Subject: Re: [PATCH] systemd related interfaces
To: Dominick Grift, Nicolas Iooss
Cc: selinux-refpolicy@vger.kernel.org, Russell Coker
References: <20190104075118.GA11721@aaa.coker.com.au> <9821c420-35c9-9901-d666-7e23242f9a6e@ieee.org> <87pnta93ml.fsf@gmail.com>
From: Chris PeBenito
Message-ID: <78e0708d-d6ae-454a-418d-3276a593b996@ieee.org>
Date: Sun, 6 Jan 2019 13:39:33 -0500
In-Reply-To: <87pnta93ml.fsf@gmail.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/5/19 4:49 PM, Dominick Grift wrote:
> Nicolas Iooss writes:
>
>> On Sat, Jan 5, 2019 at 8:39 PM Chris PeBenito wrote:
>>>
>>> On 1/4/19 2:51 AM, Russell Coker wrote:
>>>> This patch has interface changes related to systemd support as well as policy
>>>> that uses the new interfaces.
>>>> [...]
>>>> Index: refpolicy-2.20180701/policy/modules/system/logging.te
>>>> ===================================================================
>>>> --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
>>>> +++ refpolicy-2.20180701/policy/modules/system/logging.te
>>>> @@ -541,15 +541,19 @@ ifdef(`init_systemd',` >>>> dev_read_urand(syslogd_t) >>>> dev_write_kmsg(syslogd_t) >>>> >>>> + domain_getattr_all_domains(syslogd_t) >>>> domain_read_all_domains_state(syslogd_t) >>>> >>>> init_create_pid_dirs(syslogd_t) >>>> init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd") >>>> + init_getattr(syslogd_t) >>>> init_rename_pid_files(syslogd_t) >>>> init_delete_pid_files(syslogd_t) >>>> init_dgram_send(syslogd_t) >>>> init_read_pid_pipes(syslogd_t) >>>> init_read_state(syslogd_t) >>>> + # for /run/systemd/units/invocation:* links >>>> + init_read_unit_links(syslogd_t) >>>> >>>> systemd_manage_journal_files(syslogd_t) >>>> >> >> This change has not been merged and I see the relevant AVC on an Arch >> Linux virtual machine (using systemd 239.370): >> >> type=AVC msg=audit(1546723651.696:2091): avc: denied { read } for >> pid=240 comm="systemd-journal" name="invocation:user@1000.service" >> dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t >> tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0 >> type=AVC msg=audit(1546723651.799:2092): avc: denied { read } for >> pid=240 comm="systemd-journal" name="invocation:dbus.service" >> dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t >> tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0 > > This should be ok to allow, afaik only journald reads these > symlinks. > >> >> What prevented init_read_unit_links(syslogd_t) from being added? I missed putting in my reason in the previous email. Your denial is for init_var_run_t:lnk_file access and the change was for systemd_unit_t:lnk_file. What you're seeing makes more sense to me. As far as I can tell, there should be no systemd_unit_t symlinks, and I'd prefer to keep it that way, if possible. -- Chris PeBenito
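Review bot: the comment "# for /run/systemd/units/invocation:* links" above init_read_unit_links(syslogd_t) in the logging.te hunk does not match the denials reported for those links later in the thread: the AVCs show tcontext=system_u:object_r:init_var_run_t tclass=lnk_file, while the reply notes that init_read_unit_links grants systemd_unit_t:lnk_file, so the call as written would not clear them. Either the invocation:* links would have to become systemd_unit_t, which the reply says it would rather avoid, or this line should be replaced with a call granting read on init_var_run_t:lnk_file and the comment adjusted to say so. Separately, domain_getattr_all_domains(syslogd_t) and init_getattr(syslogd_t) are added in the same hunk without any comment saying which journald operation needs them; a one-line justification like the one on the unit-links call would make the hunk reviewable on its own.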
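The mismatch Chris points out (the AVC is against init_var_run_t:lnk_file, the interface in the patch grants systemd_unit_t:lnk_file) is the kind of thing that is easy to check mechanically before sending a policy patch. The script below is an added example written for this thread; it is not refpolicy code and was not posted by anyone in the discussion. It parses the two AVC lines Nicolas reported (rejoined onto single lines, as the audit log prints them) and compares them against the access a candidate rule grants. The expansion of init_read_unit_links(syslogd_t) to "syslogd_t systemd_unit_t:lnk_file read" is a simplification taken from Chris's reply, not from the real interface definition, and is the assumption the example rests on.

```python
"""Check whether candidate SELinux allow rules cover observed AVC denials.

Added example for the refpolicy thread above; not refpolicy code. The
PROPOSED_RULES expansion is a simplification based on the reply, not on
the actual interface definition in init.if.
"""
import re
from dataclasses import dataclass

# The two AVC lines from the thread (Nicolas Iooss's Arch Linux VM),
# rejoined onto single lines as the kernel audit subsystem prints them.
SAMPLE_AVC = """\
type=AVC msg=audit(1546723651.696:2091): avc:  denied  { read } for  pid=240 comm="systemd-journal" name="invocation:user@1000.service" dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
type=AVC msg=audit(1546723651.799:2092): avc:  denied  { read } for  pid=240 comm="systemd-journal" name="invocation:dbus.service" dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
"""

# "avc: denied { perms } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass(frozen=True)
class Denial:
    perms: frozenset   # permissions that were denied
    stype: str         # source (subject) type
    ttype: str         # target (object) type
    tclass: str        # object class, e.g. lnk_file
    comm: str
    name: str


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: frozenset


def type_of(context: str) -> str:
    """Third field of a user:role:type[:range] security context."""
    parts = context.split(":")
    if len(parts) < 3:
        raise ValueError(f"not a security context: {context!r}")
    return parts[2]


def parse_denial(line: str):
    """Return a Denial for an AVC line, or None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return Denial(
        perms=frozenset(m.group("perms").split()),
        stype=type_of(fields["scontext"]),
        ttype=type_of(fields["tcontext"]),
        tclass=fields["tclass"],
        comm=fields.get("comm", "?"),
        name=fields.get("name", "?"),
    )


def parse_denials(text: str):
    return [d for d in map(parse_denial, text.splitlines()) if d is not None]


def covers(rule: AllowRule, d: Denial) -> bool:
    """True when the rule grants every permission this denial asked for."""
    return (rule.source == d.stype and rule.target == d.ttype
            and rule.tclass == d.tclass and d.perms <= rule.perms)


def unresolved(denials, rules):
    """Denials that none of the candidate rules would resolve."""
    return [d for d in denials if not any(covers(r, d) for r in rules)]


def minimal_rule(d: Denial) -> str:
    """The raw allow an audit2allow-style tool would propose for one denial."""
    return f"allow {d.stype} {d.ttype}:{d.tclass} {{ {' '.join(sorted(d.perms))} }};"


# What init_read_unit_links(syslogd_t) grants according to the reply above
# (systemd_unit_t:lnk_file read). Assumption: the real interface may grant
# more permissions, but the target type is what decides the outcome here.
PROPOSED_RULES = [
    AllowRule("syslogd_t", "systemd_unit_t", "lnk_file", frozenset({"read"})),
]

if __name__ == "__main__":
    denials = parse_denials(SAMPLE_AVC)
    for d in unresolved(denials, PROPOSED_RULES):
        print(f"still denied: {d.comm} reading {d.name}; would need {minimal_rule(d)}")
```

Running it reports both denials as still unresolved by the proposed interface, and prints the raw rule that would clear them (read on init_var_run_t:lnk_file). In refpolicy that raw allow would be expressed through an interface in the init module rather than written into logging.te directly; the check only tells you which target type and class the interface has to cover.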