From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Sun, 7 Sep 2014 23:28:14 +0200 Subject: [refpolicy] [PATCH v2 5/7] Allow journald to read the kernel ring buffer and to use /dev/kmsg In-Reply-To: <1410125296-26728-1-git-send-email-nicolas.iooss@m4x.org> References: <1410125296-26728-1-git-send-email-nicolas.iooss@m4x.org> Message-ID: <1410125296-26728-5-git-send-email-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com audit.log shows that journald needs to read the kernel read buffer: avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1 Moreover journald uses RW access to /dev/kmsg, according to its code: http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394 --- policy/modules/kernel/devices.if | 18 ++++++++++++++++++ policy/modules/system/logging.te | 3 +++ 2 files changed, 21 insertions(+) diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if index e9ef45641b6c..9744d63ea7ad 100644 --- a/policy/modules/kernel/devices.if +++ b/policy/modules/kernel/devices.if @@ -2198,6 +2198,24 @@ interface(`dev_write_kmsg',` ######################################## ## +## Read and write to the kernel messages device +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_rw_kmsg',` + gen_require(` + type device_t, kmsg_device_t; + ') + + rw_chr_files_pattern($1, device_t, kmsg_device_t) +') + +######################################## +## ## Get the attributes of the ksm devices. ## ## diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 7121340c71d6..e0d9b5ec7b34 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te 
@@ -406,6 +406,7 @@ kernel_read_messages(syslogd_t) kernel_read_vm_sysctls(syslogd_t) kernel_clear_ring_buffer(syslogd_t) kernel_change_ring_buffer_level(syslogd_t) +kernel_read_ring_buffer(syslogd_t) # /initrd is not umounted before minilog starts kernel_dontaudit_search_unlabeled(syslogd_t) @@ -437,6 +438,8 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) +# Allow access to /dev/kmsg for journald +dev_rw_kmsg(syslogd_t) domain_use_interactive_fds(syslogd_t) -- 2.1.0
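Review bot: In the devices.if hunk, the doc block of the new `dev_rw_kmsg` interface should mention that read access to the device is not sufficient on its own: the `syslog_read` denial quoted in the commit message is raised on `kernel_t` (tclass=system), not on `kmsg_device_t`, so a caller of `dev_rw_kmsg()` that actually reads `/dev/kmsg` also needs `kernel_read_ring_buffer()`, exactly as the logging.te hunks do for `syslogd_t`. A one-line note in the `## Read and write to the kernel messages device` summary would save the next caller from hitting the same denial.

Review bot: In the logging.te hunks, the inline comment `# Allow access to /dev/kmsg for journald` next to `dev_rw_kmsg(syslogd_t)` only tells half the story; since the `kernel_read_ring_buffer(syslogd_t)` line added one hunk earlier is the other half of the same fix, reference it in that comment (or put both additions under one comment) so they are not pruned independently later. Also check whether logging.te already calls `dev_write_kmsg(syslogd_t)` outside the shown context, which would become redundant once `dev_rw_kmsg(syslogd_t)` is in place. Finally, the commit message says "kernel read buffer" where the denial and the interface name refer to the kernel ring buffer.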