Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4777580ybl; Wed, 22 Jan 2020 04:36:03 -0800 (PST) X-Google-Smtp-Source: APXvYqxDpqv7v8k18n1DLPSyt8yofDponrZ+hXsM/kaQSaoIe1svGfYquyXRZcHIx7Ya22XgtTnI X-Received: by 2002:aca:d610:: with SMTP id n16mr844842oig.108.1579696563523; Wed, 22 Jan 2020 04:36:03 -0800 (PST) ARC-Seal: i=2; a=rsa-sha256; t=1579696563; cv=pass; d=google.com; s=arc-20160816; b=u82S3gdxAJnzQj2C+Ce2134Zg0q7ges2d+O30LciuwL6V5zooDJsxq1fs6P8T33197 zTVRDTKNX8DVViXkGlDz5HDs6uuIbuhem6oXDKLg8cMFy7QtqbL408b9eqPhyG5Vk3JS PXJa8PX5e7qLTaZC6beiOhG8YG4qy+cZC0kViceLoW0XIhE3hlp8VvbOTXrPexrzqjvU 6FKyyIm3VDROVI05UDxwpofrWEXpHDqagEgXWXfh6/SaPgaX85QlCjONuoez3m1v2WZi y50uv539zE/AECTx5d7qG5i5YRpwsK5h+SIf2T3i+fsqC2J8v4y5WHnMHKvOffi4+xrO eBLA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:content-transfer-encoding :content-language:accept-language:message-id:date:thread-index :thread-topic:subject:to:from:dkim-signature; bh=1dJF/O2hV3yIUq6b9o5h/0V1yKbyFKcm7XyVR/7qkDs=; b=kwEGWxVcSOQBFOZRH0GhVQRIULcCze2IEmQeqNFxeLUGiZLOVpTxHcU1Z2KwftpSdL FfsIZuYdyD4hsbj2aCp7MtnYUjArhEllMMkYQ2LVwnlXdh6u2rSeBACgxuXxwF2FMilr mkonb8qHAhjpSipC5w64mlE6vZBWMlbbIqvJUNvfD6bjkoMIUErQIyHF+KpQ6mj3W705 IKBd2GwG1sGLqhRBVKi/kkkGQs1Kx12aEEncqGYRevq7rQPLOxbqY5DWS1Fyap9fIKA5 z1kF4Qxpi3Uz6aK1wmuLAgbHc9wHF9y6fXjoZb0HTApDQvHPSo9F/C/scweJWKH2gASr P4Jg== ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=yT54TV0S; arc=pass (i=1 spf=pass spfdomain=tresys.com dkim=pass dkdomain=tresys.com dmarc=pass fromdomain=tresys.com); spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h3si23081845otq.203.2020.01.22.04.35.59; Wed, 22 Jan 2020 04:36:03 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=yT54TV0S; arc=pass (i=1 spf=pass spfdomain=tresys.com dkim=pass dkdomain=tresys.com dmarc=pass fromdomain=tresys.com); spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728916AbgAVMf6 (ORCPT + 13 others); Wed, 22 Jan 2020 07:35:58 -0500 Received: from mail-co1nam11on2102.outbound.protection.outlook.com ([40.107.220.102]:18496 "EHLO NAM11-CO1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728981AbgAVMf6 (ORCPT ); Wed, 22 Jan 2020 07:35:58 -0500 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Hi+JwJoo6hWQkEL3AdeYsaMsUqtbl30DOCHZoNgOvfimeHa9dBUFlMMaDxd8Beg9rrKmxz0J4FU21kZ6RIWgDCEVmptQQrl1KFIpOs0SzpwV6Yw5PZXkkgQHF47zZWQuOwWqSfe9x7FAXxuDxEmITJZn6TcVE5fyC7UZvAbgbI7OB7hyQI2eeBfXlS1AhnVwwZcT7u6jXkpGf1qppixD4Ec67eRqOFuqA1iDbfaK1EXxd4qGpNRPkXey8ZMosvyXcN+lQI6LYwYEjh6bznqEMtNugjjEP5uiOEj4dGX//wHdE9jrS23YdP6IwXUql5WNwd4keod+M8WMeYSw02eD7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1dJF/O2hV3yIUq6b9o5h/0V1yKbyFKcm7XyVR/7qkDs=; b=PXQYokYDUbJTQwqUfrO9/ImMFU+2Z+JcmSHY1PdAZThtRktKcWZy18/Yp5HRHKX1Vxqd1QcQg2KPm2klUcP7USCxjA7YFGtDv9lz1cOsYsqTjfPYvwPwP3aiqug92nHndsEcG47S/mo+Cryo8p5t60rLdZTfs+aFN6p2wBApDdo3u9CCVi/G7A3b2Dn8ZEIwCKY2Xjs0UYISrlt9ZtBjXY9JU/gfrFv+8Co6YfjFe3AqtWa1/sIZcnDnIZt5E79Kg2UYMOgzFMeAm6lcHrqJF+q1qfjPeQ+wFme4BMIgK42FdmYemuQaBIKCxM+CYTT4Vtmn1uDs47oFYyvZMdIHjQ== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=tresys.com; dmarc=pass action=none header.from=tresys.com; dkim=pass header.d=tresys.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=tresys.onmicrosoft.com; s=selector2-tresys-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1dJF/O2hV3yIUq6b9o5h/0V1yKbyFKcm7XyVR/7qkDs=; b=yT54TV0SEhWOXu68hlMMKyyx7TF1/GxFrsj/q3+k89JAhKx7MNZsm7tgFPF0fxk9n2JWagRmAvIF0bEgL6dX5rWXEib0dWg+IxmETbmzhVUGeo2+41j927V3IulbyeWHUywy+zLJOz5T6BBYiU/1wXnvZ4baJGHTxo4off04AzQ= Received: from BN8PR15MB2659.namprd15.prod.outlook.com (20.179.136.222) by BN8PR15MB3251.namprd15.prod.outlook.com (20.179.74.215) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.21; Wed, 22 Jan 2020 12:35:42 +0000 Received: from BN8PR15MB2659.namprd15.prod.outlook.com ([fe80::c836:6150:15a0:ea6]) by BN8PR15MB2659.namprd15.prod.outlook.com ([fe80::c836:6150:15a0:ea6%6]) with mapi id 15.20.2644.027; Wed, 22 Jan 2020 12:35:42 +0000 Received: from davelaptop.columbia.tresys.com (96.234.151.2) by MN2PR06CA0013.namprd06.prod.outlook.com (2603:10b6:208:23d::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2644.23 via Frontend Transport; Wed, 22 Jan 2020 12:35:41 +0000 From: "Sugar, David" To: "selinux-refpolicy@vger.kernel.org" Subject: [PATCH v3] audit daemon can halt system, allow this to happen. Thread-Topic: [PATCH v3] audit daemon can halt system, allow this to happen. Thread-Index: AQHV0SB1BOajcV15tEyBuZYqA36muw== Date: Wed, 22 Jan 2020 12:35:42 +0000 Message-ID: <20200122123529.691385-1-dsugar@tresys.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [96.234.151.2] x-clientproxiedby: MN2PR06CA0013.namprd06.prod.outlook.com (2603:10b6:208:23d::18) To BN8PR15MB2659.namprd15.prod.outlook.com (2603:10b6:408:c3::30) authentication-results: spf=none (sender IP is ) smtp.mailfrom=dsugar@tresys.com; x-ms-exchange-messagesentrepresentingtype: 1 x-mailer: git-send-email 2.24.1 x-ms-publictraffictype: Email x-ms-office365-filtering-correlation-id: dfdc7860-14e0-4d99-df5a-08d79f37980d x-ms-traffictypediagnostic: BN8PR15MB3251: x-microsoft-antispam-prvs: x-ms-oob-tlc-oobclassifiers: OLM:843; x-forefront-prvs: 029097202E x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(4636009)(376002)(136003)(396003)(39840400004)(346002)(366004)(189003)(199004)(81156014)(6916009)(81166006)(16526019)(8936002)(5660300002)(8676002)(2616005)(956004)(86362001)(6486002)(316002)(52116002)(7696005)(36756003)(66446008)(2906002)(186003)(71200400001)(508600001)(64756008)(66556008)(66946007)(1076003)(66476007)(26005);DIR:OUT;SFP:1102;SCL:1;SRVR:BN8PR15MB3251;H:BN8PR15MB2659.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1; received-spf: None (protection.outlook.com: tresys.com does not designate permitted sender hosts) x-ms-exchange-senderadcheck: 1 x-microsoft-antispam: BCL:0; x-microsoft-antispam-message-info: MZ+pBNc74FY6RLcVMLvff3aqgBaIMOkiltQCVQ9t5UK1qPiXPdobbCAAATTC5N6ydYMSxGRsi9mPCoX18aKIXYUvO8NsD4hiFhPMxFZQvf2gC56GB+pBsJcGfueIsoGYGeT52Qu2W7App3ASU2rZAsvvtLSNSgyW4rp+cXOyn5H4owLmjyxgz0/ybIAKihHVGyCYXKPT2VjXe6uewecrkiDM85vtSb+AoHvyz4r0IheROVR8iiL9OuAsAgLx2J/Y6RmgiUzHup1KHwQoU8FLzsbFF5dZQd6rd5wAc4NRR3HddJI18sODTGNcvbf4YgQ7GAFdJl1frU4P9MUlxoHliekBGlqfz+0VowEqHQ6cNlcXAFySgIjDVDhg8czR3+Mrg8x9E25rSqf6v3ViDLDJ5qqKoq571YIcdL62AwABfezgcPTvr53q5OHYAyVvJJjl x-ms-exchange-transport-forked: True Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 X-OriginatorOrg: tresys.com X-MS-Exchange-CrossTenant-Network-Message-Id: dfdc7860-14e0-4d99-df5a-08d79f37980d X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Jan 2020 12:35:42.1007 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed X-MS-Exchange-CrossTenant-mailboxtype: HOSTED X-MS-Exchange-CrossTenant-userprincipalname: CvtA1/G8OVBgycmt1ucBWtZALwOojxMI2OVzmI5oGMjN6r+jqKFB94XSA8Tm5qlXG1PPlzVJfmaLvpPTUzEqxw== X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN8PR15MB3251 Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org auditd can halt the system for several reasons based on configuration. These mostly revovle around audit partition full issues. I am seeing the following denials when attempting to halt the system. Jan 12 03:38:48 localhost audispd: node=3Dlocalhost type=3DUSER_AVC msg=3Da= udit(1578800328.122:1943): pid=3D1 uid=3D0 auid=3D4294967295 ses=3D42949672= 95 subj=3Dsystem_u:system_r:init_t:s0 msg=3D'avc: denied { start } for au= id=3Dn/a uid=3D0 gid=3D0 path=3D"/usr/lib/systemd/system/poweroff.target" c= mdline=3D"/sbin/init 0" scontext=3Dsystem_u:system_r:auditd_t:s0 tcontext= =3Dsystem_u:object_r:power_unit_t:s0 tclass=3Dservice exe=3D"/usr/lib/syste= md/systemd" sauid=3D0 hostname=3D? addr=3D? terminal=3D?' Jan 12 03:38:48 localhost audispd: node=3Dlocalhost type=3DUSER_AVC msg=3Da= udit(1578800328.147:1944): pid=3D1 uid=3D0 auid=3D4294967295 ses=3D42949672= 95 subj=3Dsystem_u:system_r:init_t:s0 msg=3D'avc: denied { status } for a= uid=3Dn/a uid=3D0 gid=3D0 path=3D"/usr/lib/systemd/system/poweroff.target" = cmdline=3D"/sbin/init 0" scontext=3Dsystem_u:system_r:auditd_t:s0 tcontext= =3Dsystem_u:object_r:power_unit_t:s0 tclass=3Dservice exe=3D"/usr/lib/syste= md/systemd" sauid=3D0 hostname=3D? addr=3D? terminal=3D?' Jan 12 04:44:54 localhost audispd: node=3Dlocalhost type=3DAVC msg=3Daudit(= 1578804294.103:1923): avc: denied { getattr } for pid=3D6936 comm=3D"sys= temctl" path=3D"/run/systemd/system" dev=3D"tmpfs" ino=3D45 scontext=3Dsyst= em_u:system_r:auditd_t:s0 tcontext=3Dsystem_u:object_r:systemd_unit_t:s0 tc= lass=3Ddir permissive=3D1 v2 - use optional rather than ifdef v3 - fix order Signed-off-by: Dave Sugar --- policy/modules/system/logging.te | 6 ++++++ policy/modules/system/systemd.if | 20 ++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/policy/modules/system/logging.te b/policy/modules/system/loggi= ng.te index 4c11d061..bce6b4d8 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -231,6 +231,12 @@ optional_policy(` seutil_sigchld_newrole(auditd_t) ') =20 +optional_policy(` + init_list_unit_dirs(auditd_t) + systemd_start_power_units(auditd_t) + systemd_status_power_units(auditd_t) +') + optional_policy(` udev_read_db(auditd_t) ') diff --git a/policy/modules/system/systemd.if b/policy/modules/system/syste= md.if index a49b0f77..8e46f443 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -791,6 +791,26 @@ interface(`systemd_start_power_units',` allow $1 power_unit_t:service start; ') =20 +######################################## +## +## Get the system status information about power units +## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_status_power_units',` + gen_require(` + type power_unit_t; + class service status; + ') + + allow $1 power_unit_t:service status; +') + + ######################################## ## ## Make the specified type usable for --=20 2.24.1