https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=
see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/systemd.if | 19 ++++++++++++++++++
policy/modules/system/systemd.te | 43 +++++++++++++++++++++++++++-------------
2 files changed, 48 insertions(+), 14 deletions(-)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 3cd6670..705cbaa 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2,6 +2,25 @@
######################################
## <summary>
+## Make the specified type usable as an
+## log parse environment type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a log parse environment type.
+## </summary>
+## </param>
+#
+interface(`systemd_log_parse_environment',`
+ gen_require(`
+ attribute systemd_log_parse_env_type;
+ ')
+
+ typeattribute $1 systemd_log_parse_env_type;
+')
+
+######################################
+## <summary>
## Read systemd_login PID files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 60a75fa..63f1a9b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3)
## </desc>
gen_tunable(systemd_tmpfiles_manage_all, false)
+attribute systemd_log_parse_env_type;
+
type systemd_activate_t;
type systemd_activate_exec_t;
init_system_domain(systemd_activate_t, systemd_activate_exec_t)
@@ -113,16 +115,32 @@ init_unit_file(power_unit_t)
######################################
#
+# systemd log parse enviroment
+#
+
+dontaudit systemd_log_parse_env_type self:capability net_admin;
+
+kernel_read_system_state(systemd_log_parse_env_type)
+
+dev_write_kmsg(systemd_log_parse_env_type)
+
+term_use_console(systemd_log_parse_env_type)
+
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)
+
+######################################
+#
# Cgroups local policy
#
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+kernel_dgram_send(systemd_cgroups_t)
init_stream_connect(systemd_cgroups_t)
-logging_send_syslog_msg(systemd_cgroups_t)
-
-kernel_dgram_send(systemd_cgroups_t)
+systemd_log_parse_environment(systemd_cgroups_t)
#######################################
#
@@ -133,10 +151,10 @@ kernel_read_kernel_sysctls(systemd_locale_t)
files_read_etc_files(systemd_locale_t)
-logging_send_syslog_msg(systemd_locale_t)
-
seutil_read_file_contexts(systemd_locale_t)
+systemd_log_parse_environment(systemd_locale_t)
+
optional_policy(`
dbus_connect_system_bus(systemd_locale_t)
dbus_system_bus_client(systemd_locale_t)
@@ -151,10 +169,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
files_read_etc_files(systemd_hostnamed_t)
-logging_send_syslog_msg(systemd_hostnamed_t)
-
seutil_read_file_contexts(systemd_hostnamed_t)
+systemd_log_parse_environment(systemd_hostnamed_t)
+
optional_policy(`
dbus_system_bus_client(systemd_hostnamed_t)
dbus_connect_system_bus(systemd_hostnamed_t)
@@ -207,13 +225,10 @@ init_start_all_units(systemd_logind_t)
init_stop_all_units(systemd_logind_t)
init_service_status(systemd_logind_t)
init_service_start(systemd_logind_t)
-# This is for reading /proc/1/cgroup
-init_read_state(systemd_logind_t)
locallogin_read_state(systemd_logind_t)
-logging_send_syslog_msg(systemd_logind_t)
-
+systemd_log_parse_environment(systemd_logind_t)
systemd_start_power_units(systemd_logind_t)
udev_read_db(systemd_logind_t)
@@ -234,7 +249,7 @@ optional_policy(`
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
-logging_send_syslog_msg(systemd_sessions_t)
+systemd_log_parse_environment(systemd_sessions_t)
#########################################
#
@@ -260,10 +275,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
-logging_send_syslog_msg(systemd_tmpfiles_t)
-
seutil_read_file_contexts(systemd_tmpfiles_t)
+systemd_log_parse_environment(systemd_tmpfiles_t)
+
tunable_policy(`systemd_tmpfiles_manage_all',`
# systemd-tmpfiles can be configured to manage anything.
# have a last-resort option for users to do this.
--
2.5.5
Hello,
Thanks for having taken care of this. I have been very busy in the past few
weeks and I focused my "SELinux policy development" work (which I do in my
scarce free time) more on some systemd daemons
(systemd-binfmt, systemd-modules-load, systemd-rfkill...).
This patch looks good to me except that the "dontaudit
systemd_log_parse_env_type self:capability net_admin;" statement might need
a comment like "Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE,
...) failure" (as I already commented in
https://github.com/TresysTechnology/refpolicy/pull/22#issuecomment-177171871
).
Nicolas
On Mon, Mar 28, 2016 at 4:45 PM, Dominick Grift <[email protected]>
wrote:
> https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=
>
> see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22
>
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/systemd.if | 19 ++++++++++++++++++
> policy/modules/system/systemd.te | 43
> +++++++++++++++++++++++++++-------------
> 2 files changed, 48 insertions(+), 14 deletions(-)
>
> diff --git a/policy/modules/system/systemd.if
> b/policy/modules/system/systemd.if
> index 3cd6670..705cbaa 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -2,6 +2,25 @@
>
> ######################################
> ## <summary>
> +## Make the specified type usable as an
> +## log parse environment type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a log parse environment type.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_log_parse_environment',`
> + gen_require(`
> + attribute systemd_log_parse_env_type;
> + ')
> +
> + typeattribute $1 systemd_log_parse_env_type;
> +')
> +
> +######################################
> +## <summary>
> ## Read systemd_login PID files.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/system/systemd.te
> b/policy/modules/system/systemd.te
> index 60a75fa..63f1a9b 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3)
> ## </desc>
> gen_tunable(systemd_tmpfiles_manage_all, false)
>
> +attribute systemd_log_parse_env_type;
> +
> type systemd_activate_t;
> type systemd_activate_exec_t;
> init_system_domain(systemd_activate_t, systemd_activate_exec_t)
> @@ -113,16 +115,32 @@ init_unit_file(power_unit_t)
>
> ######################################
> #
> +# systemd log parse enviroment
> +#
> +
> +dontaudit systemd_log_parse_env_type self:capability net_admin;
> +
> +kernel_read_system_state(systemd_log_parse_env_type)
> +
> +dev_write_kmsg(systemd_log_parse_env_type)
> +
> +term_use_console(systemd_log_parse_env_type)
> +
> +init_read_state(systemd_log_parse_env_type)
> +
> +logging_send_syslog_msg(systemd_log_parse_env_type)
> +
> +######################################
> +#
> # Cgroups local policy
> #
>
> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
> +kernel_dgram_send(systemd_cgroups_t)
>
> init_stream_connect(systemd_cgroups_t)
>
> -logging_send_syslog_msg(systemd_cgroups_t)
> -
> -kernel_dgram_send(systemd_cgroups_t)
> +systemd_log_parse_environment(systemd_cgroups_t)
>
> #######################################
> #
> @@ -133,10 +151,10 @@ kernel_read_kernel_sysctls(systemd_locale_t)
>
> files_read_etc_files(systemd_locale_t)
>
> -logging_send_syslog_msg(systemd_locale_t)
> -
> seutil_read_file_contexts(systemd_locale_t)
>
> +systemd_log_parse_environment(systemd_locale_t)
> +
> optional_policy(`
> dbus_connect_system_bus(systemd_locale_t)
> dbus_system_bus_client(systemd_locale_t)
> @@ -151,10 +169,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
> files_read_etc_files(systemd_hostnamed_t)
>
> -logging_send_syslog_msg(systemd_hostnamed_t)
> -
> seutil_read_file_contexts(systemd_hostnamed_t)
>
> +systemd_log_parse_environment(systemd_hostnamed_t)
> +
> optional_policy(`
> dbus_system_bus_client(systemd_hostnamed_t)
> dbus_connect_system_bus(systemd_hostnamed_t)
> @@ -207,13 +225,10 @@ init_start_all_units(systemd_logind_t)
> init_stop_all_units(systemd_logind_t)
> init_service_status(systemd_logind_t)
> init_service_start(systemd_logind_t)
> -# This is for reading /proc/1/cgroup
> -init_read_state(systemd_logind_t)
>
> locallogin_read_state(systemd_logind_t)
>
> -logging_send_syslog_msg(systemd_logind_t)
> -
> +systemd_log_parse_environment(systemd_logind_t)
> systemd_start_power_units(systemd_logind_t)
>
> udev_read_db(systemd_logind_t)
> @@ -234,7 +249,7 @@ optional_policy(`
> allow systemd_sessions_t systemd_sessions_var_run_t:file
> manage_file_perms;
> files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>
> -logging_send_syslog_msg(systemd_sessions_t)
> +systemd_log_parse_environment(systemd_sessions_t)
>
> #########################################
> #
> @@ -260,10 +275,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
> auth_relabel_login_records(systemd_tmpfiles_t)
> auth_setattr_login_records(systemd_tmpfiles_t)
>
> -logging_send_syslog_msg(systemd_tmpfiles_t)
> -
> seutil_read_file_contexts(systemd_tmpfiles_t)
>
> +systemd_log_parse_environment(systemd_tmpfiles_t)
> +
> tunable_policy(`systemd_tmpfiles_manage_all',`
> # systemd-tmpfiles can be configured to manage anything.
> # have a last-resort option for users to do this.
> --
> 2.5.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20160330/7a5c021d/attachment.html