Return-Path: <SRS0=0v2g=PN=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id D082AC43387
	for <selinux-refpolicy@archiver.kernel.org>; Sat,  5 Jan 2019 21:40:12 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 9F11B222DF
	for <selinux-refpolicy@archiver.kernel.org>; Sat,  5 Jan 2019 21:40:12 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726332AbfAEVkM (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Sat, 5 Jan 2019 16:40:12 -0500
Received: from mx1.polytechnique.org ([129.104.30.34]:44260 "EHLO
        mx1.polytechnique.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726318AbfAEVkM (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sat, 5 Jan 2019 16:40:12 -0500
Received: from mail-ot1-f44.google.com (mail-ot1-f44.google.com [209.85.210.44])
        (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
        (No client certificate requested)
        by ssl.polytechnique.org (Postfix) with ESMTPSA id 3176E5605E3
        for <selinux-refpolicy@vger.kernel.org>; Sat,  5 Jan 2019 22:40:08 +0100 (CET)
Received: by mail-ot1-f44.google.com with SMTP id s5so34917642oth.7
        for <selinux-refpolicy@vger.kernel.org>; Sat, 05 Jan 2019 13:40:08 -0800 (PST)
X-Gm-Message-State: AJcUukfPiQp7b8+fA5KB3mh2uP9Ck/3oo1pOiUS5zxcH5sTN/eaVQi/C
        Tuza94sZdLCacpX1Hpy+HQq5m07nWAHUGTVt8H0=
X-Google-Smtp-Source: ALg8bN6YJBx/GGJHVyKU3i31n6oooX7UlFoQbP7gN8ExiW32J105bQHzm8B7V/bS94AJT8IOFhkrYuFPdSZMFjRsJCQ=
X-Received: by 2002:a9d:65c8:: with SMTP id z8mr6459999oth.338.1546724407275;
 Sat, 05 Jan 2019 13:40:07 -0800 (PST)
MIME-Version: 1.0
References: <20190104075118.GA11721@aaa.coker.com.au> <9821c420-35c9-9901-d666-7e23242f9a6e@ieee.org>
In-Reply-To: <9821c420-35c9-9901-d666-7e23242f9a6e@ieee.org>
From:   Nicolas Iooss <nicolas.iooss@m4x.org>
Date:   Sat, 5 Jan 2019 22:39:55 +0100
X-Gmail-Original-Message-ID: <CAJfZ7==bQu=F_rUcRcJQPOx6KR1RG5D0eVmnW25TuJDQpELDYA@mail.gmail.com>
Message-ID: <CAJfZ7==bQu=F_rUcRcJQPOx6KR1RG5D0eVmnW25TuJDQpELDYA@mail.gmail.com>
Subject: Re: [PATCH] systemd related interfaces
To:     Chris PeBenito <pebenito@ieee.org>,
        selinux-refpolicy@vger.kernel.org
Cc:     Russell Coker <russell@coker.com.au>
Content-Type: text/plain; charset="UTF-8"
X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Sat Jan  5 22:40:08 2019 +0100 (CET))
X-Org-Mail: nicolas.iooss.2010@polytechnique.org
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Sat, Jan 5, 2019 at 8:39 PM Chris PeBenito <pebenito@ieee.org> wrote:
>
> On 1/4/19 2:51 AM, Russell Coker wrote:
> > This patch has interface changes related to systemd support as well as policy
> > that uses the new interfaces.
> > [...]
> > Index: refpolicy-2.20180701/policy/modules/system/logging.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
> > +++ refpolicy-2.20180701/policy/modules/system/logging.te
> > @@ -541,15 +541,19 @@ ifdef(`init_systemd',`
> >       dev_read_urand(syslogd_t)
> >       dev_write_kmsg(syslogd_t)
> >
> > +     domain_getattr_all_domains(syslogd_t)
> >       domain_read_all_domains_state(syslogd_t)
> >
> >       init_create_pid_dirs(syslogd_t)
> >       init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
> > +     init_getattr(syslogd_t)
> >       init_rename_pid_files(syslogd_t)
> >       init_delete_pid_files(syslogd_t)
> >       init_dgram_send(syslogd_t)
> >       init_read_pid_pipes(syslogd_t)
> >       init_read_state(syslogd_t)
> > +     # for /run/systemd/units/invocation:* links
> > +     init_read_unit_links(syslogd_t)
> >
> >       systemd_manage_journal_files(syslogd_t)
> >

This change has not been merged and I see the relevant AVC on an Arch
Linux virtual machine (using systemd 239.370):

type=AVC msg=audit(1546723651.696:2091): avc:  denied  { read } for
pid=240 comm="systemd-journal" name="invocation:user@1000.service"
dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
type=AVC msg=audit(1546723651.799:2092): avc:  denied  { read } for
pid=240 comm="systemd-journal" name="invocation:dbus.service"
dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t
tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0

What prevented init_read_unit_links(syslogd_t) from being added?

Nicolas