2014-09-07 21:28:10

by Nicolas Iooss

Subject: [refpolicy] [PATCH v2 1/7] Label systemd files in init module

---
policy/modules/system/init.fc | 6 ++++++
policy/modules/system/init.te | 8 +++++++-
2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index bc0ffc84ed07..417d3580b3a7 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -25,6 +25,7 @@ ifdef(`distro_gentoo',`
ifdef(`distro_gentoo', `
/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
')
+/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)

#
# /sbin
@@ -42,6 +43,8 @@ ifdef(`distro_gentoo', `
#
/usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)

+/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
+
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)

@@ -51,11 +54,14 @@ ifdef(`distro_gentoo', `
#
# /var
#
+/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0)
+
/var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0)
/var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
/var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)

ifdef(`distro_debian',`
/var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
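Review bot: The `/var/run/systemd(/.*)?` entry added in this hunk only takes effect on a relabel (setfiles/restorecon), and /run is normally a tmpfs that systemd repopulates at every boot, so at runtime the directory will carry whatever label the creating domain's type transition yields unless init.te also has a `files_pid_filetrans(init_t, init_var_run_t, dir, "systemd")` (or equivalent) rule. That rule is not part of this patch; if it does not exist elsewhere, the new label is effectively never applied on a running system. The same consideration applies to `/var/lib/systemd(/.*)?` when the directory is first created. The more specific `/var/run/systemd/journal(/.*)?` context added later in the series overrides this one by longest match, which looks intended.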
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 29256b862a64..b57637504939 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -40,12 +40,18 @@ kernel_domtrans_to(init_t, init_exec_t)
role system_r types init_t;

#
-# init_var_run_t is the type for /var/run/shutdown.pid.
+# init_var_run_t is the type for /var/run/shutdown.pid and /var/run/systemd.
#
type init_var_run_t;
files_pid_file(init_var_run_t)

#
+# init_var_lib_t is the type for /var/lib/systemd.
+#
+type init_var_lib_t;
+files_type(init_var_lib_t)
+
+#
# initctl_t is the type of the named pipe created
# by init during initialization. This pipe is used
# to communicate with init.
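Review bot: `init_var_lib_t` is declared with `files_type()` but nothing in this hunk lets init_t create or manage content of that type, and there is no `files_var_lib_filetrans(init_t, init_var_lib_t, dir, "systemd")` transition, so a freshly created /var/lib/systemd would get the generic var_lib label until a relabel. Those rules may live further down in init.te outside this hunk; if they do not, the type is label-only and the comment should say so rather than imply it is in use. Since `init_var_run_t` now covers a whole directory tree rather than a single pid file, the same check (manage rules and a dir transition for "systemd") applies to it.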
--
2.1.0


2014-09-07 21:28:11

by Nicolas Iooss

Subject: [refpolicy] [PATCH v2 2/7] Introduce init_search_run interface

---
policy/modules/system/init.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 15483b04d67f..921796e547e3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1594,6 +1594,25 @@ interface(`init_dontaudit_read_script_status_files',`
dontaudit $1 initrc_state_t:file read_file_perms;
')

+######################################
+## <summary>
+## Search the /run/systemd directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_search_run',`
+ gen_require(`
+ type init_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 init_var_run_t:dir search_dir_perms;
+')
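Review bot: The summary `Search the /run/systemd directory.` is narrower than what the interface grants: `search_dir_perms` applies to every directory labelled init_var_run_t, and the init.te comment earlier in the series says that type also covers /var/run/shutdown.pid. Suggest `## Search init runtime data directories (e.g. /run/systemd).` so callers do not read it as journal-specific. The interface name `init_search_run` is consistent with the `files_search_pids` style, so no change there.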
+
########################################
## <summary>
## Read init script temporary data.
--
2.1.0

2014-09-07 21:28:12

by Nicolas Iooss

Subject: [refpolicy] [PATCH v2 3/7] Label systemd-journald files and directories

---
policy/modules/system/logging.fc | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 428e43f117e5..e32244599625 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -17,6 +17,8 @@
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)

+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/usr/sbin/metalog -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
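Review bot: Only `/usr/lib/systemd/systemd-journald` is labelled syslogd_exec_t here, whereas the init.fc change in the same series labels both `/lib/systemd/systemd` and `/usr/lib/systemd/systemd`. On a layout without a merged /usr, journald under /lib/systemd would presumably keep the generic lib label and be executed by init without a domain transition, running with init's privileges instead of in syslogd_t. Unless the build maps /lib to /usr/lib through file_contexts.subs_dist, add `/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)` alongside the other /lib entries.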
@@ -61,12 +63,17 @@ ifdef(`distro_redhat',`
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
/var/run/log -s gen_context(system_u:object_r:devlog_t,s0)
+/var/run/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+/var/run/log/journal(/.*)? gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/run/metalog\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/rsyslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslogd\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng.ctl -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
/var/run/syslog-ng\.pid -- gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
/var/run/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/systemd/journal(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/systemd/journal/syslog -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)

/var/spool/audit(/.*)? gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
/var/spool/bacula/log(/.*)? gen_context(system_u:object_r:var_log_t,s0)
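Review bot: The new sockets `/var/run/systemd/journal/syslog` and `/var/run/systemd/journal/dev-log` get devlog_t at `mls_systemhigh`, while the existing `/var/run/log -s` devlog_t entry a few lines above stays at `s0`; these are the same kind of object (the socket every domain writes its log messages to), and unless devlog_t is a trusted object in the MLS policy the level decides which senders may write, so one range should be chosen for all devlog_t sockets, matching whatever devices.fc uses for /dev/log. Labelling the whole of `/var/run/systemd/journal(/.*)?` syslogd_var_run_t also catches any other sockets journald creates there (for example stream sockets used for stdout/stderr capture, if present); domains that connect to those would then need write access to syslogd_var_run_t sock_file, which is worth confirming in permissive mode before this lands.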
--
2.1.0

2014-09-07 21:28:13

by Nicolas Iooss

Subject: [refpolicy] [PATCH v2 4/7] Support logging with /run/systemd/journal/dev-log

In June 2014 systemd moved the socket used by journald to /run. This
requires two new directory search permissions for every domain that sends syslog
messages:

* /run/systemd/ (handled by init_search_run)
* /run/systemd/journal/ (labeled syslogd_var_run_t)

systemd commit:
http://cgit.freedesktop.org/systemd/systemd/commit/units/systemd-journald-dev-log.socket?id=03ee5c38cb0da193dd08733fb4c0c2809cee6a99
---
policy/modules/system/logging.if | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4e94884637dc..21c4f522515b 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -530,12 +530,16 @@ interface(`logging_log_filetrans',`
#
interface(`logging_send_syslog_msg',`
gen_require(`
- type syslogd_t, devlog_t;
+ type syslogd_t, syslogd_var_run_t, devlog_t;
')

allow $1 devlog_t:lnk_file read_lnk_file_perms;
allow $1 devlog_t:sock_file write_sock_file_perms;

+ # systemd journal socket is in /run/systemd/journal/dev-log
+ init_search_run($1)
+ allow $1 syslogd_var_run_t:dir search_dir_perms;
+
# the type of socket depends on the syslog daemon
allow $1 syslogd_t:unix_dgram_socket sendto;
allow $1 syslogd_t:unix_stream_socket connectto;
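Review bot: `allow $1 syslogd_var_run_t:dir search_dir_perms;` widens every syslog-sending domain's reach beyond the journal socket directory: syslogd_var_run_t also labels `/var/run/syslog-ng(/.*)?` and the daemons' pid files (per logging.fc in this series), so all of those directories become searchable from every client domain. Search is low impact and the path lookup is genuinely required, but a dedicated type for /run/systemd/journal would keep the grant to the one directory that needs it; at minimum widen the comment to `# /run/systemd (init_var_run_t) and /run/systemd/journal (syslogd_var_run_t) must be searchable to reach the journald sockets`. The interface's closing `')` lies after the end of this hunk.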
--
2.1.0

2014-09-07 21:28:14

by Nicolas Iooss

Subject: [refpolicy] [PATCH v2 5/7] Allow journald to read the kernel ring buffer and to use /dev/kmsg

audit.log shows that journald needs to read the kernel ring buffer:

avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1

Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
---
policy/modules/kernel/devices.if | 18 ++++++++++++++++++
policy/modules/system/logging.te | 3 +++
2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index e9ef45641b6c..9744d63ea7ad 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2198,6 +2198,24 @@ interface(`dev_write_kmsg',`

########################################
## <summary>
+## Read and write to the kernel messages device
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_rw_kmsg',`
+ gen_require(`
+ type device_t, kmsg_device_t;
+ ')
+
+ rw_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
## Get the attributes of the ksm devices.
## </summary>
## <param name="domain">
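Review bot: The new interface's summary `Read and write to the kernel messages device` lacks the trailing period every neighbouring summary in this file carries (`Get the attributes of the ksm devices.`), and does not name the device. Suggest `## Read and write the kernel messages device (/dev/kmsg).` so it reads like the existing dev_write_kmsg entry above it. The body itself follows the usual `rw_chr_files_pattern` shape and needs no change.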
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 7121340c71d6..e0d9b5ec7b34 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -406,6 +406,7 @@ kernel_read_messages(syslogd_t)
kernel_read_vm_sysctls(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
+kernel_read_ring_buffer(syslogd_t)
# /initrd is not umounted before minilog starts
kernel_dontaudit_search_unlabeled(syslogd_t)

@@ -437,6 +438,8 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)

dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
+# Allow access to /dev/kmsg for journald
+dev_rw_kmsg(syslogd_t)

domain_use_interactive_fds(syslogd_t)
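Review bot: The comment `# Allow access to /dev/kmsg for journald` understates both what the rule grants and to whom: `dev_rw_kmsg` gives read and write on the kmsg device to the whole syslogd_t domain, i.e. rsyslog, syslog-ng and metalog as well as journald, and write lets the daemon inject lines into the kernel log. Suggest `# journald reads kernel messages from /dev/kmsg and writes its own there (journald-kmsg.c); syslogd_t has no per-daemon split, so every syslog daemon gets it`. If a `dev_write_kmsg(syslogd_t)` rule already exists elsewhere in this file it is now redundant and could be dropped in the same patch.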

--
2.1.0

2014-09-07 21:28:15

by Nicolas Iooss

Subject: [refpolicy] [PATCH v2 6/7] Allow journald to access to the state of all processes

When a process sends a syslog message to journald, journald records
information such as command, executable, cgroup, etc.:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-server.c?id=v215#n589

This needs domain_read_all_domains_state.
---
policy/modules/system/logging.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index e0d9b5ec7b34..c2fb80d6062e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -442,6 +442,8 @@ dev_read_sysfs(syslogd_t)
dev_rw_kmsg(syslogd_t)

domain_use_interactive_fds(syslogd_t)
+# Allow access to /proc/ information for journald
+domain_read_all_domains_state(syslogd_t)

files_read_etc_files(syslogd_t)
files_read_usr_files(syslogd_t)
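Review bot: `domain_read_all_domains_state(syslogd_t)` grants considerably more than the fields the description says journald records: it covers the readable /proc/&lt;pid&gt; state of every domain on the system, a superset of comm/exe/cgroup, and a compromised or misconfigured syslog daemon then gets that visibility into every process. If a narrower interface that covers only what journald reads exists or can be added, prefer it; otherwise the comment should state the real scope, e.g. `# journald records comm, exe, cgroup, etc. of log senders from /proc/<pid>; this grants read on all domains' /proc state`. As with the /dev/kmsg rule above it, this applies to every syslogd_t implementation, not only journald.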
--
2.1.0

2014-09-07 21:28:16

by Nicolas Iooss

Subject: [refpolicy] [PATCH v2 7/7] Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)

Since commit 0fd9dc55, logging.te contains:

term_write_all_user_ttys(syslogd_t)

As "write" is a superset of "append", this rule is no longer needed:

term_append_unallocated_ttys(syslogd_t)

While at it, add a comment which explains why
term_dontaudit_setattr_unallocated_ttys is needed.
---
policy/modules/system/logging.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index c2fb80d6062e..6b40bd5a146f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -482,7 +482,7 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)
ifdef(`distro_gentoo',`
# default gentoo syslog-ng config appends kernel
# and high priority messages to /dev/tty12
- term_append_unallocated_ttys(syslogd_t)
+ # and chown/chgrp/chmod /dev/tty12, which is denied
term_dontaudit_setattr_unallocated_ttys(syslogd_t)
')
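Review bot: The justification that "write" is a superset of "append" does not hold at the AVC level: SELinux checks `append` for an `O_APPEND` open and `write` for other writable opens, and they are distinct permissions. Dropping `term_append_unallocated_ttys(syslogd_t)` is therefore only safe if `term_write_all_user_ttys` both uses a permission set that includes `append` and targets an attribute that actually covers the unallocated tty type, neither of which this hunk shows; verify with syslog-ng appending to /dev/tty12 on Gentoo in permissive mode and name the permission set in the commit message. The added comment line is helpful, but the two lines now describe only the denied action; consider `# and chown/chgrp/chmod /dev/tty12 (denied here); the write itself is covered by term_write_all_user_ttys`.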

--
2.1.0

2014-09-12 15:31:47

by cpebenito

Subject: [refpolicy] [PATCH v2 1/7] Label systemd files in init module

On 9/7/2014 5:28 PM, Nicolas Iooss wrote:
> ---
> policy/modules/system/init.fc | 6 ++++++
> policy/modules/system/init.te | 8 +++++++-
> 2 files changed, 13 insertions(+), 1 deletion(-)

This set is merged, though I made a few slight tweaks.


> diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
> index bc0ffc84ed07..417d3580b3a7 100644
> --- a/policy/modules/system/init.fc
> +++ b/policy/modules/system/init.fc
> @@ -25,6 +25,7 @@ ifdef(`distro_gentoo',`
> ifdef(`distro_gentoo', `
> /lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
> ')
> +/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
>
> #
> # /sbin
> @@ -42,6 +43,8 @@ ifdef(`distro_gentoo', `
> #
> /usr/bin/sepg_ctl -- gen_context(system_u:object_r:initrc_exec_t,s0)
>
> +/usr/lib/systemd/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
> +
> /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
>
> @@ -51,11 +54,14 @@ ifdef(`distro_gentoo', `
> #
> # /var
> #
> +/var/lib/systemd(/.*)? gen_context(system_u:object_r:init_var_lib_t,s0)
> +
> /var/run/initctl -p gen_context(system_u:object_r:initctl_t,s0)
> /var/run/utmp -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> /var/run/runlevel\.dir gen_context(system_u:object_r:initrc_var_run_t,s0)
> /var/run/random-seed -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> /var/run/setmixer_flag -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/var/run/systemd(/.*)? gen_context(system_u:object_r:init_var_run_t,s0)
>
> ifdef(`distro_debian',`
> /var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 29256b862a64..b57637504939 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -40,12 +40,18 @@ kernel_domtrans_to(init_t, init_exec_t)
> role system_r types init_t;
>
> #
> -# init_var_run_t is the type for /var/run/shutdown.pid.
> +# init_var_run_t is the type for /var/run/shutdown.pid and /var/run/systemd.
> #
> type init_var_run_t;
> files_pid_file(init_var_run_t)
>
> #
> +# init_var_lib_t is the type for /var/lib/systemd.
> +#
> +type init_var_lib_t;
> +files_type(init_var_lib_t)
> +
> +#
> # initctl_t is the type of the named pipe created
> # by init during initialization. This pipe is used
> # to communicate with init.
>

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com