From: vaclav.ovsik@i.cz (=?iso-8859-2?Q?V=E1clav_Ovs=EDk?=)
Date: Mon, 1 Sep 2008 17:41:27 +0200
Subject: [refpolicy] Debian: logrotate_t needs to execute syslogd
	(test	-x syslogd)
In-Reply-To: <48B80C62.3080703@redhat.com>
	<1220020690.22710.42.camel@gorn.columbia.tresys.com>
References: <20080827163048.GA7735@bobek.pm.i.cz>
	<1220020690.22710.42.camel@gorn.columbia.tresys.com>
	<48B80C62.3080703@redhat.com> <20080827163048.GA7735@bobek.pm.i.cz>
	<1220020690.22710.42.camel@gorn.columbia.tresys.com>
Message-ID: <20080901154127.GA29443@bobek.pm.i.cz>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Fri, Aug 29, 2008 at 10:49:06AM -0400, Daniel J Walsh wrote:
> Christopher J. PeBenito wrote:
> > On Wed, 2008-08-27 at 18:30 +0200, V?clav Ovs?k wrote:
> >> Hi,
> >> while running cron.daily script /etc/cron.daily/sysklogd following
> >> denials appeared:
> >>
> >> Aug 27 13:13:50 sid kernel: [  554.238311] type=1400
> >> audit(1219835630.106:5): avc:  denied  { execute } for  pid=5273
> >> comm="sysklogd" name="syslogd" dev=hda2 ino=28
> >> scontext=unconfined_u:system_r:logrotate_t:s0
> >> tcontext=system_u:object_r:syslogd_exec_t:s0 tclass=file
> >> Aug 27 13:13:50 sid kernel: [  554.243321] type=1300
> >> audit(1219835630.106:5): arch=40000003 syscall=33 success=no exit=-13
> >> a0=9d1c0a8 a1=1 a2=b7ef7ff4 a3=0 items=0 ppid=5161 pid=5273
> >> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> >> fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/bash"
> >> subj=unconfined_u:system_r:logrotate_t:s0 key=(null)
> >>
> >> This is caused by line:
> >>
> >>     test -x /sbin/syslogd || exit 0
> >>
> > 
> >> @@ -133,6 +133,9 @@
> >>  
> >>         # for syslogd-listfiles
> >>         logging_read_syslog_config(logrotate_t)
> >> +
> >> +        # for "test -x /sbin/syslogd"
> >> +       logging_domtrans_syslog(logrotate_t)
> >>  ')
> >>  
> >>  optional_policy(`
> > 
> > No.  Based on the above, this is too much access.  Logging needs an
> > interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
> > 
> logrotate regularly restarts services and sends services signals.
> 
> service abc reload
> service abc restart
> 
> So to work without any avc's you really need to allow logratate to
> transition to initrc_t.  Which is why in Fedora policy we have
> 
> # cjp: why is this needed?
> init_domtrans_script(logrotate_t)


This is even in upstream refpolicy and restarting really works on Debian.
Restart is done at the end of script /etc/cron.daily/sysklogd by running:

...
  # Restart syslogd
  #
  /etc/init.d/sysklogd reload-or-restart > /dev/null

So through initrc_t like in Fedora.

The problem is sanity checks at start of script. These contain
"test -x /sbin/syslogd". Script exits if this test fails (SE Linux
Enforced mode).



On Fri, Aug 29, 2008 at 10:38:10AM -0400, Christopher J. PeBenito wrote:
...

> No.  Based on the above, this is too much access.  Logging needs an
> interface like corecmd_check_exec_shell(), but for syslogd_exec_t.
> 
> -- 
> Chris PeBenito
> Tresys Technology, LLC
> (410) 290-1411 x150

Thank you for the great example. A new patch based on it is attached. It
can be applied to current HEAD of refpolicy.

Regards
-- 
Zito
-------------- next part --------------
Index: selinux-policy-src/policy/modules/admin/logrotate.te
===================================================================
--- selinux-policy-src.orig/policy/modules/admin/logrotate.te	2008-08-27 17:27:48.000000000 +0200
+++ selinux-policy-src/policy/modules/admin/logrotate.te	2008-09-01 17:11:30.000000000 +0200
@@ -137,6 +137,9 @@
 
 	# for syslogd-listfiles
 	logging_read_syslog_config(logrotate_t)
+
+        # for "test -x /sbin/syslogd"
+	logging_check_exec_syslog(logrotate_t)
 ')
 
 optional_policy(`
Index: selinux-policy-src/policy/modules/system/logging.if
===================================================================
--- selinux-policy-src.orig/policy/modules/system/logging.if	2008-09-01 17:06:01.000000000 +0200
+++ selinux-policy-src/policy/modules/system/logging.if	2008-09-01 17:23:09.000000000 +0200
@@ -283,6 +283,26 @@
 
 ########################################
 ## <summary>
+##	Check if syslogd is executable (DAC-wise).
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_check_exec_syslog',`
+	gen_require(`
+		syslogd_exec_t;
+	')
+
+	corecmd_list_bin($1)
+	corecmd_read_bin_symlinks($1)
+	allow $1 syslogd_exec_t:file execute;
+')
+
+########################################
+## <summary>
 ##	Execute syslogd in the syslog domain.
 ## </summary>
 ## <param name="domain">