From: harrytaurus2002@hotmail.com (HarryCiao)
Date: Thu, 24 Feb 2011 10:44:25 +0000
Subject: [refpolicy] Separate type for AF_UNIX socket created by syslogd_t
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hi,

Since syslogd_t runs at mls_systemhigh, both the /dev/log file and the unix_dgram_socket object bound to it are at mls_systemhigh, so other application domains such as klogd_t, running at a lower security level, fail to "sendto" it.

One possible solution is to add syslogd_t to the mlstrustedobject attribute, since the unix_dgram_socket object inherits the creator's SID by default. However, the side effect is that syslogd_t is also the label for all of syslogd's procfs entries.

The attached two patches aim to resolve this problem while eliminating that side effect, by declaring a separate type, syslogd_s_t, for the unix_dgram_socket object created by syslogd_t, which alone could be added to the mlstrustedobject attribute. Thanks to Stephen's suggestion, security_transition_sid() would be called in socket_sockcreate_sid() to query the relevant type_transition rule, say in logging.pp, for any newly created socket.

After applying these two patches the errors below no longer appear:

type=1400 audit(1298535101.654:868): avc: denied { sendto } for pid=385 comm="klogd" path="/dev/log" scontext=system_u:object_r:klogd_t:s0 tcontext=system_u:object_r:syslogd_t:s15:c0.c1023 tclass=unix_dgram_socket

BTW, do we have a way to actually display the label of the unix_dgram_socket that is bound to /dev/log?

Any comments are greatly appreciated! Thanks a lot!

Best regards,
Harry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Specify-a-separate-socket-type-for-syslogd_t.patch
Type: text/x-patch
Size: 3419 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110224/fac899ee/attachment-0002.bin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Compute-socket-SID.patch
Type: text/x-patch
Size: 2269 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20110224/fac899ee/attachment-0003.bin
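The policy side of the approach described in the mail, written out as an added illustration in refpolicy style. This is not the content of the attached patches, which are not reproduced on this page: the type name syslogd_s_t is the one proposed in the mail, mls_trusted_object(), logging_send_syslog_msg() and create_socket_perms are existing refpolicy names, and the exact permission set granted to syslogd_t on the new type is an assumption.

```selinux
# Added illustration, not the attached 0001-Specify-a-separate-socket-type
# patch. Assumes the type name syslogd_s_t from the mail; the permission
# set below is an assumption, not taken from the patch.

########################################
#
# Declarations
#

# A type that labels only the sockets syslogd_t creates, so that adding it
# to mlstrustedobject does not also exempt syslogd's procfs entries, which
# stay labelled syslogd_t at mls_systemhigh.
type syslogd_s_t;
mls_trusted_object(syslogd_s_t)

########################################
#
# Local policy
#

# With the 0001-Compute-socket-SID kernel patch, socket_sockcreate_sid()
# calls security_transition_sid() with the creating task as both source
# and target, so a type_transition on the socket class takes effect.
# Without that kernel change sockets simply inherit the creator's SID and
# this rule is never consulted.
type_transition syslogd_t syslogd_t:unix_dgram_socket syslogd_s_t;

# syslogd_t now owns sockets of a different type than itself and must be
# allowed to create, bind and use them.
allow syslogd_t syslogd_s_t:unix_dgram_socket create_socket_perms;

# Lower-level senders (klogd_t in the denial quoted above) need sendto on
# the new socket type; the MLS constraint is what mlstrustedobject lifts.
# In refpolicy this would belong in logging_send_syslog_msg(), which today
# grants sendto on syslogd_t, rather than as a direct rule on klogd_t.
allow klogd_t syslogd_s_t:unix_dgram_socket sendto;
```

Two checks worth doing before relying on this: confirm in policy/mls that the sendto constraint on unix_dgram_socket actually lists t2 == mlstrustedobject as an escape (the attribute only helps against constraints that mention it), and confirm that the running kernel carries the socket-SID change, because on an unpatched kernel the type_transition compiles cleanly but the socket still comes up as syslogd_t and the denial in the mail persists.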