Many systemd services use log_parse_environment and log_open systemd
functions to configure the way they log messages. These functions
require permissions like reading /proc/cmdline and /proc/1/environ to
run properly, and then the service which used them needs to be able to
send messages over /run/systemd/journal/socket Unix socket. When
connecting to the socket, systemd tries to modify the sending buffer
with setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which fails when
CAP_NET_ADMIN is not allowed, in which case it falls back to SO_SNDBUF.
Therfore CAP_NET_ADMIN does not need to be granted to every systemd
service using logging.
As all these accesses are shared among many systemd services, create an
interface to allow them all at once.
---
This is "RFC PATCH" because it might be better to allow these accesses
for each service in systemd.te instead.
In case it is relevant, here are the relevant AVC denials for
systemd-networkd service (which is not handled by refpolicy yet):
type=AVC msg=audit(1452497098.233:181): avc: denied { search } for
pid=848 comm="systemd-network" name="1" dev="proc" ino=11
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:system_r:init_t tclass=dir permissive=1
type=AVC msg=audit(1452497098.233:181): avc: denied { read } for
pid=848 comm="systemd-network" name="environ" dev="proc" ino=12
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:system_r:init_t tclass=file permissive=1
type=AVC msg=audit(1452497098.233:181): avc: denied { open } for
pid=848 comm="systemd-network" path="/proc/1/environ" dev="proc"
ino=12 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:system_r:init_t tclass=file permissive=1
type=AVC msg=audit(1452497098.233:182): avc: denied { read } for
pid=848 comm="systemd-network" name="cmdline" dev="proc" ino=4026531991
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:proc_t tclass=file permissive=1
type=AVC msg=audit(1452497098.233:182): avc: denied { open } for
pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc"
ino=4026531991 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:proc_t tclass=file permissive=1
type=AVC msg=audit(1452497098.233:183): avc: denied { getattr } for
pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc"
ino=4026531991 scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:proc_t tclass=file permissive=1
type=AVC msg=audit(1452497098.233:184): avc: denied { create } for
pid=848 comm="systemd-network"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
permissive=1
type=AVC msg=audit(1452497098.233:185): avc: denied { getopt } for
pid=848 comm="systemd-network"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
permissive=1
type=AVC msg=audit(1452497098.233:186): avc: denied { setopt } for
pid=848 comm="systemd-network"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
permissive=1
type=AVC msg=audit(1452497098.233:186): avc: denied { net_admin } for
pid=848 comm="systemd-network" capability=12
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:system_r:systemd_networkd_t tclass=capability
permissive=1
type=AVC msg=audit(1452497098.233:187): avc: denied { connect } for
pid=848 comm="systemd-network"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
permissive=1
type=AVC msg=audit(1452497098.233:187): avc: denied { write } for
pid=848 comm="systemd-network" name="socket" dev="tmpfs" ino=5214
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1
type=AVC msg=audit(1452497098.233:187): avc: denied { sendto } for
pid=848 comm="systemd-network" path="/run/systemd/journal/socket"
scontext=system_u:system_r:systemd_networkd_t
tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1
policy/modules/system/systemd.if | 42 ++++++++++++++++++++++++++++++++++++++++
policy/modules/system/systemd.te | 14 +++++++-------
2 files changed, 49 insertions(+), 7 deletions(-)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 3cd667000098..9972f6916597 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -171,3 +171,45 @@ interface(`systemd_start_power_units',`
allow $1 power_unit_t:service start;
')
+
+########################################
+## <summary>
+## Allow specified domain to parse environment to set up logging.
+## </summary>
+## <desc>
+## <p>
+## Many systemd services set up their logging by calling
+## functions log_parse_environment() and log_open(), which
+## source codes are available on
+## https://github.com/systemd/systemd/blob/v227/src/basic/log.c
+## </p>
+## <p>
+## Function log_parse_environment calls parse_proc_cmdline,
+## which reads /proc/cmdline and calls detect_container,
+## which reads /proc/1/environ.
+## </p>
+## <p>
+## Function log_open may call log_open_syslog, which calls
+## create_log_socket, which calls fd_inc_sndbuf, which does
+## setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which
+## requires CAP_NET_ADMIN. Nevertheless if the process does not
+## have CAP_NET_ADMIN access, fd_inc_sndbuf falls back to using
+## SO_SNDBUF option, which does not require any capability.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_parse_log_environment',`
+ # Allow to read /proc/1/environ
+ init_read_state($1)
+ # Allow to read /proc/cmdline
+ kernel_read_system_state($1)
+ # Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure
+ dontaudit $1 self:capability net_admin;
+
+ logging_send_syslog_msg($1)
+')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 88924473f7aa..e95d54c4086c 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -120,7 +120,7 @@ kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
init_stream_connect(systemd_cgroups_t)
-logging_send_syslog_msg(systemd_cgroups_t)
+systemd_parse_log_environment(systemd_cgroups_t)
kernel_dgram_send(systemd_cgroups_t)
@@ -133,7 +133,7 @@ kernel_read_kernel_sysctls(systemd_locale_t)
files_read_etc_files(systemd_locale_t)
-logging_send_syslog_msg(systemd_locale_t)
+systemd_parse_log_environment(systemd_locale_t)
seutil_read_file_contexts(systemd_locale_t)
@@ -151,7 +151,7 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
files_read_etc_files(systemd_hostnamed_t)
-logging_send_syslog_msg(systemd_hostnamed_t)
+systemd_parse_log_environment(systemd_hostnamed_t)
seutil_read_file_contexts(systemd_hostnamed_t)
@@ -210,7 +210,7 @@ init_read_state(systemd_logind_t)
locallogin_read_state(systemd_logind_t)
-logging_send_syslog_msg(systemd_logind_t)
+systemd_parse_log_environment(systemd_logind_t)
systemd_start_power_units(systemd_logind_t)
@@ -232,7 +232,7 @@ optional_policy(`
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
-logging_send_syslog_msg(systemd_sessions_t)
+systemd_parse_log_environment(systemd_sessions_t)
#########################################
#
@@ -258,10 +258,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
-logging_send_syslog_msg(systemd_tmpfiles_t)
-
seutil_read_file_contexts(systemd_tmpfiles_t)
+systemd_parse_log_environment(systemd_tmpfiles_t)
+
tunable_policy(`systemd_tmpfiles_manage_all',`
# systemd-tmpfiles can be configured to manage anything.
# have a last-resort option for users to do this.
--
2.7.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Mon, Jan 11, 2016 at 08:07:41PM +0100, Nicolas Iooss wrote:
> Many systemd services use log_parse_environment and log_open systemd
> functions to configure the way they log messages. These functions
> require permissions like reading /proc/cmdline and /proc/1/environ to
> run properly, and then the service which used them needs to be able to
> send messages over /run/systemd/journal/socket Unix socket. When
> connecting to the socket, systemd tries to modify the sending buffer
> with setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which fails when
> CAP_NET_ADMIN is not allowed, in which case it falls back to SO_SNDBUF.
> Therfore CAP_NET_ADMIN does not need to be granted to every systemd
> service using logging.
>
> As all these accesses are shared among many systemd services, create an
> interface to allow them all at once.
I suspect that this is not limited to just systemd services.
Another thing i noticed that they (or some of them) also want to
traverse (or get the attributes of /run/systemd/system)
Anyhow. I probably would keep this seperate from
logging_send_syslog_msg()
You might also be able to use a type attribute here
for example in systemd:
dontaudit parse_log_env_domain_type self:capability net_admin;
kernel_read_system_state(parse_log_env_domain_type)
init_read_state(parse_log_env_domain_type)
Then just associate the type attribute with domain types that do the log
env parsing
logging_send_syslog_msg (mydomain_t)
ifdef(`init_systemd',`
systemd_parse_log_env(mydomain_t)
')
or something...
In my personal dssp policy I just allowed all (journald) log clients to just read
systemd state (my common domains can already read generic proc file by
default) unconditionally. I also allowed log clients to traverse
/run/systemd/system.
I basically use a different module for each log daemon instead of
lumping then all together. It is up to the end-user do pick and choose
the modules to use
> ---
>
> This is "RFC PATCH" because it might be better to allow these accesses
> for each service in systemd.te instead.
>
> In case it is relevant, here are the relevant AVC denials for
> systemd-networkd service (which is not handled by refpolicy yet):
>
> type=AVC msg=audit(1452497098.233:181): avc: denied { search } for
> pid=848 comm="systemd-network" name="1" dev="proc" ino=11
> scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:system_r:init_t tclass=dir permissive=1
> type=AVC msg=audit(1452497098.233:181): avc: denied { read } for
> pid=848 comm="systemd-network" name="environ" dev="proc" ino=12
> scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:system_r:init_t tclass=file permissive=1
> type=AVC msg=audit(1452497098.233:181): avc: denied { open } for
> pid=848 comm="systemd-network" path="/proc/1/environ" dev="proc"
> ino=12 scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:system_r:init_t tclass=file permissive=1
>
> type=AVC msg=audit(1452497098.233:182): avc: denied { read } for
> pid=848 comm="systemd-network" name="cmdline" dev="proc" ino=4026531991
> scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:object_r:proc_t tclass=file permissive=1
> type=AVC msg=audit(1452497098.233:182): avc: denied { open } for
> pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc"
> ino=4026531991 scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:object_r:proc_t tclass=file permissive=1
> type=AVC msg=audit(1452497098.233:183): avc: denied { getattr } for
> pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc"
> ino=4026531991 scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:object_r:proc_t tclass=file permissive=1
>
> type=AVC msg=audit(1452497098.233:184): avc: denied { create } for
> pid=848 comm="systemd-network"
> scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
> permissive=1
> type=AVC msg=audit(1452497098.233:185): avc: denied { getopt } for
> pid=848 comm="systemd-network"
> scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
> permissive=1
> type=AVC msg=audit(1452497098.233:186): avc: denied { setopt } for
> pid=848 comm="systemd-network"
> scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
> permissive=1
> type=AVC msg=audit(1452497098.233:186): avc: denied { net_admin } for
> pid=848 comm="systemd-network" capability=12
> scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:system_r:systemd_networkd_t tclass=capability
> permissive=1
>
> type=AVC msg=audit(1452497098.233:187): avc: denied { connect } for
> pid=848 comm="systemd-network"
> scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket
> permissive=1
> type=AVC msg=audit(1452497098.233:187): avc: denied { write } for
> pid=848 comm="systemd-network" name="socket" dev="tmpfs" ino=5214
> scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1
> type=AVC msg=audit(1452497098.233:187): avc: denied { sendto } for
> pid=848 comm="systemd-network" path="/run/systemd/journal/socket"
> scontext=system_u:system_r:systemd_networkd_t
> tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1
>
> policy/modules/system/systemd.if | 42 ++++++++++++++++++++++++++++++++++++++++
> policy/modules/system/systemd.te | 14 +++++++-------
> 2 files changed, 49 insertions(+), 7 deletions(-)
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 3cd667000098..9972f6916597 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -171,3 +171,45 @@ interface(`systemd_start_power_units',`
>
> allow $1 power_unit_t:service start;
> ')
> +
> +########################################
> +## <summary>
> +## Allow specified domain to parse environment to set up logging.
> +## </summary>
> +## <desc>
> +## <p>
> +## Many systemd services set up their logging by calling
> +## functions log_parse_environment() and log_open(), which
> +## source codes are available on
> +## https://github.com/systemd/systemd/blob/v227/src/basic/log.c
> +## </p>
> +## <p>
> +## Function log_parse_environment calls parse_proc_cmdline,
> +## which reads /proc/cmdline and calls detect_container,
> +## which reads /proc/1/environ.
> +## </p>
> +## <p>
> +## Function log_open may call log_open_syslog, which calls
> +## create_log_socket, which calls fd_inc_sndbuf, which does
> +## setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which
> +## requires CAP_NET_ADMIN. Nevertheless if the process does not
> +## have CAP_NET_ADMIN access, fd_inc_sndbuf falls back to using
> +## SO_SNDBUF option, which does not require any capability.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_parse_log_environment',`
> + # Allow to read /proc/1/environ
> + init_read_state($1)
> + # Allow to read /proc/cmdline
> + kernel_read_system_state($1)
> + # Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure
> + dontaudit $1 self:capability net_admin;
> +
> + logging_send_syslog_msg($1)
> +')
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 88924473f7aa..e95d54c4086c 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -120,7 +120,7 @@ kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
>
> init_stream_connect(systemd_cgroups_t)
>
> -logging_send_syslog_msg(systemd_cgroups_t)
> +systemd_parse_log_environment(systemd_cgroups_t)
>
> kernel_dgram_send(systemd_cgroups_t)
>
> @@ -133,7 +133,7 @@ kernel_read_kernel_sysctls(systemd_locale_t)
>
> files_read_etc_files(systemd_locale_t)
>
> -logging_send_syslog_msg(systemd_locale_t)
> +systemd_parse_log_environment(systemd_locale_t)
>
> seutil_read_file_contexts(systemd_locale_t)
>
> @@ -151,7 +151,7 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
> files_read_etc_files(systemd_hostnamed_t)
>
> -logging_send_syslog_msg(systemd_hostnamed_t)
> +systemd_parse_log_environment(systemd_hostnamed_t)
>
> seutil_read_file_contexts(systemd_hostnamed_t)
>
> @@ -210,7 +210,7 @@ init_read_state(systemd_logind_t)
>
> locallogin_read_state(systemd_logind_t)
>
> -logging_send_syslog_msg(systemd_logind_t)
> +systemd_parse_log_environment(systemd_logind_t)
>
> systemd_start_power_units(systemd_logind_t)
>
> @@ -232,7 +232,7 @@ optional_policy(`
> allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
> files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>
> -logging_send_syslog_msg(systemd_sessions_t)
> +systemd_parse_log_environment(systemd_sessions_t)
>
> #########################################
> #
> @@ -258,10 +258,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
> auth_relabel_login_records(systemd_tmpfiles_t)
> auth_setattr_login_records(systemd_tmpfiles_t)
>
> -logging_send_syslog_msg(systemd_tmpfiles_t)
> -
> seutil_read_file_contexts(systemd_tmpfiles_t)
>
> +systemd_parse_log_environment(systemd_tmpfiles_t)
> +
> tunable_policy(`systemd_tmpfiles_manage_all',`
> # systemd-tmpfiles can be configured to manage anything.
> # have a last-resort option for users to do this.
> --
> 2.7.0
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJWlBNjAAoJECV0jlU3+UdplNkMAI2k9kNPVRUaGHncgsFcl0aM
P+mgPfkU2ObLmExOKr42Zoh3Fm/Th8kNOulxW/5AFxhBRhk5kgDnYzH/fU9kpq2M
NoPINmWqNSyfVt/vK76OMEN4AUTlZZXm3a92xrBbwpNOZO0ZLX9FoEP9KnqSnIQZ
XaaOec52/7ECtrueWxhbA5DRF6MUYdcU/QWk71/IISaep8806dNl8moLvliPBIB3
9qjvo/Q8B7kicr4iY6aPbsHuUY0PPwisJWMmFpfT7uTaaNVX/49ppdO2ROf4xWGF
8md09NI1/HOlFRV9mFNv8sIDUoLO1/qBurWx7X3h02NQzW7qNXZW5FPQ0/VpgoGy
AUgjskKNXYYsOeevmZTFFcO0Sb13MVYHe1H/uO0jt20g2e6Hjb1hqYGAI7K/zuN2
cNzJLk1oNtqHOgmuSOero9cPBF1V4+uGYgprInhrPrTp+9fXQWQEkwwHY2KElC4z
SWnCFBIGH9BnLUcbeaQiRcb3lRAuwR3jH8uKGNY8fw==
=KZ5S
-----END PGP SIGNATURE-----
On 01/11/2016 09:41 PM, Dominick Grift wrote:
> On Mon, Jan 11, 2016 at 08:07:41PM +0100, Nicolas Iooss wrote:
>> Many systemd services use log_parse_environment and log_open systemd
>> functions to configure the way they log messages. These functions
>> require permissions like reading /proc/cmdline and /proc/1/environ to
>> run properly, and then the service which used them needs to be able to
>> send messages over /run/systemd/journal/socket Unix socket. When
>> connecting to the socket, systemd tries to modify the sending buffer
>> with setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which fails when
>> CAP_NET_ADMIN is not allowed, in which case it falls back to SO_SNDBUF.
>> Therfore CAP_NET_ADMIN does not need to be granted to every systemd
>> service using logging.
>
>> As all these accesses are shared among many systemd services, create an
>> interface to allow them all at once.
>
> I suspect that this is not limited to just systemd services.
I have not yet encountered such services, even though I know some
systemd services which I don't know yet where their policy will be in
refpolicy (systemd-cryptsetup, systemd-modules-load, etc.).
> Another thing i noticed that they (or some of them) also want to
> traverse (or get the attributes of /run/systemd/system)
On my system some services also want to send messages through
/run/systemd/notify unix socket. I thus modified init_domain macro to
allow all its users to search /run/systemd and use notify, and as
/run/systemd/system has the same type as /run/systemd for now, I have
not (yet) noticed what you describe. This part of my policy definitely
needs more work before I can submit a proper patch.
> Anyhow. I probably would keep this seperate from
> logging_send_syslog_msg()
All right.
> You might also be able to use a type attribute here
>
> for example in systemd:
>
> dontaudit parse_log_env_domain_type self:capability net_admin;
> kernel_read_system_state(parse_log_env_domain_type)
> init_read_state(parse_log_env_domain_type)
>
> Then just associate the type attribute with domain types that do the log
> env parsing
>
> logging_send_syslog_msg (mydomain_t)
>
> ifdef(`init_systemd',`
> systemd_parse_log_env(mydomain_t)
> ')
>
> or something...
I need to think more often of introducing attributes where it makes
sense, like here, thanks! I will modify it in my policy, test it, and
send a v2 probably not before the week-end.
> In my personal dssp policy I just allowed all (journald) log clients to just read
> systemd state (my common domains can already read generic proc file by
> default) unconditionally. I also allowed log clients to traverse
> /run/systemd/system.
>
> I basically use a different module for each log daemon instead of
> lumping then all together. It is up to the end-user do pick and choose
> the modules to use
As I am running Arch Linux, all programs from systemd are installed by
default. It seems better for my usecase to have a policy for all of
these programs in one module, that I can avoid loading on my (still
existing) other non-systemd systems.
Anyway, thanks for your feedback!
Nicolas
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Mon, Jan 11, 2016 at 11:06:45PM +0100, Nicolas Iooss wrote:
> On 01/11/2016 09:41 PM, Dominick Grift wrote:
> > On Mon, Jan 11, 2016 at 08:07:41PM +0100, Nicolas Iooss wrote:
> >> Many systemd services use log_parse_environment and log_open systemd
> >> functions to configure the way they log messages. These functions
> >> require permissions like reading /proc/cmdline and /proc/1/environ to
> >> run properly, and then the service which used them needs to be able to
> >> send messages over /run/systemd/journal/socket Unix socket. When
> >> connecting to the socket, systemd tries to modify the sending buffer
> >> with setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which fails when
> >> CAP_NET_ADMIN is not allowed, in which case it falls back to SO_SNDBUF.
> >> Therfore CAP_NET_ADMIN does not need to be granted to every systemd
> >> service using logging.
> >
> >> As all these accesses are shared among many systemd services, create an
> >> interface to allow them all at once.
> >
> > I suspect that this is not limited to just systemd services.
>
> I have not yet encountered such services, even though I know some
> systemd services which I don't know yet where their policy will be in
> refpolicy (systemd-cryptsetup, systemd-modules-load, etc.).
I did not have the "init_read_state($1)" as part of my "logging" macro,
and just yesterday i started confining gnome-session and it wanted to
log to journal. It needed to read systemd state as well.
Thus i suspect that gnome-session is one of the services that falls into
this category.
>
> > Another thing i noticed that they (or some of them) also want to
> > traverse (or get the attributes of /run/systemd/system)
>
> On my system some services also want to send messages through
> /run/systemd/notify unix socket. I thus modified init_domain macro to
> allow all its users to search /run/systemd and use notify, and as
> /run/systemd/system has the same type as /run/systemd for now, I have
> not (yet) noticed what you describe. This part of my policy definitely
> needs more work before I can submit a proper patch.
The notify socket is for
http://www.freedesktop.org/software/systemd/man/sd_notify.html i
believe.
I have a seperate macro for that sd.notify_client_subj_type() (or
something along those lines)
I suspect that the traversing of /run/systemd/system is not related to
notify clients. since that location is for runtime units only
processes that log seems of something want to at least get the attribute
of /run/systemd/system , but also systemctl seems to have this requirement.
>
> > Anyhow. I probably would keep this seperate from
> > logging_send_syslog_msg()
>
> All right.
>
> > You might also be able to use a type attribute here
> >
> > for example in systemd:
> >
> > dontaudit parse_log_env_domain_type self:capability net_admin;
> > kernel_read_system_state(parse_log_env_domain_type)
> > init_read_state(parse_log_env_domain_type)
> >
> > Then just associate the type attribute with domain types that do the log
> > env parsing
> >
> > logging_send_syslog_msg (mydomain_t)
> >
> > ifdef(`init_systemd',`
> > systemd_parse_log_env(mydomain_t)
> > ')
> >
> > or something...
>
> I need to think more often of introducing attributes where it makes
> sense, like here, thanks! I will modify it in my policy, test it, and
> send a v2 probably not before the week-end.
>
Yes, there are considerations though. it is not always a good idea and this is a corner case
Remember that the selinux policy language does not allow you to
associate type attributes with type attributes (unlike CIL), so with the
example above something like: systemd_parse_log_env(application_domain),
will not work. Since that would require that you associate
application_domain with parse_log_env_domain_type.
> > In my personal dssp policy I just allowed all (journald) log clients to just read
> > systemd state (my common domains can already read generic proc file by
> > default) unconditionally. I also allowed log clients to traverse
> > /run/systemd/system.
> >
> > I basically use a different module for each log daemon instead of
> > lumping then all together. It is up to the end-user do pick and choose
> > the modules to use
>
> As I am running Arch Linux, all programs from systemd are installed by
> default. It seems better for my usecase to have a policy for all of
> these programs in one module, that I can avoid loading on my (still
> existing) other non-systemd systems.
>
I understand this sentiment, but systemd is supposed to be modular, just
because you have for example systemd-nspawn/machined installed does not
mean you have to use it, same goes for other components.
There is this ongoing urge in some distributions to rethink how its
packaged, but a few people are opposed to it.
The issue i see with this approach of consolidation is that it sets a
precedent, and when all said and done because of all these little
compromises the policy ends up much less customizable/modular, and
modules are not as tailored as the could be.
To what end? Just so that users do not have to profile anymore?
well that is working because i know of very little people that actually
take time to do profiling and customize their collection of modules when
they enable selinux. (and i do not think that is neccesarily a good thing)
> Anyway, thanks for your feedback!
>
> Nicolas
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
- --
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQGcBAEBCAAGBQJWlLl+AAoJECV0jlU3+UdpYAcL/R15Ui4XoVg/Z5KFF8H76iyu
+1Ipa+MRb2eyyqvr8i2c22qtt+LiToDjwzb8YbtLIpyDW4/UqzcdnTvAtE9SbiIZ
0sI/7XjSOUyeKgmNk8Rom00RCKAaUF/lGxrlAvbNb8ZEmnvYlQT2xAAHRHm+PmCT
upFkVDFJGr6o26t56YUJujncTvIelwpbLflvJpbODia/J1lD4fuRTS2dxVVWPQBp
QmT4wFjfxMLgB3Zzm5RuyeShhrR1A/gSFSIztSaTUUusykxjkHxGrcIxMyjtbCMD
a3Q9gmedwEs6xW+V9y1HC6ABURwgB2mNShwk3XJdX8FLkOJ2Zb53dMceWZLrelyd
harOeDA3spWNl442fFq6vveHaV5p4pu6YVm1/0irOiOoxAtn5V1S98HorhRsIE84
5BL1zW7IFKcYac8nGkKparQdh/X4A3fPm12wpAFjXPZHA1ZbImXVWhe4vBtaCbJb
K9NrlXsosCVmhnJ+rPtbIh/gPsSINzMPek6jOWZV+Q==
=ONov
-----END PGP SIGNATURE-----