Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4256395ybl; Mon, 13 Jan 2020 10:28:06 -0800 (PST) X-Google-Smtp-Source: APXvYqzLaopj98jrwltqxtPCU6OjV0fYBmXnlaSUvROf2+OZpWC5PuAdUzKBwPlkwMWalBs68V9P X-Received: by 2002:aca:481:: with SMTP id 123mr13985798oie.110.1578940086526; Mon, 13 Jan 2020 10:28:06 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1578940086; cv=pass; d=google.com; s=arc-20160816; b=WXKwi74eDo6oJ9veX/7AovtB1QnudjsXqQC+va65ugvf2Gk7EAPmGAxhEKZWX3/V2e cqRltcrakGtvbNHjsrppQQ+jHSR+5U4Sygz0LNUYZElmihbsbjx4eHpVmqN/oudo+6n8 Af8gyAWDxw0H9tcSO3gGQTvxeUT5hlyle6nUGrxXaBud0HuGlM9K3Yld0zP0l9BaHjDK TfNEAo3LfT6T1kCa15Nk2B7rASOreWSrKqVoLr8I3bLuOXx/axik32II7k2XhtZzEafa uvbL+nBFb8Bw0Ez8bcEQ6B3udDd/zNPeArGNXsWc7zKtTgh4ar5txAW3PgzDK/8KTvrj tzBQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-language:accept-language:message-id:date:thread-index :thread-topic:subject:to:from:dkim-signature; bh=5IjwDV5o3vAu5NKSyd+0BsSWZq0/7q9ipAY+LR/hI74=; b=SvZjkce0lPtEIJMoPTtmFl6HJ8cJXl6z/OtzTJLF1uwmEGjVtCjcMN7cV2SHsbK1T6 uBXDW0a67gkqcEcG5ATiIKZnSJMxZd/NzCCEbhBfRprZn6xVaspDe7mj7DK4HHZbEQRp rl1Lofyz9up3yniJvj3Q0/q9QMn6ckfUuVD4WnHRt5qN9zG0XhfoKrQHpNX/YoAExElH vRjfPJi9idFjr7Yrn5eQfSRTPg8H3n6AFbxde21cE1ejDFccBVWP/J6QyYWQdJiqGd0n x+7TsDP6NkXQqqhUi4tkrOD6yBTfpwGmCgSAZLButz08T5/XiiVm4YQ2tazUiWsg84oo MsOw== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b="kXTW/Ep5"; arc=pass (i=1 spf=pass spfdomain=tresys.com dkim=pass dkdomain=tresys.com dmarc=pass fromdomain=tresys.com); spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id b17si6696857otl.320.2020.01.13.10.28.04; Mon, 13 Jan 2020 10:28:06 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b="kXTW/Ep5"; arc=pass (i=1 spf=pass spfdomain=tresys.com dkim=pass dkdomain=tresys.com dmarc=pass fromdomain=tresys.com); spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728714AbgAMS2D (ORCPT + 12 others); Mon, 13 Jan 2020 13:28:03 -0500 Received: from mail-dm6nam10on2110.outbound.protection.outlook.com ([40.107.93.110]:29792 "EHLO NAM10-DM6-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728665AbgAMS2D (ORCPT ); Mon, 13 Jan 2020 13:28:03 -0500 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=EUsvhmd59l0QKP6mYWlMmAPhNS/YTBgufiAf7blN2o5H8f3ivoLgkR9CojpS5RvKYwws7XdmRGAQvDpl7uMOOEp8AvxkHSwSY/7Q3CVg56vOEmG+XByNReSbFbGL/W7DM3NV8rv5NO7pzWUicIUQKCX6E+omiWFla5n3atxjW3hgyxf0GCAZ9J+tX3/blWb22tmtn9xra11CAXFp/nshHV5gaLaZUDWECnnV5fQ3PX24ESf5nkewBopHgzKr/cyO1U6hxwKU4ZDXM5A/ajs9OIw6LBmiejhCnJdbowZgLFfOom6OYjU8Yc1wgzrQ3GEr6UAGbqHhu7BvzgcbHA2lhA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5IjwDV5o3vAu5NKSyd+0BsSWZq0/7q9ipAY+LR/hI74=; b=msvymh5eRh2k1Qe2jHqw9PcW0TkYVlg/8Y1dMPpi12WvsSbuief70B3WfjeGBjdK4V9hybrAM4TMX9QGXJL0QY4tHAnOOEQEMVgwafEun8vKH/8W3ptOKYWLega2aoEVZDjSLoDKOgD+oOFv+iWhyUq5I+y7VjjF0RZVnhzErsuC/TAUPGDL2tmIZELrX89i6zCPzXec6FY2WljXUtQOUuDPvtBW7aIQLibygnRP50tVf2jca4OToMmQOvW70H+T6CKO2IY/0HK4JQcizWeARV447WSBwvGonpe60A/gyAUaxUyVnd93WnCwjCVbls0sP63xbwgVZmQqCofQqx0c0Q== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=tresys.com; dmarc=pass action=none header.from=tresys.com; dkim=pass header.d=tresys.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tresys.onmicrosoft.com; s=selector2-tresys-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=5IjwDV5o3vAu5NKSyd+0BsSWZq0/7q9ipAY+LR/hI74=; b=kXTW/Ep5V8JCVinkaSfh5pdUjrv8okbOCtS4EOZPdRchSveStTJzUlseKlLeCg8Qyk/87txRvMLbGNbUUs5I1Ta/qRH+k2/JO4fHqbwS0/I4lGTrFtLHSFO3P/N2Up6FRtOW1STe16WflFfqvSqDo1akkYMcf3Z9DtTxxIYrVNw= Received: from BYAPR15MB2375.namprd15.prod.outlook.com (52.135.200.157) by BYAPR15MB2903.namprd15.prod.outlook.com (20.178.236.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.9; Mon, 13 Jan 2020 18:28:00 +0000 Received: from BYAPR15MB2375.namprd15.prod.outlook.com ([fe80::f572:9d34:edf6:b415]) by BYAPR15MB2375.namprd15.prod.outlook.com ([fe80::f572:9d34:edf6:b415%5]) with mapi id 15.20.2623.015; Mon, 13 Jan 2020 18:28:00 +0000 Received: from davelaptop.columbia.tresys.com (96.234.151.2) by BL0PR02CA0075.namprd02.prod.outlook.com (2603:10b6:208:51::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.9 via Frontend Transport; Mon, 13 Jan 2020 18:27:59 +0000 From: "Sugar, David" To: "selinux-refpolicy@vger.kernel.org" Subject: [PATCH] Allow audit daemon to halt system Thread-Topic: [PATCH] Allow audit daemon to halt system Thread-Index: AQHVyj8vtwTQ9xpcokeWwo8stMhbsQ== Date: Mon, 13 Jan 2020 18:28:00 +0000 Message-ID: <20200113182743.3502993-1-dsugar@tresys.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [96.234.151.2] x-clientproxiedby: BL0PR02CA0075.namprd02.prod.outlook.com (2603:10b6:208:51::16) To BYAPR15MB2375.namprd15.prod.outlook.com (2603:10b6:a02:91::29) authentication-results: spf=none (sender IP is ) smtp.mailfrom=dsugar@tresys.com; x-ms-exchange-messagesentrepresentingtype: 1 x-mailer: git-send-email 2.24.1 x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: 49c3b9fe-251b-4b15-50a9-08d79856518e x-ms-traffictypediagnostic: BYAPR15MB2903: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:843; x-forefront-prvs: 028166BF91 x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(4636009)(376002)(366004)(136003)(346002)(39830400003)(396003)(189003)(199004)(1076003)(186003)(26005)(7696005)(52116002)(6916009)(16526019)(5660300002)(71200400001)(316002)(2616005)(66446008)(64756008)(66556008)(66476007)(6666004)(36756003)(8676002)(81166006)(956004)(8936002)(6486002)(66946007)(508600001)(2906002)(86362001)(81156014);DIR:OUT;SFP:1102;SCL:1;SRVR:BYAPR15MB2903;H:BYAPR15MB2375.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1; received-spf: None (protection.outlook.com: tresys.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: +ZwcboRfKstQ6ZwYyRxcLDvogI/2D+rOYxdRbCYNN55sYqmAfzQcxRxCIkkIkT3GW1izntw5e14+TkfAOAsX3vPrDX7w2/l1UoG0+yH0FpPoDspyGvUGou1Iu2Ju1j8Ch7qGQe6yS7Nvof7qZVE96bLiqmCloVxGKbZJFP5l3cxbaVxhoPjsaTIqh7/lqmGW6sN4uHHkQEH3ufKqffGM8p4vOSpUq7JWkx2gUX20ht2kVGSK/HpNdo2XNt+erCuNo1FHHdfHFBcxnxV3FVgRBJuXV6fSqvKnUjL4dpLvzCAZTs/Jz1bCTVN57Qbm0Zj4xUZpmkYfLxSt/Ad3DZo8I0kdE78pY/ERLUVXTjVJeAqFsxQ9njX1Ixf8Cidev/ADTdkOAH0yTWrNXq85jGl4hGJWj2rycdbHx4huYc8Zc+1edSrv8gCBUuBglzcdNN12 x-ms-exchange-transport-forked: True Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: tresys.com X-MS-Exchange-CrossTenant-Network-Message-Id: 49c3b9fe-251b-4b15-50a9-08d79856518e X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Jan 2020 18:28:00.0384 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: ZmqgVdhMeukP5F8zt7pf+9J99HN8tlwLIdZo4bJkrXVJt0tmc92UdJnDgMqLdxanil/DHtVpl+rbylcEv4NeYQ== X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR15MB2903 Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org auditd can halt the system for several reasons based on configuration. These mostly revovle around audit partition full issues. I am seeing the following denials when attempting to halt the system. Jan 12 03:38:48 localhost audispd: node=3Dlocalhost type=3DUSER_AVC msg=3Da= udit(1578800328.122:1943): pid=3D1 uid=3D0 auid=3D4294967295 ses=3D42949672= 95 subj=3Dsystem_u:system_r:init_t:s0 msg=3D'avc: denied { start } for au= id=3Dn/a uid=3D0 gid=3D0 path=3D"/usr/lib/systemd/system/poweroff.target" c= mdline=3D"/sbin/init 0" scontext=3Dsystem_u:system_r:auditd_t:s0 tcontext= =3Dsystem_u:object_r:power_unit_t:s0 tclass=3Dservice exe=3D"/usr/lib/syste= md/systemd" sauid=3D0 hostname=3D? addr=3D? terminal=3D?' Jan 12 03:38:48 localhost audispd: node=3Dlocalhost type=3DUSER_AVC msg=3Da= udit(1578800328.147:1944): pid=3D1 uid=3D0 auid=3D4294967295 ses=3D42949672= 95 subj=3Dsystem_u:system_r:init_t:s0 msg=3D'avc: denied { status } for a= uid=3Dn/a uid=3D0 gid=3D0 path=3D"/usr/lib/systemd/system/poweroff.target" = cmdline=3D"/sbin/init 0" scontext=3Dsystem_u:system_r:auditd_t:s0 tcontext= =3Dsystem_u:object_r:power_unit_t:s0 tclass=3Dservice exe=3D"/usr/lib/syste= md/systemd" sauid=3D0 hostname=3D? addr=3D? terminal=3D?' Jan 12 04:44:54 localhost audispd: node=3Dlocalhost type=3DAVC msg=3Daudit(= 1578804294.103:1923): avc: denied { getattr } for pid=3D6936 comm=3D"sys= temctl" path=3D"/run/systemd/system" dev=3D"tmpfs" ino=3D45 scontext=3Dsyst= em_u:system_r:auditd_t:s0 tcontext=3Dsystem_u:object_r:systemd_unit_t:s0 tc= lass=3Ddir permissive=3D1 Signed-off-by: Dave Sugar --- policy/modules/system/logging.te | 6 ++++++ policy/modules/system/systemd.if | 20 ++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/loggi= ng.te index 73ca3042..69349af0 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -224,6 +224,12 @@ ifdef(`distro_ubuntu',` ') ') =20 +ifdef(`init_systemd',` + init_list_unit_dirs(auditd_t) + systemd_start_power_units(auditd_t) + systemd_status_power_units(auditd_t) +') + optional_policy(` mta_send_mail(auditd_t) ') diff --git a/policy/modules/system/systemd.if b/policy/modules/system/syste= md.if index 0fd37fe8..2e9098a2 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -773,6 +773,26 @@ interface(`systemd_start_power_units',` allow $1 power_unit_t:service start; ') =20 +######################################## +## +## Get the system status information about power units +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_status_power_units',` + gen_require(` + type power_unit_t; + class service status; + ') + + allow $1 power_unit_t:service status; +') + + ######################################## ## ## Make the specified type usable for --=20 2.24.1