From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Sun,  7 Sep 2014 23:28:14 +0200
Subject: [refpolicy] [PATCH v2 5/7] Allow journald to read the kernel ring
	buffer and to use /dev/kmsg
In-Reply-To: <1410125296-26728-1-git-send-email-nicolas.iooss@m4x.org>
References: <1410125296-26728-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <1410125296-26728-5-git-send-email-nicolas.iooss@m4x.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

audit.log shows that journald needs to read the kernel read buffer:

    avc:  denied  { syslog_read } for  pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1

Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/system/logging.te |  3 +++
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index e9ef45641b6c..9744d63ea7ad 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2198,6 +2198,24 @@ interface(`dev_write_kmsg',`
 
 ########################################
 ## <summary>
+##	Read and write to the kernel messages device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_kmsg',`
+	gen_require(`
+		type device_t, kmsg_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the ksm devices.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 7121340c71d6..e0d9b5ec7b34 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -406,6 +406,7 @@ kernel_read_messages(syslogd_t)
 kernel_read_vm_sysctls(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
+kernel_read_ring_buffer(syslogd_t)
 # /initrd is not umounted before minilog starts
 kernel_dontaudit_search_unlabeled(syslogd_t)
 
@@ -437,6 +438,8 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
 
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
+# Allow access to /dev/kmsg for journald
+dev_rw_kmsg(syslogd_t)
 
 domain_use_interactive_fds(syslogd_t)
 
-- 
2.1.0