Subject: Re: another memlockd patch
To: Russell Coker, Dominick Grift
Cc: selinux-refpolicy@vger.kernel.org
References: <20200410060317.GB35896@xev> <1765247.TeHuJhGoBa@liv>
From: Chris PeBenito
Message-ID: <62d460c9-c538-7abd-aa7e-822ea9d22139@ieee.org>
Date: Tue, 14 Apr 2020 11:04:46 -0400
In-Reply-To: <1765247.TeHuJhGoBa@liv>
List-ID: selinux-refpolicy@vger.kernel.org

On 4/10/20 5:40 AM, Russell Coker wrote:
> On Friday, 10 April 2020 6:10:57 PM AEST Dominick Grift wrote:
>>> +allow memlockd_t self:unix_dgram_socket { create connect };
>>
>> the unix dgram socket creating is probably redundant and implied with
>> logging_send_logs_msg() as journald uses dgram_sendto for logging?
>
> You are correct, that is redundant. Chris shall I submit the patch again or
> would it be easier to just delete that line when you merge?

Please resubmit with below change too.

>>> +# cache /etc/shadow too
>>> +auth_read_shadow(memlockd_t)
>>
>> Hmm since /etc/shadow is mode 000, how is memlock able to read this
>> without cap_dac_read_search access. is that implied?
>
> /etc/shadow is mode 640 on Debian.
>
> On other distributions the choice is either more permissions for memlockd or a
> configuration that doesn't cache /etc/shadow.

Seems that we need an ifndef(`distro_debian' block with dac_read_search;

-- 
Chris PeBenito
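Review bot: the `create connect` rule on `self:unix_dgram_socket` is a duplicate, since the refpolicy logging interface Dominick points at (`logging_send_syslog_msg()`) already allows the domain to create its own unix_dgram_socket for journald, so the resubmitted patch should drop the `+allow memlockd_t self:unix_dgram_socket { create connect };` line rather than carry a second copy of a rule the interface provides.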
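Review bot: `auth_read_shadow(memlockd_t)` only settles the SELinux side of the access; as raised in the thread, on distributions where /etc/shadow is mode 000 the DAC check still fails unless the memlockd domain also holds `dac_read_search`, so the resubmission should spell out the conditional block Chris proposes, i.e. `ifndef(`distro_debian',` / `allow memlockd_t self:capability dac_read_search;` / `')`, and carry a comment next to it stating that the capability is only needed when the memlockd configuration caches /etc/shadow, so that Debian (where the file is 640) keeps the narrower policy and other distributions can see why the extra capability is granted.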