From: guido@trentalancia.com (Guido Trentalancia)
Date: Tue, 01 Mar 2011 21:02:01 +0100
Subject: [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
In-Reply-To: <1298489333.22930.14.camel@tesla.lan>
References: <1297836459.3205.45.camel@tesla.lan> <4D65176A.3050008@tresys.com> <1298489333.22930.14.camel@tesla.lan>
Message-ID: <1299009721.14035.11.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Christopher !

Finally I am getting back on this...

On Wed, 23/02/2011 at 20.28 +0100, Guido Trentalancia wrote:
> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
> > On 02/16/11 01:07, Guido Trentalancia wrote:
> > > This patch adds some permissions (through interface calls) needed
> > > by the sysadm role (in particular logging permissions).
> > >
> > > diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> > > --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te 2011-01-08 19:07:21.214736932 +0100
> > > +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te 2011-02-15 23:10:39.681408593 +0100
> > > @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
> > > ubac_fd_exempt(sysadm_t)
> > >
> > > init_exec(sysadm_t)
> > > +init_stream_connect(sysadm_t)
> >
> > Is this on an upstart system? If so these two rules should probably
> > turn into init_telinit() and also that interface updated to handle
> > stream sockets.
>
> I confirm it's an upstart system. At the moment I can't check about the
> interface that you suggest to use. If it is equivalent, then that's
> fine. Is it a way to compact things ?
>
> Do you think we should use the upstart boolean here ?
>
> > > +logging_send_audit_msgs(sysadm_t)
> >
> > Why is this necessary?
>
> I am not sure. If I can get some more insight on this I will let you
> know later on or tomorrow.
>
> > > +logging_set_tty_audit(sysadm_t)
> > >
> > > # Add/remove user home directories
> > > userdom_manage_user_home_dirs(sysadm_t)

I found the following logs about the logging calls:

type=AVC msg=audit(1295734084.283:24): avc: denied { create } for pid=2677 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295734079.261:20): avc: denied { create } for pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295734079.536:21): avc: denied { create } for pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295736796.387:81): avc: denied { nlmsg_relay } for pid=2821 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294619138.946:19637): avc: denied { create } for pid=5744 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294683721.351:42): avc: denied { write } for pid=2670 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket

From the sysadm_t context, I bet this is something interactive from the
console. And I told you already that there are a few problems from the
console. It needs to be checked carefully as soon as you have finished
evaluating and committing the patches that I have already submitted.

Regards,

Guido
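Review bot: the unconditional `+init_stream_connect(sysadm_t)` in the `@@ -34,6 +34,10 @@` hunk is justified in the thread only for an upstart system, so it should either be folded into init_telinit() as suggested (with that interface extended for stream sockets) or sit under the upstart boolean raised in the thread, rather than be granted to every sysadm_t build. The quoted netlink_audit_socket denials (create, write and nlmsg_relay, all from comm="bash") support `+logging_send_audit_msgs(sysadm_t)`, but nothing quoted shows a denial that `+logging_set_tty_audit(sysadm_t)` would resolve; a comment above these calls naming the denial each one addresses would answer the "Why is this necessary?" question in the policy itself, and a call with no such denial behind it should be dropped until one is found.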
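As an added illustration, not part of this mail or of refpolicy, the following Python script performs the reduction a policy writer does by hand on denials like the ones quoted above: it parses each AVC line, groups the denied permissions by source type, target and object class (collapsing a target equal to the source into `self`), and prints the raw allow rule they imply. The sample input is the six denial lines from this mail embedded as constructed test data; the function names are my own. The raw rule is only an intermediate step: in refpolicy one then looks for the interface that already grants it (here the patch's `logging_send_audit_msgs()`) instead of writing the rule into sysadm.te directly.

```python
import re
from collections import defaultdict

# Constructed sample input: the AVC denials quoted in the mail above, one per line.
AVC_LINES = """\
type=AVC msg=audit(1295734084.283:24): avc: denied { create } for pid=2677 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295734079.261:20): avc: denied { create } for pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295734079.536:21): avc: denied { create } for pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295736796.387:81): avc: denied { nlmsg_relay } for pid=2821 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294619138.946:19637): avc: denied { create } for pid=5744 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294683721.351:42): avc: denied { write } for pid=2670 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
"""

# One AVC record: the denied permission set, then the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(text):
    """Group denied permissions by (source type, target, class).

    The target becomes 'self' when the target type equals the source type,
    which is how the rule would be written in a .te file.
    """
    grouped = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC denial record; ignore
        stype = context_type(m["scontext"])
        ttype = context_type(m["tcontext"])
        target = "self" if ttype == stype else ttype
        grouped[(stype, target, m["tclass"])].update(m["perms"].split())
    return dict(grouped)


def to_allow_rules(grouped):
    """Render each group as a raw SELinux allow rule, permissions sorted for stable output."""
    return [
        f"allow {stype} {target}:{tclass} {{ {' '.join(sorted(perms))} }};"
        for (stype, target, tclass), perms in sorted(grouped.items())
    ]


if __name__ == "__main__":
    for rule in to_allow_rules(parse_avc(AVC_LINES)):
        print(rule)
```

Running it on the quoted denials yields a single rule on `self:netlink_audit_socket` for `sysadm_t` with `create`, `nlmsg_relay` and `write`; the point of the grouping is that three permissions scattered over six log lines from different PIDs are really one requirement, which is what decides whether an existing interface covers it.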