From: Dominick Grift
To: "Sugar, David"
Cc: Chris PeBenito, "selinux-refpolicy@vger.kernel.org"
Subject: Re: [PATCH] Resolve some denials related to sending journal messages
References: <20190404122900.8945-1-dsugar@tresys.com> <20190404122900.8945-2-dsugar@tresys.com> <48f4a705-36e6-aca7-15e4-1c100785aaf8@ieee.org> <5898f8be-d46d-1bbd-de56-d59316c1ee16@tresys.com>
Date: Mon, 08 Apr 2019 15:41:53 +0200
In-Reply-To: <5898f8be-d46d-1bbd-de56-d59316c1ee16@tresys.com> (David Sugar's message of "Mon, 8 Apr 2019 13:33:42 +0000")
Message-ID: <87v9zok40u.fsf@gmail.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

"Sugar, David" writes:

> On 4/7/19 8:52 PM, Chris PeBenito wrote:
>> On 4/4/19 8:29 AM, Sugar, David wrote:
>>> type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for
>>> pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket"
>>> scontext=system_u:system_r:systemd_backlight_t:s0
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>> permissive=1
>>> type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for
>>> pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket"
>>> scontext=system_u:system_r:systemd_sessions_t:s0
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>> permissive=0
>>> type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for
>>> pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket"
>>> scontext=system_u:system_r:lvm_t:s0
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>> permissive=1
>>
>> I think we've reached the limit of the explicit kernel_dgram_send()
>> and it's time to reevaluate putting this in logging_send_syslog_msg().
>>
> That makes sense.  I will submit a patch after I test a bit.  But it
> looks like everywhere (except the systemd module) that uses
> kernel_dgram_send() already has logging_send_syslog_msg() so once
> kernel_dgram_send() is added to logging_send_syslog_msg(),
> kernel_dgram_send() can be removed from those domains.
>
> The exceptions are:
>
> 1) In the systemd module there isn't much use of
> logging_send_syslog_msg().  For this case I will add
> logging_send_syslog_msg() as required.

see: https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/systemd.te#L410

So "systemd_log_parse_environment()" implies "logging_send_syslog_msg()"

>
> 2) In the interface init_daemon_domain(), it uses kernel_dgram_send()
> directly, there it probably doesn't need to use
> logging_send_syslog_msg(). This may be able to go away as modules might
> already use logging now, I will try removing and see what breaks.
>
>>
>>> Signed-off-by: Dave Sugar
>>> ---
>>>   policy/modules/system/lvm.te     | 1 +
>>>   policy/modules/system/systemd.te | 4 ++++
>>>   2 files changed, 5 insertions(+)
>>>
>>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>>> index ec3b4a18..aea199d4 100644
>>> --- a/policy/modules/system/lvm.te
>>> +++ b/policy/modules/system/lvm.te
>>> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t,
>>> lvm_metadata_t, file)
>>>   files_etc_filetrans(lvm_t, lvm_metadata_t, file)
>>>   files_search_mnt(lvm_t)
>>>   +kernel_dgram_send(lvm_t)
>>>   kernel_request_load_module(lvm_t)
>>>   kernel_get_sysvipc_info(lvm_t)
>>>   kernel_read_system_state(lvm_t)
>>> diff --git a/policy/modules/system/systemd.te
>>> b/policy/modules/system/systemd.te
>>> index f6455f6f..541117a9 100644
>>> --- a/policy/modules/system/systemd.te
>>> +++ b/policy/modules/system/systemd.te
>>> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
>>>   # for udev.conf
>>>   files_read_etc_files(systemd_backlight_t)
>>>   +kernel_dgram_send(systemd_backlight_t)
>>> +
>>>   # for /run/udev/data/+backlight*
>>>   udev_read_pid_files(systemd_backlight_t)
>>>
>>> @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
>>>   allow systemd_sessions_t systemd_sessions_var_run_t:file
>>> manage_file_perms;
>>>   files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t,
>>> file)
>>>   +kernel_dgram_send(systemd_sessions_t)
>>> +
>>>   selinux_get_enforce_mode(systemd_sessions_t)
>>>   selinux_get_fs_mount(systemd_sessions_t)
>>>
>>
>>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
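Review bot: The `+kernel_dgram_send(lvm_t)` line in the lvm.te hunk becomes dead code under the approach the thread converges on. David's reply states that every domain outside the systemd module which uses kernel_dgram_send() already calls logging_send_syslog_msg(), so once kernel_dgram_send() is folded into that interface this direct grant is redundant and has to be removed again in the follow-up patch. Suggest dropping the hunk and carrying the fix through logging_send_syslog_msg(). The commit message should also say that the lvm_t denial was raised by comm="systemd-cryptse" (per the quoted AVC), since lvm.te is not an obvious place to look for a journal-socket fix.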
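Review bot: In the systemd_backlight_t hunk, `+kernel_dgram_send(systemd_backlight_t)` grants the sendto on /run/systemd/journal/socket through the narrowest possible interface, whereas Dominick's reply shows that systemd_log_parse_environment() already implies logging_send_syslog_msg() (systemd.te line 410 in the linked tree). Suggest calling systemd_log_parse_environment(systemd_backlight_t), or logging_send_syslog_msg() directly, so the domain picks up the journal-socket rule from the same place every other logging client does. The quoted denial for this domain was recorded with permissive=1, so there is no enforcing-mode breakage that would justify keeping the one-off kernel_ grant.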
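Review bot: The systemd_sessions_t hunk fixes the only one of the three quoted denials recorded with permissive=0, i.e. the only case where a domain was actually blocked from sending to the journal socket in enforcing mode; the commit message should call that out as the user-visible breakage this patch addresses. The fix itself should take the same shape as the backlight hunk: prefer logging_send_syslog_msg(systemd_sessions_t) (or systemd_log_parse_environment(), which implies it) over `+kernel_dgram_send(systemd_sessions_t)`, so that this rule is removed together with the others once kernel_dgram_send() moves into logging_send_syslog_msg().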
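The three AVC records at the top of the thread are what the whole discussion keys on: the source type (scontext), the target type kernel_t, the class unix_dgram_socket, the permission sendto, and whether the denial happened in enforcing mode (permissive=0) or was only logged (permissive=1). The parser below, added here as an example and not part of the refpolicy project or of any message in this thread, turns such lines into records and groups them the way a policy reviewer would before deciding which interface to call. The three sample lines are the ones quoted in the mail; the `refpolicy_hint()` helper is hypothetical and encodes only the thread's own conclusion, that sendto to the journal socket should be granted through logging_send_syslog_msg().

```python
import re

# The three AVC records quoted from David Sugar's patch mail (not constructed).
AVC_LINES = [
    'type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for pid=7277 '
    'comm="systemd-backlig" path="/run/systemd/journal/socket" '
    'scontext=system_u:system_r:systemd_backlight_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1',
    'type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for pid=7421 '
    'comm="systemd-user-se" path="/run/systemd/journal/socket" '
    'scontext=system_u:system_r:systemd_sessions_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0',
    'type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for pid=7744 '
    'comm="systemd-cryptse" path="/run/systemd/journal/socket" '
    'scontext=system_u:system_r:lvm_t:s0 '
    'tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1',
]

# Fixed prefix of an AVC record: audit timestamp:serial, result, and the permission set.
_AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for (?P<rest>.*)$'
)
# The remainder is key=value pairs; quoted values (comm, path) may contain spaces.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC line into a dict, or return None if it is not an AVC record."""
    m = _AVC_RE.match(line.strip())
    if not m:
        return None
    rec = {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "result": m.group("result"),
        "perms": m.group("perms").split(),
    }
    for key, val in _KV_RE.findall(m.group("rest")):
        rec[key] = val.strip('"')
    if "pid" in rec:
        rec["pid"] = int(rec["pid"])
    # A context is user:role:type[:range]; policy rules are written on the type.
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    # permissive=0 means the access was actually blocked, not merely logged.
    rec["enforcing"] = rec.get("permissive") == "0"
    return rec


def summarize(lines):
    """Group denials by (source type, target type, class, permission).

    Each group records how many times it was hit, which programs hit it, and
    whether any hit happened with enforcement active.
    """
    groups = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec["result"] != "denied":
            continue
        for perm in rec["perms"]:
            key = (rec["stype"], rec["ttype"], rec["tclass"], perm)
            g = groups.setdefault(key, {"count": 0, "comms": set(), "enforcing": False})
            g["count"] += 1
            g["comms"].add(rec.get("comm", "?"))
            g["enforcing"] = g["enforcing"] or rec["enforcing"]
    return groups


def refpolicy_hint(key):
    """Hypothetical helper: suggest the interface the thread settles on.

    Only the journal-socket case discussed in the mail is recognised; anything
    else returns None so the caller knows a human has to look at it.
    """
    stype, ttype, tclass, perm = key
    if (ttype, tclass, perm) == ("kernel_t", "unix_dgram_socket", "sendto"):
        return f"logging_send_syslog_msg({stype})"
    return None


if __name__ == "__main__":
    for key, g in sorted(summarize(AVC_LINES).items()):
        mode = "ENFORCING" if g["enforcing"] else "permissive"
        print(f"{key[0]:<22} -> {key[1]}:{key[2]} {key[3]}  x{g['count']}  "
              f"[{mode}]  comm={sorted(g['comms'])}  hint={refpolicy_hint(key)}")
```

Grouping on the source type rather than on the pid or comm is deliberate: the AVC for comm="systemd-cryptse" shows up under lvm_t, which is why the patch touches lvm.te, and only the type tells you which .te file and interface are involved. The enforcing flag is what separates the systemd_sessions_t denial (permissive=0, a real failure) from the other two, which were merely logged.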