From: "Sugar, David"
To: Chris PeBenito, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] Resolve some denials related to sending journal messages
Date: Mon, 8 Apr 2019 13:33:42 +0000
Message-ID: <5898f8be-d46d-1bbd-de56-d59316c1ee16@tresys.com>
References: <20190404122900.8945-1-dsugar@tresys.com> <20190404122900.8945-2-dsugar@tresys.com> <48f4a705-36e6-aca7-15e4-1c100785aaf8@ieee.org>
In-Reply-To: <48f4a705-36e6-aca7-15e4-1c100785aaf8@ieee.org>
On 4/7/19 8:52 PM, Chris PeBenito wrote:
> On 4/4/19 8:29 AM, Sugar, David wrote:
>> type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for
>> pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket"
>> scontext=system_u:system_r:systemd_backlight_t:s0
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>> permissive=1
>> type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for
>> pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket"
>> scontext=system_u:system_r:systemd_sessions_t:s0
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>> permissive=0
>> type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for
>> pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket"
>> scontext=system_u:system_r:lvm_t:s0
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>> permissive=1
>
> I think we've reached the limit of the explicit kernel_dgram_send()
> and it's time to reevaluate putting this in logging_send_syslog_msg().
>

That makes sense.  I will submit a patch after I test a bit.  But it
looks like everywhere (except the systemd module) that uses
kernel_dgram_send() already has logging_send_syslog_msg() so once
kernel_dgram_send() is added to logging_send_syslog_msg(),
kernel_dgram_send() can be removed from those domains.

The exceptions are:

1) In the systemd module there isn't much use of
logging_send_syslog_msg().  For this case I will add
logging_send_syslog_msg() as required.

2) In the interface init_daemon_domain(), it uses kernel_dgram_send()
directly, there it probably doesn't need to use
logging_send_syslog_msg().  This may be able to go away as modules might
already use logging now, I will try removing and see what breaks.

>
>> Signed-off-by: Dave Sugar
>> ---
>>  policy/modules/system/lvm.te     | 1 +
>>  policy/modules/system/systemd.te | 4 ++++
>>  2 files changed, 5 insertions(+)
>>
>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>> index ec3b4a18..aea199d4 100644
>> --- a/policy/modules/system/lvm.te
>> +++ b/policy/modules/system/lvm.te
>> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
>>  files_etc_filetrans(lvm_t, lvm_metadata_t, file)
>>  files_search_mnt(lvm_t)
>>  
>> +kernel_dgram_send(lvm_t)
>>  kernel_request_load_module(lvm_t)
>>  kernel_get_sysvipc_info(lvm_t)
>>  kernel_read_system_state(lvm_t)
>> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
>> index f6455f6f..541117a9 100644
>> --- a/policy/modules/system/systemd.te
>> +++ b/policy/modules/system/systemd.te
>> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
>>  # for udev.conf
>>  files_read_etc_files(systemd_backlight_t)
>>  
>> +kernel_dgram_send(systemd_backlight_t)
>> +
>>  # for /run/udev/data/+backlight*
>>  udev_read_pid_files(systemd_backlight_t)
>>  
>> @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
>>  allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
>>  files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>>  
>> +kernel_dgram_send(systemd_sessions_t)
>> +
>>  selinux_get_enforce_mode(systemd_sessions_t)
>>  selinux_get_fs_mount(systemd_sessions_t)
>>
>
>
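Review bot: the lvm.te hunk adds kernel_dgram_send(lvm_t) for a sendto on a kernel_t unix_dgram_socket at /run/systemd/journal/socket, the same target, class and permission that the two systemd.te hunks in this patch also grant to two further domains; that repetition is exactly the signal raised in the review that the permission belongs in logging_send_syslog_msg() rather than in each caller. Since the reply states that every non-systemd user of kernel_dgram_send() already calls logging_send_syslog_msg(), this line becomes redundant once that interface carries the kernel_t dgram permission, so the resubmission should drop it instead of leaving a per-domain duplicate. The denied process here is comm="systemd-cryptse" with scontext lvm_t, so targeting lvm_t (not a cryptsetup-specific domain) is correct.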
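Review bot: in the systemd_backlight_t hunk the neighbouring calls each carry a purpose comment (`# for udev.conf`, `# for /run/udev/data/+backlight*`) but the added `+kernel_dgram_send(systemd_backlight_t)` has none; a matching `# for /run/systemd/journal/socket` would tell the next reader why a backlight helper talks to a kernel_t socket. Given the reply's point that the systemd module makes little use of logging_send_syslog_msg(), the cleaner form is logging_send_syslog_msg(systemd_backlight_t) with the kernel_t dgram permission supplied by that interface, which also covers the journal path when it is not labelled kernel_t.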
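Review bot: of the three denials in the commit message, the systemd_sessions_t one is the only record with permissive=0, so this hunk is the one fixing a journal write that was actually blocked in enforcing mode rather than merely audited; it should stay in the resubmission in whatever form it takes (direct kernel_dgram_send or via logging_send_syslog_msg), and the missing purpose comment noted for the backlight hunk applies to `+kernel_dgram_send(systemd_sessions_t)` as well.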
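The triage behind the review comment above can be automated. The following is an added example, not code from this thread or from refpolicy: it parses AVC records, groups denials by source type, target type, object class and permission set, flags the groups that were hit in enforcing mode (permissive=0), and reports any target that several unrelated source domains need, which is the cue to put the permission in a shared interface rather than in each domain. The sample input is the three records quoted in the thread with the mail encoding stripped; all function and variable names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: the three AVC records from the thread, de-encoded.
SAMPLE_AVCS = """\
type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for  pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_backlight_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for  pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_sessions_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for  pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket" scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
"""

# "avc:  denied  { perm perm } for  key=value ..." ; everything after "for" is key=value pairs
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$'
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    # user:role:type:level -> type
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    return {
        'result': m.group('result'),
        'perms': tuple(sorted(m.group('perms').split())),
        'source': _type_of(fields['scontext']),
        'target': _type_of(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        'path': fields.get('path'),
        # permissive=0 means the access was really refused, not just audited
        'enforced': fields.get('permissive') == '0',
    }


def summarize(text):
    """Group denials by (source type, target type, class, perms)."""
    groups = defaultdict(lambda: {'count': 0, 'comms': set(), 'enforced': False})
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        g = groups[(rec['source'], rec['target'], rec['tclass'], rec['perms'])]
        g['count'] += 1
        g['comms'].add(rec['comm'])
        g['enforced'] = g['enforced'] or rec['enforced']
    return dict(groups)


def allow_rules(groups):
    """Raw allow rules (audit2allow style), enforcing-mode denials listed first."""
    ordered = sorted(groups.items(), key=lambda kv: (not kv[1]['enforced'], kv[0]))
    return ['allow %s %s:%s { %s };' % (src, tgt, cls, ' '.join(perms))
            for (src, tgt, cls, perms), _ in ordered]


def shared_targets(groups, min_sources=2):
    """Targets needed by several source domains: candidates for a shared interface."""
    by_target = defaultdict(set)
    for src, tgt, cls, perms in groups:
        by_target[(tgt, cls, perms)].add(src)
    return {k: sorted(v) for k, v in by_target.items() if len(v) >= min_sources}


if __name__ == '__main__':
    groups = summarize(SAMPLE_AVCS)
    for rule in allow_rules(groups):
        print(rule)
    for (tgt, cls, perms), srcs in shared_targets(groups).items():
        print('shared target %s:%s { %s } needed by: %s'
              % (tgt, cls, ' '.join(perms), ', '.join(srcs)))
```

Run against the three records it prints one allow rule per domain, with the systemd_sessions_t rule first because that denial was recorded in enforcing mode, and then reports kernel_t:unix_dgram_socket sendto as a target shared by lvm_t, systemd_backlight_t and systemd_sessions_t, which is the situation the thread resolves by extending logging_send_syslog_msg(). The raw allow rules are for triage only; in a refpolicy module the permission is expressed through the interface.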