LinuxLists.cc - [refpolicy] [PATCH] Allow unconfined domains to use syslog capability

2014-06-09 12:38:45

Subject: [refpolicy] [PATCH] Allow unconfined domains to use syslog capability

When an unconfined_t root user runs dmesg, the kernel complains with
this message in its logs (when SELinux is in enforcing mode):

dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
CAP_SYSLOG (deprecated).

audit.log contains following AVC:

avc: denied { syslog } for pid=16289 comm="dmesg" capability=34
scontext=unconfined_u:unconfined_r:unconfined_t
tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
---
policy/modules/system/unconfined.if | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
index 5ca20a9..2b85a6e 100644
--- a/policy/modules/system/unconfined.if
+++ b/policy/modules/system/unconfined.if
@@ -20,6 +20,7 @@ interface(`unconfined_domain_noaudit',`

# Use most Linux capabilities
allow $1 self:capability ~sys_module;
+ allow $1 self:capability2 syslog;
allow $1 self:fifo_file manage_fifo_file_perms;

# Transition to myself, to make get_ordered_context_list happy.
--
2.0.0

2014-06-09 15:02:28

by cpebenito

[permalink] [raw]

Subject: [refpolicy] [PATCH] Allow unconfined domains to use syslog capability

On 06/09/2014 08:38 AM, Nicolas Iooss wrote:
> When an unconfined_t root user runs dmesg, the kernel complains with
> this message in its logs (when SELinux is in enforcing mode):
>
> dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
> CAP_SYSLOG (deprecated).
>
> audit.log contains following AVC:
>
> avc: denied { syslog } for pid=16289 comm="dmesg" capability=34
> scontext=unconfined_u:unconfined_r:unconfined_t
> tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
> ---
> policy/modules/system/unconfined.if | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/unconfined.if b/policy/modules/system/unconfined.if
> index 5ca20a9..2b85a6e 100644
> --- a/policy/modules/system/unconfined.if
> +++ b/policy/modules/system/unconfined.if
> @@ -20,6 +20,7 @@ interface(`unconfined_domain_noaudit',`
>
> # Use most Linux capabilities
> allow $1 self:capability ~sys_module;
> + allow $1 self:capability2 syslog;
> allow $1 self:fifo_file manage_fifo_file_perms;
>
> # Transition to myself, to make get_ordered_context_list happy.

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com