From: Nicolas Iooss
Date: Sun, 6 Jan 2019 23:10:55 +0100
Subject: Re: [PATCH] systemd related interfaces
To: Chris PeBenito
Cc: Dominick Grift, selinux-refpolicy@vger.kernel.org, Russell Coker
List-ID: selinux-refpolicy@vger.kernel.org

On Sun, Jan 6, 2019 at 8:14 PM Chris PeBenito wrote:
>
> On 1/5/19 4:49 PM, Dominick Grift wrote:
> > Nicolas Iooss writes:
> >
> >> On Sat, Jan 5, 2019 at 8:39 PM Chris PeBenito wrote:
> >>>
> >>> On 1/4/19 2:51 AM, Russell Coker wrote:
> >>>> This patch has interface changes related to systemd support as well as policy
> >>>> that uses the new interfaces.
> >>>> [...]
> >>>> Index: refpolicy-2.20180701/policy/modules/system/logging.te
> >>>> ===================================================================
> >>>> --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
> >>>> +++ refpolicy-2.20180701/policy/modules/system/logging.te
> >>>> @@ -541,15 +541,19 @@ ifdef(`init_systemd',`
> >>>> dev_read_urand(syslogd_t)
> >>>> dev_write_kmsg(syslogd_t)
> >>>>
> >>>> + domain_getattr_all_domains(syslogd_t)
> >>>> domain_read_all_domains_state(syslogd_t)
> >>>>
> >>>> init_create_pid_dirs(syslogd_t)
> >>>> init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
> >>>> + init_getattr(syslogd_t)
> >>>> init_rename_pid_files(syslogd_t)
> >>>> init_delete_pid_files(syslogd_t)
> >>>> init_dgram_send(syslogd_t)
> >>>> init_read_pid_pipes(syslogd_t)
> >>>> init_read_state(syslogd_t)
> >>>> + # for /run/systemd/units/invocation:* links
> >>>> + init_read_unit_links(syslogd_t)
> >>>>
> >>>> systemd_manage_journal_files(syslogd_t)
> >>>>
> >>
> >> This change has not been merged and I see the relevant AVC on an Arch
> >> Linux virtual machine (using systemd 239.370):
> >>
> >> type=AVC msg=audit(1546723651.696:2091): avc: denied { read } for
> >> pid=240 comm="systemd-journal" name="invocation:user@1000.service"
> >> dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t
> >> tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
> >> type=AVC msg=audit(1546723651.799:2092): avc: denied { read } for
> >> pid=240 comm="systemd-journal" name="invocation:dbus.service"
> >> dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t
> >> tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
> >
> > This should be ok to allow, afaik only journald reads these
> > symlinks.
> >
> >>
> >> What prevented init_read_unit_links(syslogd_t) from being added?
>
> I missed putting in my reason in the previous email. Your denial is for
> init_var_run_t:lnk_file access and the change was for
> systemd_unit_t:lnk_file. What you're seeing makes more sense to me. As
> far as I can tell, there should be no systemd_unit_t symlinks, and I'd
> prefer to keep it that way, if possible.

The search_dirs_pattern($1, init_var_run_t, systemd_unit_t) was indeed not useful here.
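Review bot: the "+ init_read_unit_links(syslogd_t)" line, whose comment says it is for the /run/systemd/units/invocation:* links, does not grant the access the quoted denials show: both AVCs are scontext=...:syslogd_t tcontext=...:init_var_run_t tclass=lnk_file, while the reply states the interface was written for systemd_unit_t:lnk_file with search_dirs_pattern($1, init_var_run_t, systemd_unit_t). If those symlinks keep the init_var_run_t label, the interface needs read on init_var_run_t:lnk_file (for example read_lnk_files_pattern($1, init_var_run_t, init_var_run_t)) and the systemd_unit_t lnk_file rule, together with the search of systemd_unit_t directories, can go. The other two additions in the hunk, domain_getattr_all_domains(syslogd_t) and init_getattr(syslogd_t), carry no comment on which journald operation needs them; a one-line note like the one on init_read_unit_links would make the intent reviewable.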
I have created a Pull Request fixing this on
https://github.com/SELinuxProject/refpolicy/pull/17 .

By the way, I do pull requests because I find them simpler to handle from my
side (because I have too many emails in my inbox), but if you prefer that I
post the patches on the list, I can do that instead. It would be useful for
the project to have a CONTRIBUTING file describing the preferred way of
sending patches or reporting issues, or to have such information in the
README file.

Thanks,
Nicolas
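The triage step behind this exchange, as an added example that is neither code from the thread nor from refpolicy: parse AVC records like the two quoted denials, group them into candidate allow rules the way audit2allow would, and then check whether the permissions a policy interface grants actually cover the denied access, which is exactly the mismatch (init_var_run_t:lnk_file denied, systemd_unit_t:lnk_file granted) the reply points out. The two grant tables are assumptions modelled from the thread's description of the posted interface and of a corrected variant, not the text of the real init_read_unit_links interface; the type=SYSCALL line in the sample log is constructed to show that non-AVC records are skipped.

```python
"""Triage SELinux AVC denials: group them into candidate allow rules and check
whether a policy interface (modelled as the permissions it grants) covers them."""
import re
from collections import defaultdict

# Sample input: the two denials quoted in the thread, plus one constructed
# type=SYSCALL record that the parser must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1546723651.696:2091): avc: denied { read } for pid=240 comm="systemd-journal" name="invocation:user@1000.service" dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
type=SYSCALL msg=audit(1546723651.696:2091): arch=c000003e syscall=89 success=no exit=-13 comm="systemd-journal"
type=AVC msg=audit(1546723651.799:2092): avc: denied { read } for pid=240 comm="systemd-journal" name="invocation:dbus.service" dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
"""

# Assumption: what the interface as posted grants, modelled from the thread
# (read on systemd_unit_t:lnk_file, search on init_var_run_t and systemd_unit_t
# dirs). This is not the text of the real refpolicy interface.
INIT_READ_UNIT_LINKS_AS_POSTED = {
    ("init_var_run_t", "dir"): {"search"},
    ("systemd_unit_t", "dir"): {"search"},
    ("systemd_unit_t", "lnk_file"): {"read"},
}
# Assumption: a corrected variant that targets the label the denials report.
INIT_READ_UNIT_LINKS_CORRECTED = {
    ("init_var_run_t", "dir"): {"search"},
    ("init_var_run_t", "lnk_file"): {"read"},
}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Return the type field of a user:role:type[:level] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Extract permissions, source type, target type and class from one AVC
    record; return None for any other audit record."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def summarize_denials(log_text):
    """Map (source type, target type, class) -> union of denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            summary[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(summary)


def to_allow_rules(summary):
    """Render the summary as candidate allow rules (audit2allow style)."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(summary.items())
    ]


def check_interface_coverage(summary, grants):
    """grants maps (target type, class) -> permissions an interface gives.
    Return the (stype, ttype, tclass) keys whose denied perms are not all granted."""
    return [
        (s, t, c)
        for (s, t, c), perms in sorted(summary.items())
        if not perms <= grants.get((t, c), set())
    ]


if __name__ == "__main__":
    denials = summarize_denials(SAMPLE_AUDIT_LOG)
    for rule in to_allow_rules(denials):
        print(rule)
    print("not covered by posted interface:",
          check_interface_coverage(denials, INIT_READ_UNIT_LINKS_AS_POSTED))
    print("not covered by corrected interface:",
          check_interface_coverage(denials, INIT_READ_UNIT_LINKS_CORRECTED))
```

Running it prints the single candidate rule for syslogd_t on init_var_run_t:lnk_file and reports that the posted grant table leaves it uncovered while the corrected one does not; with a real policy the same check would be done against the interface's actual rules rather than a hand-written table.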