Return-Path: <SRS0=8pcb=SP=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED
	autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 63E7CC10F11
	for <selinux-refpolicy@archiver.kernel.org>; Sat, 13 Apr 2019 07:54:54 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 2C28C20869
	for <selinux-refpolicy@archiver.kernel.org>; Sat, 13 Apr 2019 07:54:54 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="PVt8yjd+"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726936AbfDMHyx (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Sat, 13 Apr 2019 03:54:53 -0400
Received: from mail-ed1-f68.google.com ([209.85.208.68]:44139 "EHLO
        mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726833AbfDMHyx (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sat, 13 Apr 2019 03:54:53 -0400
Received: by mail-ed1-f68.google.com with SMTP id d11so10290693edp.11
        for <selinux-refpolicy@vger.kernel.org>; Sat, 13 Apr 2019 00:54:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=date:from:to:cc:subject:message-id:mail-followup-to:references
         :mime-version:content-disposition:in-reply-to:user-agent;
        bh=aJb4tczxMNA+QUr45IgR+5rLSWRIn2DcufH5UFRPX4Q=;
        b=PVt8yjd+W5mlRaajZ1aBDKPWnl+QwbZoiGbEfLiIOdRPkKFU1gdk3QDQsFSOUVtzPo
         eveAy9Hip5p87BGWKhRq7CN5Ine0phxwho4HmoDU7SvoT3utZ70ZwkoMWgFcQGm1mAsB
         eVqvP0vqWK7gubeWTxvrnhqmeKSuA6mfhRDPxB9Zi2iMeWrMCr/VyDSjO8YOoaDQtdbe
         6ueObkXSisnOWgjWQfBqFIZtYXoh4r/7NUVbkmqnc9ZPhQAyfy58j+S3H1jTJLKLoc6X
         Cb+IJjW+vXO0IACB00N4ajjmSzObpyUH1IeSN4gMe13eSCJPbmQU0TRBAgZIaMMQ84C9
         dAYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:date:from:to:cc:subject:message-id
         :mail-followup-to:references:mime-version:content-disposition
         :in-reply-to:user-agent;
        bh=aJb4tczxMNA+QUr45IgR+5rLSWRIn2DcufH5UFRPX4Q=;
        b=IXLqm9PfRvF4Cmg1kwJ8B8fzoAjHFsFBy6Jk1L2ZAOlczkfYkQnJ0X7yYwjYbUPP7z
         KwR3LKl3FxhXERuAEuTBzPT2S7/b8D10vPcTlXjut4Yunrs7GEyPHBp4Z0R0JxezMp8Z
         8qgiwE+4Z75EpD3APFwWTSdtvJHkdnGtQnoY8Kb04NPrt4n6qzZWBm5ip7E99AARgjqm
         Hv2OuC0izKmw2rnd4rT8AXfeFXLbLO/ZmAG37oKXd2Zy/61pb+/iEMQuCjAXQnhPITHf
         OOq1Wbb8OU/3/A08QrheFxH50x+yOfFtgv39gTLFvGCrPHWoaymTYvWelA97RXEtyUN6
         WF1Q==
X-Gm-Message-State: APjAAAXZ5WCospjW8k3qylWTyZjIZRCRYhdRAWAJtlkZmXAzzrMPziGt
        XHHC8oLGOch/7nQC3pJNb0im5rZp
X-Google-Smtp-Source: APXvYqwI5ZOigxVbRi2JCdVd0sbvTleimLcxmeYm+9xT0jmRO50eMV8idq7M0fdLLeod293EIy/cSg==
X-Received: by 2002:a50:996d:: with SMTP id l42mr1136703edb.181.1555142091558;
        Sat, 13 Apr 2019 00:54:51 -0700 (PDT)
Received: from brutus.lan (brutus.defensec.nl. [2001:985:d55d::438])
        by smtp.gmail.com with ESMTPSA id x54sm13107198edd.35.2019.04.13.00.54.50
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Sat, 13 Apr 2019 00:54:50 -0700 (PDT)
Date:   Sat, 13 Apr 2019 09:54:48 +0200
From:   Dominick Grift <dac.override@gmail.com>
To:     Russell Coker <russell@coker.com.au>
Cc:     "Sugar, David" <dsugar@tresys.com>,
        "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH 3/3] Some items that seem they can be dontaudited for
 plymouthd
Message-ID: <20190413075448.GB5901@brutus.lan>
Mail-Followup-To: Russell Coker <russell@coker.com.au>,
        "Sugar, David" <dsugar@tresys.com>,
        "selinux-refpolicy@vger.kernel.org" <selinux-refpolicy@vger.kernel.org>
References: <20190412193917.23886-1-dsugar@tresys.com>
 <2319520.MOiGnKPAe5@liv>
 <a539292f-7396-acb3-cb5e-e3415d5cf861@tresys.com>
 <14839769.DdiKdgLD4o@xev>
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha256;
        protocol="application/pgp-signature"; boundary="1LKvkjL3sHcu1TtY"
Content-Disposition: inline
In-Reply-To: <14839769.DdiKdgLD4o@xev>
User-Agent: Every email client sucks, this one just sucks less.
X-PGP-Key: https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org


--1LKvkjL3sHcu1TtY
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Sat, Apr 13, 2019 at 02:24:25PM +1000, Russell Coker wrote:
> On Saturday, 13 April 2019 1:26:06 PM AEST Sugar, David wrote:
> > On 4/12/19 10:33 PM, Russell Coker wrote:
> > > What is netlink_kobject_uevent_socket?  Do we have a place we can doc=
ument
> > > this sort of thing to make it easier to determine whether access is
> > > required and what the implications of such access are?
> >=20
> > I'm really not sure either.  But, please note, that this patch is
> > dontaudit rules to quiet some denials that didn't seem to have any
> > negative side effect.  If this patch isn't applied things will still
> > function, just have some entries in the audit logs.
>=20
> There's a good chance the action in question isn't an accident and some a=
spect=20
> of the program's functionality will be changed.  I think it's best to hav=
e an=20
> idea of what the issue was before putting in a dontaudit rule, if some=20
> configuration of that program actually needs such functionality then a=20
> dontaudit will make it inconvenient to track it down.
>=20
> Have you tried running strace or ltrace to see what it's doing?

I agree that this probably shouldnt be dontaudited. This is a common patter=
n for "udev clients"

The kobject_uevent socket aspect is probably to monitor devices (equivalent=
 to `udevadm monitor`)

>=20
> --=20
> My Main Blog         http://etbe.coker.com.au/
> My Documents Blog    http://doc.coker.com.au/
>=20

--=20
Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6B02
Dominick Grift

--1LKvkjL3sHcu1TtY
Content-Type: application/pgp-signature; name="signature.asc"

-----BEGIN PGP SIGNATURE-----

iQGzBAEBCAAdFiEEujmXliIBLFTc2Y4AJXSOVTf5R2kFAlyxlcQACgkQJXSOVTf5
R2mrAwwAuNQ5KTB39fVuvsp4bGE0p9Xw/3/tr46OJWxZY2/r+nrOSVxYIDYS7WRm
X9WxGZvDDNHHeNwLDzYEL5XB1Uc97aOJ/3wSwzUYp6vLkYiPbTmpUwrdxpX/HOa0
bJddtBnXUuqOXd5rH3sGsgWEMjqO12FdRbUswBhJMG5OJ2f/qld/aBociLPUArEg
sTmRyYMqByhf5w7F8O4G3bMElwqg1uJiS60VxHtp/I4Sp8Bq6gSLJZsc7G25wWp4
Wiqw8RuMV2p9kHR3LysJwMaAcNSYYDZvEap/+IO4VUiWH4yebTe9LOowEllZNrh0
F5JVB92DwCJw34QmmeW33DfzT71BfkNwo9hODBkrkiUiys01D2Hl1HYegknOSZW1
FrRoJCdIBygnHEH5L4X1egrTQmTG1UBN962sZZ6HgCocYorgJrUtwkjpEWmeBBzR
5hvwGKx/QK/nLI/Bt7QbVoLUXfCHj320I+L3MpWXxdQFWYZAELSTzoNfHe/DxZZF
LMdZ+svu
=kSZC
-----END PGP SIGNATURE-----

--1LKvkjL3sHcu1TtY--