2011-02-16 06:07:39

by Guido Trentalancia

Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role

This patch adds some permissions (through interface calls) needed
by the sysadm role (in particular logging permissions).

diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
--- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
+++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
@@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
ubac_fd_exempt(sysadm_t)

init_exec(sysadm_t)
+init_stream_connect(sysadm_t)
+
+logging_send_audit_msgs(sysadm_t)
+logging_set_tty_audit(sysadm_t)

# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
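
Review bot: the hunk's commit message says "logging permissions" but does not say which denials or which commands motivated logging_send_audit_msgs(sysadm_t) and logging_set_tty_audit(sysadm_t); from the hunk alone a reviewer cannot tell whether sysadm_t has to emit audit records itself or only configure tty auditing, so the AVC records (tclass and permissions) behind each call should be quoted in the description. Likewise init_stream_connect(sysadm_t) is added next to init_exec(sysadm_t) with no note on why sysadm_t connects to init's stream socket; if this is for telinit-style communication with a particular init implementation, say so, and prefer reusing (or extending to stream sockets) the existing init interface for that path over a separate connect rule that is specific to one init system.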


2011-02-23 14:19:22

by cpebenito

Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role

On 02/16/11 01:07, Guido Trentalancia wrote:
> This patch adds some permissions (through interface calls) needed
> by the sysadm role (in particular logging permissions).
>
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
> ubac_fd_exempt(sysadm_t)
>
> init_exec(sysadm_t)
> +init_stream_connect(sysadm_t)

Is this on an upstart system? If so these two rules should probably
turn into init_telinit() and also that interface updated to handle
stream sockets.

> +logging_send_audit_msgs(sysadm_t)

Why is this necessary?

> +logging_set_tty_audit(sysadm_t)
>
> # Add/remove user home directories
> userdom_manage_user_home_dirs(sysadm_t)

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-02-23 19:28:53

by Guido Trentalancia

Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role

On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:07, Guido Trentalancia wrote:
> > This patch adds some permissions (through interface calls) needed
> > by the sysadm role (in particular logging permissions).
> >
> > diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> > --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
> > +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
> > @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
> > ubac_fd_exempt(sysadm_t)
> >
> > init_exec(sysadm_t)
> > +init_stream_connect(sysadm_t)
>
> Is this on an upstart system? If so these two rules should probably
> turn into init_telinit() and also that interface updated to handle
> stream sockets.

I confirm it's an upstart system. At the moment I can't check about the
interface that you suggest to use. If it is equivalent, then that's
fine. Is it a way to compact things ?

Do you think we should use the upstart boolean here ?

> > +logging_send_audit_msgs(sysadm_t)
>
> Why is this necessary?

I am not sure. If I can get some more insight on this I will let you
know later on or tomorrow.

> > +logging_set_tty_audit(sysadm_t)
> >
> > # Add/remove user home directories
> > userdom_manage_user_home_dirs(sysadm_t)

Regards,

Guido

2011-03-01 19:16:41

by cpebenito

Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role

On 02/23/11 14:28, Guido Trentalancia wrote:
> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
>> On 02/16/11 01:07, Guido Trentalancia wrote:
>>> This patch adds some permissions (through interface calls) needed
>>> by the sysadm role (in particular logging permissions).
>>>
>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
>>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
>>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>>> ubac_fd_exempt(sysadm_t)
>>>
>>> init_exec(sysadm_t)
>>> +init_stream_connect(sysadm_t)
>>
>> Is this on an upstart system? If so these two rules should probably
>> turn into init_telinit() and also that interface updated to handle
>> stream sockets.
>
> I confirm it's an upstart system. At the moment I can't check about the
> interface that you suggest to use. If it is equivalent, then that's
> fine. Is it a way to compact things ?

It's not completely identical, as init_telinit() uses datagram sockets,
and this has stream sockets. But init_telinit() may need to be updated
if upstart changed its socket type.

> Do you think we should use the upstart boolean here ?

No, it's in the init_telinit() interface.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2011-03-01 20:02:01

by Guido Trentalancia

Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role

Hello Christopher !

Finally I am getting back on this...

On Wed, 23/02/2011 at 20.28 +0100, Guido Trentalancia wrote:
> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
> > On 02/16/11 01:07, Guido Trentalancia wrote:
> > > This patch adds some permissions (through interface calls) needed
> > > by the sysadm role (in particular logging permissions).
> > >
> > > diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> > > --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
> > > +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
> > > @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
> > > ubac_fd_exempt(sysadm_t)
> > >
> > > init_exec(sysadm_t)
> > > +init_stream_connect(sysadm_t)
> >
> > Is this on an upstart system? If so these two rules should probably
> > turn into init_telinit() and also that interface updated to handle
> > stream sockets.
>
> I confirm it's an upstart system. At the moment I can't check about the
> interface that you suggest to use. If it is equivalent, then that's
> fine. Is it a way to compact things ?
>
> Do you think we should use the upstart boolean here ?
>
> > > +logging_send_audit_msgs(sysadm_t)
> >
> > Why is this necessary?
>
> I am not sure. If I can get some more insight on this I will let you
> know later on or tomorrow.
>
> > > +logging_set_tty_audit(sysadm_t)
> > >
> > > # Add/remove user home directories
> > > userdom_manage_user_home_dirs(sysadm_t)

I found the following logs about the logging calls:

type=AVC msg=audit(1295734084.283:24): avc: denied { create } for pid=2677 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295734079.261:20): avc: denied { create } for pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295734079.536:21): avc: denied { create } for pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295736796.387:81): avc: denied { nlmsg_relay } for pid=2821 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294619138.946:19637): avc: denied { create } for pid=5744 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294683721.351:42): avc: denied { write } for pid=2670 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket

From the sysadm_t context, I bet this is something interactive from the
console. And I told you already that there are a few problems from the
console. It needs to be checked carefully as soon as you have finished
evaluating and committing the patches that I have already submitted.

Regards,

Guido
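
Triage of AVC records like the ones quoted in this message, as an added example that is not part of the thread and not refpolicy code: it parses audit AVC lines, groups the denied permissions by source type, target type and object class, and names the interface call that would usually cover each group. The interface mapping (INTERFACE_HINTS) is an assumption made here for the two object classes this thread discusses; the unix_stream_socket line in the sample input is constructed, the other lines are the ones quoted above. The parser handles the general AVC record format, not only netlink_audit_socket denials.

```python
"""Group SELinux AVC denials by (source type, target type, class) so that the
permissions behind a proposed policy interface call can be checked.
Added example; not refpolicy code and not from the thread's authors."""
import re
from collections import defaultdict

# Constructed input: four of the netlink_audit_socket denials quoted in the
# thread, plus one constructed unix_stream_socket denial towards init_t so the
# grouping across classes is visible.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1295734084.283:24): avc: denied { create } for pid=2677 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295734079.261:20): avc: denied { create } for pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295736796.387:81): avc: denied { nlmsg_relay } for pid=2821 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294683721.351:42): avc: denied { write } for pid=2670 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294683730.000:43): avc: denied { connectto } for pid=2680 comm="telinit" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
"""

# "avc: denied { perm perm } for key=value key="quoted value" ..."
AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return {'perms': set, 'fields': dict} for one AVC denial, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return {"perms": set(m.group("perms").split()), "fields": fields}


def context_type(ctx):
    """Type component of a user:role:type[:mls] security context."""
    return ctx.split(":")[2]


def summarize(log_text):
    """Map (source type, target type, object class) -> set of denied permissions."""
    summary = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        f = rec["fields"]
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)


# Assumed mapping (not taken from the thread): the refpolicy interface normally
# used to grant a given (target, class) pair. "self" means scontext == tcontext.
INTERFACE_HINTS = {
    ("self", "netlink_audit_socket"): "logging_send_audit_msgs",
    ("init_t", "unix_stream_socket"): "init_stream_connect",
}


def suggest_interfaces(summary):
    """Map an interface call (or an 'unmapped: ...' marker) to its sorted permissions."""
    out = {}
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        target = "self" if stype == ttype else ttype
        iface = INTERFACE_HINTS.get((target, tclass))
        label = f"{iface}({stype})" if iface else f"unmapped: {stype} -> {ttype}:{tclass}"
        out[label] = sorted(perms)
    return out


if __name__ == "__main__":
    for call, perms in suggest_interfaces(summarize(SAMPLE_AUDIT_LOG)).items():
        print(f"{call}  # covers {{ {' '.join(perms)} }}")
```

The self-versus-target distinction matters when reading such a summary: all of the quoted netlink_audit_socket denials have scontext equal to tcontext, so they are a domain operating on its own socket, which is the shape of denial a self-permission interface addresses, whereas a denial towards init_t is a cross-domain rule and belongs to the init module's interfaces.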

2011-03-01 20:07:19

by Guido Trentalancia

Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role

On Tue, 01/03/2011 at 14.16 -0500, Christopher J. PeBenito wrote:
> On 02/23/11 14:28, Guido Trentalancia wrote:
> > On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
> >> On 02/16/11 01:07, Guido Trentalancia wrote:
> >>> This patch adds some permissions (through interface calls) needed
> >>> by the sysadm role (in particular logging permissions).
> >>>
> >>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> >>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
> >>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
> >>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
> >>> ubac_fd_exempt(sysadm_t)
> >>>
> >>> init_exec(sysadm_t)
> >>> +init_stream_connect(sysadm_t)
> >>
> >> Is this on an upstart system? If so these two rules should probably
> >> turn into init_telinit() and also that interface updated to handle
> >> stream sockets.
> >
> > I confirm it's an upstart system. At the moment I can't check about the
> > interface that you suggest to use. If it is equivalent, then that's
> > fine. Is it a way to compact things ?
>
> It's not completely identical, as init_telinit() uses datagram sockets,
> and this has stream sockets. But init_telinit() may need to be updated
> if upstart changed its socket type.
>
> > Do you think we should use the upstart boolean here ?
>
> No, it's in the init_telinit() interface.

That's fine to me, good idea ! As soon as you commit, I will test.

Regards,

Guido

2011-03-01 20:13:17

by Daniel Walsh

Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role

On 03/01/2011 03:02 PM, Guido Trentalancia wrote:
> Hello Christopher !
>
> Finally I am getting back on this...
>
> On Wed, 23/02/2011 at 20.28 +0100, Guido Trentalancia wrote:
>> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
>>> On 02/16/11 01:07, Guido Trentalancia wrote:
>>>> This patch adds some permissions (through interface calls) needed
>>>> by the sysadm role (in particular logging permissions).
>>>>
>>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
>>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
>>>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
>>>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>>>> ubac_fd_exempt(sysadm_t)
>>>>
>>>> init_exec(sysadm_t)
>>>> +init_stream_connect(sysadm_t)
>>>
>>> Is this on an upstart system? If so these two rules should probably
>>> turn into init_telinit() and also that interface updated to handle
>>> stream sockets.
>>
>> I confirm it's an upstart system. At the moment I can't check about the
>> interface that you suggest to use. If it is equivalent, then that's
>> fine. Is it a way to compact things ?
>>
>> Do you think we should use the upstart boolean here ?
>>
>>>> +logging_send_audit_msgs(sysadm_t)
>>>
>>> Why is this necessary?
>>
>> I am not sure. If I can get some more insight on this I will let you
>> know later on or tomorrow.
>>
>>>> +logging_set_tty_audit(sysadm_t)
>>>>
>>>> # Add/remove user home directories
>>>> userdom_manage_user_home_dirs(sysadm_t)
>
> I found the following logs about the logging calls:
>
> type=AVC msg=audit(1295734084.283:24): avc: denied { create } for pid=2677 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295734079.261:20): avc: denied { create } for pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295734079.536:21): avc: denied { create } for pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295736796.387:81): avc: denied { nlmsg_relay } for pid=2821 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1294619138.946:19637): avc: denied { create } for pid=5744 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1294683721.351:42): avc: denied { write } for pid=2670 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
>
> From the sysadm_t context, I bet this is something interactive from the
> console. And I told you already that there are a few problems from the
> console. It needs to be checked carefully as soon as you have finished
> evaluating and committing the patches that I have already submitted.
>
> Regards,
>
> Guido
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

bash has builtin audit logging.

2011-03-04 13:15:20

by cpebenito

Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role

On 03/01/11 15:07, Guido Trentalancia wrote:
> On Tue, 01/03/2011 at 14.16 -0500, Christopher J. PeBenito wrote:
>> On 02/23/11 14:28, Guido Trentalancia wrote:
>>> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
>>>> On 02/16/11 01:07, Guido Trentalancia wrote:
>>>>> This patch adds some permissions (through interface calls) needed
>>>>> by the sysadm role (in particular logging permissions).
>>>>>
>>>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
>>>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
>>>>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
>>>>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>>>>> ubac_fd_exempt(sysadm_t)
>>>>>
>>>>> init_exec(sysadm_t)
>>>>> +init_stream_connect(sysadm_t)
>>>>
>>>> Is this on an upstart system? If so these two rules should probably
>>>> turn into init_telinit() and also that interface updated to handle
>>>> stream sockets.
>>>
>>> I confirm it's an upstart system. At the moment I can't check about the
>>> interface that you suggest to use. If it is equivalent, then that's
>>> fine. Is it a way to compact things ?
>>
>> It's not completely identical, as init_telinit() uses datagram sockets,
>> and this has stream sockets. But init_telinit() may need to be updated
>> if upstart changed its socket type.
>>
>>> Do you think we should use the upstart boolean here ?
>>
>> No, it's in the init_telinit() interface.
>
> That's fine to me, good idea ! As soon as you commit, I will test.

I think you misunderstand. I'm not going to commit it until you can
confirm this is telinit (which also happens when you run shutdown).

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com