Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp3842885ybl;
        Tue, 21 Jan 2020 08:04:12 -0800 (PST)
X-Google-Smtp-Source: APXvYqwjCLwBMYX4jS2Nk2S/vtTiIQF8SlKf/d6I598Fn9nzNol+SZp7gx+IOSVOo5ROV7ls1LtS
X-Received: by 2002:aca:cf83:: with SMTP id f125mr3455248oig.15.1579622652655;
        Tue, 21 Jan 2020 08:04:12 -0800 (PST)
ARC-Seal: i=2; a=rsa-sha256; t=1579622652; cv=pass;
        d=google.com; s=arc-20160816;
        b=G0UvhucsY3GYAjrZ0dZlUu0df+8PELIvPeuTHgAzfHIF97IkChWLx2UyTCck75ywKE
         e4Y+nz9Y+JL+y6d5E/WszTbxIC2NmeVGMJsyOXw0Ss4zNOOQ1gTUnNG/oK+lGeEBRbKU
         uqCH9Dz3DjDLH72XkN4XMgUx5I4o+YOaHEpiKbTOtnvV3IvnMeQ4C8eKnXsJXmakZOHD
         gsD4onmEMXLkzYztkFTVWJNlgQf9T2o0UxXxQDu9aAHm4IvNHudjss39J8jIbhkhrs/5
         pZEw6r11zBmFHr/e0WOR1g7HZRoLtBF9p4RAIDS9DX8yoa8Pc9iWTqtLbUm1Lw0Vo/G4
         KuFA==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:content-transfer-encoding
         :content-language:accept-language:message-id:date:thread-index
         :thread-topic:subject:to:from:dkim-signature;
        bh=Lbns+fSaSFWYGzszsrLxMA6dLVjtf4S4AJdenIQP13U=;
        b=A4G0KWoBrfFvL+arUlek1xceRyXZyLgacBpbbznn8RO40NYb1e7OoryuwtEYTJCIwn
         DVTk/NBNgG02rcgjbCRCxNbZzkR/C6QknB0L15eZTeDLh8bnwbQe2cL5wbxfkl9U5xUL
         YG5U73TIFk4petoNcRldgJQjG3T2MQrb2uKJxG9j4msL7RlhWRYUuaGRLQAU4dBq5O7f
         T4MyFaaPEdzsEBaRrhD+4tmf3ztTJNBwqql49fYanr1Ooq68buWM6O52HhMTW44lRlk6
         BupUlUEFHxPrbDdoZSL+pgMlA324vYya9qnrSO4lcAkFMVqUAk0sCaxr60FjH8xiIP9h
         fpOw==
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=Zg6m9XKx;
       arc=pass (i=1 spf=pass spfdomain=tresys.com dkim=pass dkdomain=tresys.com dmarc=pass fromdomain=tresys.com);
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id k2si3570230otp.155.2020.01.21.08.04.10;
        Tue, 21 Jan 2020 08:04:12 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=Zg6m9XKx;
       arc=pass (i=1 spf=pass spfdomain=tresys.com dkim=pass dkdomain=tresys.com dmarc=pass fromdomain=tresys.com);
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1728904AbgAUQEI (ORCPT <rfc822;refpolicysuse@gmail.com>
        + 13 others); Tue, 21 Jan 2020 11:04:08 -0500
Received: from mail-eopbgr700122.outbound.protection.outlook.com ([40.107.70.122]:62432
        "EHLO NAM04-SN1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1729030AbgAUQEH (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 21 Jan 2020 11:04:07 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
 b=hL86XUaF4a2ZuOC7RlkdepbvL/bwXip+I5qW0Nk8o6975ECc9JnXH4DJG2HfLJQGFiTcouvwGlYpcLgZmJQSu/Mnw60ChqX58Bp8YkZWqAYemUV47/F9+tAQ2N5KjtJQIy0lwgt4xfIsFBOvVRE/3YMSJ9i31vUZ6xNZtv7rhmneSK6TufDGKG/z5ZDgvxqJtZ+aD6FNP+3M8h8wAcGUnqHqwKw+0KEGPFb4I3ORNnU/Qg7h/X9J3/h+GGQjQh+Uua8tlY2xnew7Ff0Ku3rFMzUPMRbjFbWivugZClLUpi0pUn76ws6lMeAZYMnML83yAQeG3lEGCfTpFYOLIot8ag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
 s=arcselector9901;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=Lbns+fSaSFWYGzszsrLxMA6dLVjtf4S4AJdenIQP13U=;
 b=B8Xf+gcqwp+E3sJ+FBULNY71FFOksTyAmBxY/qIY7JVZBOm/750Tx3xMrj8Kgq8S1cctj5T+BOmU5tbsRWNvy7ULgLpRZyg/iXtjLrMTvEqCsLXtcv8ChX03sm2UQKNpQ/1jgRrQowqWVKUahvsqBC4oAB9O/BfLneTqH9qtK8Jzjcj+3ISAA68EjUCre9b9cpCiFXyabLgg3B+pb1l/ybIS9HKflPhLcqpSlIvygMUC7R39FF9o5mKxPCbHqFd39dlhyOtfybvFfGJsbHP+q0Tz67D3vG9qErbZ8OrmJX9JvYCaKeFcXHLG+Mz8jVTNkQuq6X0TUprfIsWQ5ILLAw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass
 smtp.mailfrom=tresys.com; dmarc=pass action=none header.from=tresys.com;
 dkim=pass header.d=tresys.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tresys.onmicrosoft.com; s=selector2-tresys-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=Lbns+fSaSFWYGzszsrLxMA6dLVjtf4S4AJdenIQP13U=;
 b=Zg6m9XKxJHWDXnwHDuzoKN7y+zJ9bwVtT75shABCQgqcaJmwpXA4VWeXyC4KMbgqwlTpGWeJ2B6pbIEEDbMFUgVY2Lp7hWAnUeHFoKwJDXzhhGVxlp7rvE52GcJGCIeoqwN3qz5d1IbEH06awE/LFnAm/2u79b5ig5aJaxtItp0=
Received: from BN8PR15MB2659.namprd15.prod.outlook.com (20.179.136.222) by
 BN8PR15MB2755.namprd15.prod.outlook.com (20.179.139.22) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.2644.20; Tue, 21 Jan 2020 16:04:01 +0000
Received: from BN8PR15MB2659.namprd15.prod.outlook.com
 ([fe80::c836:6150:15a0:ea6]) by BN8PR15MB2659.namprd15.prod.outlook.com
 ([fe80::c836:6150:15a0:ea6%6]) with mapi id 15.20.2644.027; Tue, 21 Jan 2020
 16:04:01 +0000
Received: from davelaptop.columbia.tresys.com (96.234.151.2) by BL0PR02CA0046.namprd02.prod.outlook.com (2603:10b6:207:3d::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.17 via Frontend Transport; Tue, 21 Jan 2020 16:04:01 +0000
From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH v2] audit daemon can halt system, allow this to happen.
Thread-Topic: [PATCH v2] audit daemon can halt system, allow this to happen.
Thread-Index: AQHV0HRlEVBVdLnXHUWr4wzeja5gYQ==
Date:   Tue, 21 Jan 2020 16:04:01 +0000
Message-ID: <20200121160346.392210-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [96.234.151.2]
x-clientproxiedby: BL0PR02CA0046.namprd02.prod.outlook.com
 (2603:10b6:207:3d::23) To BN8PR15MB2659.namprd15.prod.outlook.com
 (2603:10b6:408:c3::30)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=dsugar@tresys.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 2.24.1
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 448e746d-cc39-46db-4fa1-08d79e8b87eb
x-ms-traffictypediagnostic: BN8PR15MB2755:
x-microsoft-antispam-prvs: <BN8PR15MB27557F9A665C8BDE5AF627E5B90D0@BN8PR15MB2755.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:843;
x-forefront-prvs: 0289B6431E
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(4636009)(376002)(366004)(396003)(39830400003)(136003)(346002)(189003)(199004)(52116002)(6916009)(2616005)(956004)(36756003)(1076003)(7696005)(26005)(86362001)(2906002)(6486002)(64756008)(66446008)(8676002)(71200400001)(5660300002)(81156014)(81166006)(66946007)(66476007)(66556008)(186003)(508600001)(316002)(8936002)(16526019);DIR:OUT;SFP:1102;SCL:1;SRVR:BN8PR15MB2755;H:BN8PR15MB2659.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: EEHg87+Q7OacQak1jVqb0M745QCPirLp9JKALuM4a0uhK1K4T+6JoAxOgMZ902PHKOyc3prP0t6hB8qgFhodswhSaWDsBRYOO2r3KYoriQL3tIygNWapiVFmcSV6fDv2yAH8YV6ppTUeL70K8PgBWvMcbA/up0fL4V2GjrLJfAzMFFxNWcCju6zXiyP3rarDzNqsUSk7benGe8AiWORHXM14Oxjf+wbU3yADEOtUAGDXaXDVktkCES5YUYOq/V7gUZrvQF6KKSK7kH+mF3ratXvgfjhrk1OG0+/HrwUzm4VqMkH46r3agub3uHaebDoPGUqN0+eMi2sW5c5BZbaBO4iU0gzv1Ph29NoPpDZbg7Nyi7fFbIhyM6qHXTQE0LrM9dRO23cmNEZRTyfMsOyWMYEqhC80oidrlaMdvNR1RYvzotiwQBlEkOvkUL169xVG
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 448e746d-cc39-46db-4fa1-08d79e8b87eb
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jan 2020 16:04:01.5671
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: B52dQW9T6TD0eHFX2RcccVuEwXMY0zEz9t7MRpWbcOWPOk0hStwNy7mJzD4y2YWz9fqizgHo6/XRUaoqoz154w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR15MB2755
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

auditd can halt the system for several reasons based on configuration.
These mostly revovle around audit partition full issues.  I am seeing
the following denials when attempting to halt the system.

Jan 12 03:38:48 localhost audispd: node=3Dlocalhost type=3DUSER_AVC msg=3Da=
udit(1578800328.122:1943): pid=3D1 uid=3D0 auid=3D4294967295 ses=3D42949672=
95 subj=3Dsystem_u:system_r:init_t:s0 msg=3D'avc:  denied  { start } for au=
id=3Dn/a uid=3D0 gid=3D0 path=3D"/usr/lib/systemd/system/poweroff.target" c=
mdline=3D"/sbin/init 0" scontext=3Dsystem_u:system_r:auditd_t:s0 tcontext=
=3Dsystem_u:object_r:power_unit_t:s0 tclass=3Dservice exe=3D"/usr/lib/syste=
md/systemd" sauid=3D0 hostname=3D? addr=3D? terminal=3D?'
Jan 12 03:38:48 localhost audispd: node=3Dlocalhost type=3DUSER_AVC msg=3Da=
udit(1578800328.147:1944): pid=3D1 uid=3D0 auid=3D4294967295 ses=3D42949672=
95 subj=3Dsystem_u:system_r:init_t:s0 msg=3D'avc:  denied  { status } for a=
uid=3Dn/a uid=3D0 gid=3D0 path=3D"/usr/lib/systemd/system/poweroff.target" =
cmdline=3D"/sbin/init 0" scontext=3Dsystem_u:system_r:auditd_t:s0 tcontext=
=3Dsystem_u:object_r:power_unit_t:s0 tclass=3Dservice exe=3D"/usr/lib/syste=
md/systemd" sauid=3D0 hostname=3D? addr=3D? terminal=3D?'
Jan 12 04:44:54 localhost audispd: node=3Dlocalhost type=3DAVC msg=3Daudit(=
1578804294.103:1923): avc:  denied  { getattr } for  pid=3D6936 comm=3D"sys=
temctl" path=3D"/run/systemd/system" dev=3D"tmpfs" ino=3D45 scontext=3Dsyst=
em_u:system_r:auditd_t:s0 tcontext=3Dsystem_u:object_r:systemd_unit_t:s0 tc=
lass=3Ddir permissive=3D1

v2 - use optional rather than ifdef

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/logging.te |  6 ++++++
 policy/modules/system/systemd.if | 20 ++++++++++++++++++++
 2 files changed, 26 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/loggi=
ng.te
index 4c11d061..a4c46c81 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -223,6 +223,12 @@ ifdef(`distro_ubuntu',`
 	')
 ')
=20
+optional_policy(`
+	init_list_unit_dirs(auditd_t)
+	systemd_start_power_units(auditd_t)
+	systemd_status_power_units(auditd_t)
+')
+
 optional_policy(`
 	mta_send_mail(auditd_t)
 ')
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/syste=
md.if
index a49b0f77..8e46f443 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -791,6 +791,26 @@ interface(`systemd_start_power_units',`
 	allow $1 power_unit_t:service start;
 ')
=20
+########################################
+## <summary>
+##	Get the system status information about power units
+## </summary>
+## <param name=3D"domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`systemd_status_power_units',`
+	gen_require(`
+		type power_unit_t;
+		class service status;
+	')
+
+	allow $1 power_unit_t:service status;
+')
+
+
 ########################################
 ## <summary>
 ##	Make the specified type usable for
--=20
2.24.1