read_config(systemd_networkd_t)
> >>
> >> @@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t,
> >> systemd_resolved_var_run_t, dir)
> >>
> >
> >
> >> dev_read_sysfs(systemd_resolved_t)
> >>
> >>
> >> -kernel_dgram_send(systemd_resolved_t)
> >>
> >> kernel_read_crypto_sysctls(systemd_resolved_t)
> >> kernel_read_kernel_sysctls(systemd_resolved_t)
> >> kernel_read_net_sysctls(systemd_resolved_t)
> >>
> >> diff --git a/policy/modules/system/udev.te
> >> b/policy/modules/system/udev.te
> >> index ff564280..f00de30d 100644
> >> --- a/policy/modules/system/udev.te
> >> +++ b/policy/modules/system/udev.te
> >> @@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t)
> >>
> >> kernel_read_kernel_sysctls(udev_t)
> >> kernel_rw_hotplug_sysctls(udev_t)
> >> kernel_rw_unix_dgram_sockets(udev_t)
> >>
> >> -kernel_dgram_send(udev_t)
> >>
> >> kernel_signal(udev_t)
> >> kernel_search_debugfs(udev_t)
> >> kernel_search_key(udev_t)
> >>
> >> --
> >> 2.20.1
> >>
> >>
> >>
> >
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On 4/9/19 9:39 PM, Russell Coker wrote:
> Why is a socket that everything sends to labeled as kernel_t?
>
I see, it is happening during the system booting. /dev/log and
/run/systemd/journal/socket are both labeled kernel_t early in the boot
process. At some point they are either relabeled or recreated with
devlog_t. But without this rule the system won't boot (I have tried).
Here are a small sample of the denials I get without these rules.
type=AVC msg=audit(1554904080.089:5018): avc: denied { sendto } for
pid=7559 comm="auditd" path="/dev/log"
scontext=system_u:system_r:auditd_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1554904080.155:5138): avc: denied { sendto } for
pid=7590 comm="systemd-cgroups" path="/run/systemd/journal/socket"
scontext=system_u:system_r:systemd_cgroups_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1554904080.158:5142): avc: denied { sendto } for
pid=7591 comm="systemd-update-" path="/run/systemd/journal/socket"
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1554904467.831:181): avc: denied { sendto } for
pid=7510 comm="chronyd" path="/dev/log"
scontext=system_u:system_r:chronyd_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1554904467.842:190): avc: denied { sendto } for
pid=7498 comm="dbus-daemon" path="/dev/log"
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1554904467.850:194): avc: denied { sendto } for
pid=7521 comm="systemd-user-se" path="/run/systemd/journal/socket"
scontext=system_u:system_r:systemd_sessions_t:s0
tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
> On Wednesday, 10 April 2019 11:07:29 AM AEST Sugar, David wrote:
>> On 4/9/19 9:00 PM, Russell Coker wrote:
>>
>>> Why does the kernel need such access?
>>
>>
>> I'm not sure I understand your question. Are you asking why the
>> kernel_dgram_send() access is needed by syslog? This is because many
>> domains send messages to the journal.
>>
>> I have been adding this interface as needed throughout the policy as I'm
>> seeing issues. It was suggested to move this interface use into
>> logging_send_syslog_msg as that is the same concept and most domains log
>> already.
>>
>> This patch is mostly removing uses of kernel_dgram_send and just adding
>> it one place.
>>
>>
>>>
>>> On Wednesday, 10 April 2019 1:09:59 AM AEST Sugar, David wrote:
>>>
>>>> This patch is based on comments from previous a patch to
>>>> remove the many uses of kernel_dgram_send() and incorporate
>>>> it into logging_send_syslog_msg().
>>>>
>>>>
>>>>
>>>> Signed-off-by: Dave Sugar <[email protected]>
>>>> ---
>>>>
>>>> policy/modules/admin/aide.te | 1 -
>>>> policy/modules/admin/usermanage.te | 5 -----
>>>> policy/modules/services/dbus.te | 3 ---
>>>> policy/modules/system/authlogin.te | 5 -----
>>>> policy/modules/system/init.if | 2 --
>>>> policy/modules/system/init.te | 3 ---
>>>> policy/modules/system/logging.if | 2 ++
>>>> policy/modules/system/logging.te | 4 ----
>>>> policy/modules/system/systemd.te | 5 -----
>>>> policy/modules/system/udev.te | 1 -
>>>> 10 files changed, 2 insertions(+), 29 deletions(-)
>>>>
>>>>
>>>>
>>>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
>>>> index 30deba09..f5e64a86 100644
>>>> --- a/policy/modules/admin/aide.te
>>>> +++ b/policy/modules/admin/aide.te
>>>> @@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>>>>
>>>> files_read_all_files(aide_t)
>>>> files_read_all_symlinks(aide_t)
>>>>
>>>>
>>>> -kernel_dgram_send(aide_t)
>>>>
>>>> kernel_read_crypto_sysctls(aide_t)
>>>>
>>>> logging_send_audit_msgs(aide_t)
>>>>
>>>> diff --git a/policy/modules/admin/usermanage.te
>>>> b/policy/modules/admin/usermanage.te
>>>>
>>> index 5753741b..4a10bf84 100644
>>>>
>>>> --- a/policy/modules/admin/usermanage.te
>>>> +++ b/policy/modules/admin/usermanage.te
>>>> @@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t)
>>>>
>>>> # on user home dir
>>>> userdom_dontaudit_search_user_home_content(passwd_t)
>>>>
>>>>
>>>> -ifdef(`init_systemd',`
>>>> - # for journald /dev/log
>>>> - kernel_dgram_send(passwd_t)
>>>> -')
>>>> -
>>>>
>>>> optional_policy(`
>>>>
>>>> nscd_run(passwd_t, passwd_roles)
>>>>
>>>> ')
>>>>
>>>> diff --git a/policy/modules/services/dbus.te
>>>> b/policy/modules/services/dbus.te
>>>>
>>> index 9c085876..c05370dd 100644
>>>>
>>>> --- a/policy/modules/services/dbus.te
>>>> +++ b/policy/modules/services/dbus.te
>>>> @@ -162,9 +162,6 @@ ifdef(`init_systemd', `
>>>>
>>>> # for /run/systemd/dynamic-uid/
>>>> init_list_pids(system_dbusd_t)
>>>> init_read_runtime_symlinks(system_dbusd_t)
>>>>
>>>> -
>>>> - # for journald /dev/log
>>>> - kernel_dgram_send(system_dbusd_t)
>>>>
>>>> ')
>>>>
>>>> optional_policy(`
>>>>
>>>> diff --git a/policy/modules/system/authlogin.te
>>>> b/policy/modules/system/authlogin.te
>>>>
>>> index 28f74bac..2cf86952 100644
>>>>
>>>> --- a/policy/modules/system/authlogin.te
>>>> +++ b/policy/modules/system/authlogin.te
>>>> @@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',`
>>>>
>>>> ')
>>>>
>>>> ')
>>>>
>>>>
>>>> -ifdef(`init_systemd',`
>>>> - # for journald /dev/log
>>>> - kernel_dgram_send(chkpwd_t)
>>>> -')
>>>> -
>>>>
>>>> optional_policy(`
>>>>
>>>> # apache leaks file descriptors
>>>> apache_dontaudit_rw_tcp_sockets(chkpwd_t)
>>>>
>>>> diff --git a/policy/modules/system/init.if
>>>> b/policy/modules/system/init.if
>>>> index fef2c88e..00bd4991 100644
>>>> --- a/policy/modules/system/init.if
>>>> +++ b/policy/modules/system/init.if
>>>> @@ -306,8 +306,6 @@ interface(`init_daemon_domain',`
>>>>
>>>>
>>>>
>>>> ifdef(`init_systemd',`
>>>>
>>>> init_domain($1, $2)
>>>>
>>>> - # this may be because of late labelling
>>>> - kernel_dgram_send($1)
>>>>
>>>>
>>>>
>>>> allow $1 init_t:unix_dgram_socket sendto;
>>>>
>>>> ')
>>>>
>>>> diff --git a/policy/modules/system/init.te
>>>> b/policy/modules/system/init.te
>>>> index a12d151b..3e8eb2da 100644
>>>> --- a/policy/modules/system/init.te
>>>> +++ b/policy/modules/system/init.te
>>>> @@ -272,7 +272,6 @@ ifdef(`init_systemd',`
>>>>
>>>>
>>>>
>>>> kernel_dyntrans_to(init_t)
>>>> kernel_read_network_state(init_t)
>>>>
>>>> - kernel_dgram_send(init_t)
>>>>
>>>> kernel_stream_connect(init_t)
>>>> kernel_getattr_proc(init_t)
>>>> kernel_read_fs_sysctls(init_t)
>>>>
>>>> @@ -969,8 +968,6 @@ ifdef(`init_systemd',`
>>>>
>>>> allow initrc_t systemdunit:service reload;
>>>> allow initrc_t init_script_file_type:service { stop start status
>>>> reload
>>>>
>>>> };
>>>>
>>>
>>>>
>>>> - kernel_dgram_send(initrc_t)
>>>> -
>>>>
>>>> # run systemd misc initializations
>>>> # in the initrc_t domain, as would be
>>>> # done in traditional sysvinit/upstart.
>>>>
>>>> diff --git a/policy/modules/system/logging.if
>>>> b/policy/modules/system/logging.if
>>>>
>>> index 7b7644f7..1f696b7f 100644
>>>>
>>>> --- a/policy/modules/system/logging.if
>>>> +++ b/policy/modules/system/logging.if
>>>> @@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',`
>>>>
>>>> ifdef(`init_systemd',`
>>>>
>>>> # Allow systemd-journald to check whether the process died
>>>> allow syslogd_t $1:process signull;
>>>>
>>>> +
>>>> + kernel_dgram_send($1)
>>>>
>>>> ')
>>>>
>>>> ')
>>>>
>>>>
>>>> diff --git a/policy/modules/system/logging.te
>>>> b/policy/modules/system/logging.te
>>>>
>>> index 0c5be1cd..02f268ea 100644
>>>>
>>>> --- a/policy/modules/system/logging.te
>>>> +++ b/policy/modules/system/logging.te
>>>> @@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t)
>>>>
>>>>
>>>> sysnet_dns_name_resolve(audisp_t)
>>>>
>>>>
>>>> -ifdef(`init_systemd',`
>>>> - kernel_dgram_send(audisp_t)
>>>> -')
>>>> -
>>>>
>>>> optional_policy(`
>>>>
>>>> dbus_system_bus_client(audisp_t)
>>>>
>>>> ')
>>>>
>>>> diff --git a/policy/modules/system/systemd.te
>>>> b/policy/modules/system/systemd.te
>>>>
>>> index f6455f6f..cf9241c0 100644
>>>>
>>>> --- a/policy/modules/system/systemd.te
>>>> +++ b/policy/modules/system/systemd.te
>>>> @@ -266,7 +266,6 @@
>>>> systemd_log_parse_environment(systemd_gpt_generator_t)
>>>>
>>>> allow systemd_cgroups_t self:capability net_admin;
>>>>
>>>> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
>>>>
>>>> -kernel_dgram_send(systemd_cgroups_t)
>>>>
>>>> # for /proc/cmdline
>>>> kernel_read_system_state(systemd_cgroups_t)
>>>>
>>>>
>>>> @@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t,
>>>> systemd_networkd_var_run_t, systemd_netw
>>>> manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t,
>>>> systemd_networkd_var_run_t) manage_lnk_files_pattern(systemd_networkd_t,
>>>> systemd_networkd_var_run_t, systemd_networkd_var_run_t)
>>>> -kernel_dgram_send(systemd_networkd_t)
>>>>
>>>> kernel_read_system_state(systemd_networkd_t)
>>>> kernel_read_kernel_sysctls(systemd_networkd_t)
>>>> kernel_read_network_state(systemd_networkd_t)
>>>>
>>>> @@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t)
>>>>
>>>> init_dgram_send(systemd_networkd_t)
>>>> init_read_state(systemd_networkd_t)
>>>>
>>>>
>>>> -logging_send_syslog_msg(systemd_networkd_t)
>>>> -
>>>>
>>>> miscfiles_read_localization(systemd_networkd_t)
>>>>
>>>> sysnet_read_config(systemd_networkd_t)
>>>>
>>>> @@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t,
>>>> systemd_resolved_var_run_t, dir)
>>>>
>>>
>>>
>>>> dev_read_sysfs(systemd_resolved_t)
>>>>
>>>>
>>>> -kernel_dgram_send(systemd_resolved_t)
>>>>
>>>> kernel_read_crypto_sysctls(systemd_resolved_t)
>>>> kernel_read_kernel_sysctls(systemd_resolved_t)
>>>> kernel_read_net_sysctls(systemd_resolved_t)
>>>>
>>>> diff --git a/policy/modules/system/udev.te
>>>> b/policy/modules/system/udev.te
>>>> index ff564280..f00de30d 100644
>>>> --- a/policy/modules/system/udev.te
>>>> +++ b/policy/modules/system/udev.te
>>>> @@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t)
>>>>
>>>> kernel_read_kernel_sysctls(udev_t)
>>>> kernel_rw_hotplug_sysctls(udev_t)
>>>> kernel_rw_unix_dgram_sockets(udev_t)
>>>>
>>>> -kernel_dgram_send(udev_t)
>>>>
>>>> kernel_signal(udev_t)
>>>> kernel_search_debugfs(udev_t)
>>>> kernel_search_key(udev_t)
>>>>
>>>> --
>>>> 2.20.1
>>>>
>>>>
>>>>
>>>
>
>
On 4/9/19 9:39 PM, Russell Coker wrote:
> Why is a socket that everything sends to labeled as kernel_t?
>
> On Wednesday, 10 April 2019 11:07:29 AM AEST Sugar, David wrote:
>> On 4/9/19 9:00 PM, Russell Coker wrote:
>>
>>> Why does the kernel need such access?
>>
>>
>> I'm not sure I understand your question. Are you asking why the
>> kernel_dgram_send() access is needed by syslog? This is because many
>> domains send messages to the journal.
>>
>> I have been adding this interface as needed throughout the policy as I'm
>> seeing issues. It was suggested to move this interface use into
>> logging_send_syslog_msg as that is the same concept and most domains log
>> already.
>>
>> This patch is mostly removing uses of kernel_dgram_send and just adding
>> it one place.
>>
>>
>>>
>>> On Wednesday, 10 April 2019 1:09:59 AM AEST Sugar, David wrote:
>>>
>>>> This patch is based on comments from previous a patch to
>>>> remove the many uses of kernel_dgram_send() and incorporate
>>>> it into logging_send_syslog_msg().
Russell, you aren't seeing this type of access on Debian?
How about Gentoo? If this is Fedora/RHEL-specific, then it should be
reflected in the policy accordingly.
>>>> Signed-off-by: Dave Sugar <[email protected]>
>>>> ---
>>>>
>>>> policy/modules/admin/aide.te | 1 -
>>>> policy/modules/admin/usermanage.te | 5 -----
>>>> policy/modules/services/dbus.te | 3 ---
>>>> policy/modules/system/authlogin.te | 5 -----
>>>> policy/modules/system/init.if | 2 --
>>>> policy/modules/system/init.te | 3 ---
>>>> policy/modules/system/logging.if | 2 ++
>>>> policy/modules/system/logging.te | 4 ----
>>>> policy/modules/system/systemd.te | 5 -----
>>>> policy/modules/system/udev.te | 1 -
>>>> 10 files changed, 2 insertions(+), 29 deletions(-)
>>>>
>>>>
>>>>
>>>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
>>>> index 30deba09..f5e64a86 100644
>>>> --- a/policy/modules/admin/aide.te
>>>> +++ b/policy/modules/admin/aide.te
>>>> @@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>>>>
>>>> files_read_all_files(aide_t)
>>>> files_read_all_symlinks(aide_t)
>>>>
>>>>
>>>> -kernel_dgram_send(aide_t)
>>>>
>>>> kernel_read_crypto_sysctls(aide_t)
>>>>
>>>> logging_send_audit_msgs(aide_t)
>>>>
>>>> diff --git a/policy/modules/admin/usermanage.te
>>>> b/policy/modules/admin/usermanage.te
>>>>
>>> index 5753741b..4a10bf84 100644
>>>>
>>>> --- a/policy/modules/admin/usermanage.te
>>>> +++ b/policy/modules/admin/usermanage.te
>>>> @@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t)
>>>>
>>>> # on user home dir
>>>> userdom_dontaudit_search_user_home_content(passwd_t)
>>>>
>>>>
>>>> -ifdef(`init_systemd',`
>>>> - # for journald /dev/log
>>>> - kernel_dgram_send(passwd_t)
>>>> -')
>>>> -
>>>>
>>>> optional_policy(`
>>>>
>>>> nscd_run(passwd_t, passwd_roles)
>>>>
>>>> ')
>>>>
>>>> diff --git a/policy/modules/services/dbus.te
>>>> b/policy/modules/services/dbus.te
>>>>
>>> index 9c085876..c05370dd 100644
>>>>
>>>> --- a/policy/modules/services/dbus.te
>>>> +++ b/policy/modules/services/dbus.te
>>>> @@ -162,9 +162,6 @@ ifdef(`init_systemd', `
>>>>
>>>> # for /run/systemd/dynamic-uid/
>>>> init_list_pids(system_dbusd_t)
>>>> init_read_runtime_symlinks(system_dbusd_t)
>>>>
>>>> -
>>>> - # for journald /dev/log
>>>> - kernel_dgram_send(system_dbusd_t)
>>>>
>>>> ')
>>>>
>>>> optional_policy(`
>>>>
>>>> diff --git a/policy/modules/system/authlogin.te
>>>> b/policy/modules/system/authlogin.te
>>>>
>>> index 28f74bac..2cf86952 100644
>>>>
>>>> --- a/policy/modules/system/authlogin.te
>>>> +++ b/policy/modules/system/authlogin.te
>>>> @@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',`
>>>>
>>>> ')
>>>>
>>>> ')
>>>>
>>>>
>>>> -ifdef(`init_systemd',`
>>>> - # for journald /dev/log
>>>> - kernel_dgram_send(chkpwd_t)
>>>> -')
>>>> -
>>>>
>>>> optional_policy(`
>>>>
>>>> # apache leaks file descriptors
>>>> apache_dontaudit_rw_tcp_sockets(chkpwd_t)
>>>>
>>>> diff --git a/policy/modules/system/init.if
>>>> b/policy/modules/system/init.if
>>>> index fef2c88e..00bd4991 100644
>>>> --- a/policy/modules/system/init.if
>>>> +++ b/policy/modules/system/init.if
>>>> @@ -306,8 +306,6 @@ interface(`init_daemon_domain',`
>>>>
>>>>
>>>>
>>>> ifdef(`init_systemd',`
>>>>
>>>> init_domain($1, $2)
>>>>
>>>> - # this may be because of late labelling
>>>> - kernel_dgram_send($1)
>>>>
>>>>
>>>>
>>>> allow $1 init_t:unix_dgram_socket sendto;
>>>>
>>>> ')
>>>>
>>>> diff --git a/policy/modules/system/init.te
>>>> b/policy/modules/system/init.te
>>>> index a12d151b..3e8eb2da 100644
>>>> --- a/policy/modules/system/init.te
>>>> +++ b/policy/modules/system/init.te
>>>> @@ -272,7 +272,6 @@ ifdef(`init_systemd',`
>>>>
>>>>
>>>>
>>>> kernel_dyntrans_to(init_t)
>>>> kernel_read_network_state(init_t)
>>>>
>>>> - kernel_dgram_send(init_t)
>>>>
>>>> kernel_stream_connect(init_t)
>>>> kernel_getattr_proc(init_t)
>>>> kernel_read_fs_sysctls(init_t)
>>>>
>>>> @@ -969,8 +968,6 @@ ifdef(`init_systemd',`
>>>>
>>>> allow initrc_t systemdunit:service reload;
>>>> allow initrc_t init_script_file_type:service { stop start status
>>>> reload
>>>>
>>>> };
>>>>
>>>
>>>>
>>>> - kernel_dgram_send(initrc_t)
>>>> -
>>>>
>>>> # run systemd misc initializations
>>>> # in the initrc_t domain, as would be
>>>> # done in traditional sysvinit/upstart.
>>>>
>>>> diff --git a/policy/modules/system/logging.if
>>>> b/policy/modules/system/logging.if
>>>>
>>> index 7b7644f7..1f696b7f 100644
>>>>
>>>> --- a/policy/modules/system/logging.if
>>>> +++ b/policy/modules/system/logging.if
>>>> @@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',`
>>>>
>>>> ifdef(`init_systemd',`
>>>>
>>>> # Allow systemd-journald to check whether the process died
>>>> allow syslogd_t $1:process signull;
>>>>
>>>> +
>>>> + kernel_dgram_send($1)
>>>>
>>>> ')
>>>>
>>>> ')
>>>>
>>>>
>>>> diff --git a/policy/modules/system/logging.te
>>>> b/policy/modules/system/logging.te
>>>>
>>> index 0c5be1cd..02f268ea 100644
>>>>
>>>> --- a/policy/modules/system/logging.te
>>>> +++ b/policy/modules/system/logging.te
>>>> @@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t)
>>>>
>>>>
>>>> sysnet_dns_name_resolve(audisp_t)
>>>>
>>>>
>>>> -ifdef(`init_systemd',`
>>>> - kernel_dgram_send(audisp_t)
>>>> -')
>>>> -
>>>>
>>>> optional_policy(`
>>>>
>>>> dbus_system_bus_client(audisp_t)
>>>>
>>>> ')
>>>>
>>>> diff --git a/policy/modules/system/systemd.te
>>>> b/policy/modules/system/systemd.te
>>>>
>>> index f6455f6f..cf9241c0 100644
>>>>
>>>> --- a/policy/modules/system/systemd.te
>>>> +++ b/policy/modules/system/systemd.te
>>>> @@ -266,7 +266,6 @@
>>>> systemd_log_parse_environment(systemd_gpt_generator_t)
>>>>
>>>> allow systemd_cgroups_t self:capability net_admin;
>>>>
>>>> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
>>>>
>>>> -kernel_dgram_send(systemd_cgroups_t)
>>>>
>>>> # for /proc/cmdline
>>>> kernel_read_system_state(systemd_cgroups_t)
>>>>
>>>>
>>>> @@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t,
>>>> systemd_networkd_var_run_t, systemd_netw
>>>> manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t,
>>>> systemd_networkd_var_run_t) manage_lnk_files_pattern(systemd_networkd_t,
>>>> systemd_networkd_var_run_t, systemd_networkd_var_run_t)
>>>> -kernel_dgram_send(systemd_networkd_t)
>>>>
>>>> kernel_read_system_state(systemd_networkd_t)
>>>> kernel_read_kernel_sysctls(systemd_networkd_t)
>>>> kernel_read_network_state(systemd_networkd_t)
>>>>
>>>> @@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t)
>>>>
>>>> init_dgram_send(systemd_networkd_t)
>>>> init_read_state(systemd_networkd_t)
>>>>
>>>>
>>>> -logging_send_syslog_msg(systemd_networkd_t)
>>>> -
>>>>
>>>> miscfiles_read_localization(systemd_networkd_t)
>>>>
>>>> sysnet_read_config(systemd_networkd_t)
>>>>
>>>> @@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t,
>>>> systemd_resolved_var_run_t, dir)
>>>>
>>>
>>>
>>>> dev_read_sysfs(systemd_resolved_t)
>>>>
>>>>
>>>> -kernel_dgram_send(systemd_resolved_t)
>>>>
>>>> kernel_read_crypto_sysctls(systemd_resolved_t)
>>>> kernel_read_kernel_sysctls(systemd_resolved_t)
>>>> kernel_read_net_sysctls(systemd_resolved_t)
>>>>
>>>> diff --git a/policy/modules/system/udev.te
>>>> b/policy/modules/system/udev.te
>>>> index ff564280..f00de30d 100644
>>>> --- a/policy/modules/system/udev.te
>>>> +++ b/policy/modules/system/udev.te
>>>> @@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t)
>>>>
>>>> kernel_read_kernel_sysctls(udev_t)
>>>> kernel_rw_hotplug_sysctls(udev_t)
>>>> kernel_rw_unix_dgram_sockets(udev_t)
>>>>
>>>> -kernel_dgram_send(udev_t)
>>>>
>>>> kernel_signal(udev_t)
>>>> kernel_search_debugfs(udev_t)
>>>> kernel_search_key(udev_t)
>>>>
>>>> --
>>>> 2.20.1
>>>>
>>>>
>>>>
>>>
>
>
--
Chris PeBenito
On Friday, 12 April 2019 9:54:46 PM AEST Chris PeBenito wrote:
> On 4/9/19 9:39 PM, Russell Coker wrote:
> > Why is a socket that everything sends to labeled as kernel_t?
> >
>
> Russell, you aren't seeing this type of access on Debian?
ifdef(`init_systemd',`
init_domain($1, $2)
# this may be because of late labelling
kernel_dgram_send($1)
allow $1 init_t:unix_dgram_socket sendto;
')
The above is in the upstream policy in the init_daemon_domain() interface.
Not sure why.
I've put in an auditallow rule and so far haven't been able to reproduce it.
So we can probably remove that line.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On 4/13/19 1:35 AM, Russell Coker wrote:
> On Friday, 12 April 2019 9:54:46 PM AEST Chris PeBenito wrote:
>> On 4/9/19 9:39 PM, Russell Coker wrote:
>>> Why is a socket that everything sends to labeled as kernel_t?
>>>
>>
>> Russell, you aren't seeing this type of access on Debian?
>
>
> ifdef(`init_systemd',`
> init_domain($1, $2)
> # this may be because of late labelling
> kernel_dgram_send($1)
>
> allow $1 init_t:unix_dgram_socket sendto;
> ')
>
> The above is in the upstream policy in the init_daemon_domain() interface.
> Not sure why.
>
> I've put in an auditallow rule and so far haven't been able to reproduce it.
> So we can probably remove that line.
>
Upstream RHEL is setting up the attribute 'syslog_client_type', has
'typeattribute $1 syslog_client_type' in logging_send_syslog_msg ()
and then
ifdef(`hide_broken_symptoms',`
kernel_dgram_send(syslog_client_type)
')
in logging.te
When not allowing this access I get a RHEL system that will not boot.
I'm happy to put this in an 'ifdef distro_redhat'. Please let me know
the preference on how to proceed.
On Sunday, 14 April 2019 1:36:07 AM AEST Sugar, David wrote:
> >>> Why is a socket that everything sends to labeled as kernel_t?
> >>
> >> Russell, you aren't seeing this type of access on Debian?
> >
> >
> >
> >
> > ifdef(`init_systemd',`
> >
> > init_domain($1, $2)
> > # this may be because of late labelling
> > kernel_dgram_send($1)
> >
> >
> >
> > allow $1 init_t:unix_dgram_socket sendto;
> >
> > ')
> >
> >
> > The above is in the upstream policy in the init_daemon_domain()
> > interface.
> > Not sure why.
> >
> > I've put in an auditallow rule and so far haven't been able to reproduce
> > it.
> > So we can probably remove that line.
> >
>
>
> Upstream RHEL is setting up the attribute 'syslog_client_type', has
> 'typeattribute $1 syslog_client_type' in logging_send_syslog_msg ()
>
> and then
> ifdef(`hide_broken_symptoms',`
> kernel_dgram_send(syslog_client_type)
> ')
> in logging.te
Well they are stating that it's a symptom of brokenness...
> When not allowing this access I get a RHEL system that will not boot.
> I'm happy to put this in an 'ifdef distro_redhat'. Please let me know
> the preference on how to proceed.
Yes ifdef distro_redhat seems like a good idea.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/