From: nicolas.iooss@m4x.org (Nicolas Iooss) Date: Mon, 11 Jan 2016 20:07:41 +0100 Subject: [refpolicy] [RFC PATCH] Add an interface for systemd services logging config Message-ID: <1452539261-17628-1-git-send-email-nicolas.iooss@m4x.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Many systemd services use log_parse_environment and log_open systemd functions to configure the way they log messages. These functions require permissions like reading /proc/cmdline and /proc/1/environ to run properly, and then the service which used them needs to be able to send messages over /run/systemd/journal/socket Unix socket. When connecting to the socket, systemd tries to modify the sending buffer with setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which fails when CAP_NET_ADMIN is not allowed, in which case it falls back to SO_SNDBUF. Therfore CAP_NET_ADMIN does not need to be granted to every systemd service using logging. As all these accesses are shared among many systemd services, create an interface to allow them all at once. --- This is "RFC PATCH" because it might be better to allow these accesses for each service in systemd.te instead. In case it is relevant, here are the relevant AVC denials for systemd-networkd service (which is not handled by refpolicy yet): type=AVC msg=audit(1452497098.233:181): avc: denied { search } for pid=848 comm="systemd-network" name="1" dev="proc" ino=11 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:init_t tclass=dir permissive=1 type=AVC msg=audit(1452497098.233:181): avc: denied { read } for pid=848 comm="systemd-network" name="environ" dev="proc" ino=12 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:init_t tclass=file permissive=1 type=AVC msg=audit(1452497098.233:181): avc: denied { open } for pid=848 comm="systemd-network" path="/proc/1/environ" dev="proc" ino=12 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:init_t tclass=file permissive=1 type=AVC msg=audit(1452497098.233:182): avc: denied { read } for pid=848 comm="systemd-network" name="cmdline" dev="proc" ino=4026531991 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:proc_t tclass=file permissive=1 type=AVC msg=audit(1452497098.233:182): avc: denied { open } for pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc" ino=4026531991 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:proc_t tclass=file permissive=1 type=AVC msg=audit(1452497098.233:183): avc: denied { getattr } for pid=848 comm="systemd-network" path="/proc/cmdline" dev="proc" ino=4026531991 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:proc_t tclass=file permissive=1 type=AVC msg=audit(1452497098.233:184): avc: denied { create } for pid=848 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1452497098.233:185): avc: denied { getopt } for pid=848 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1452497098.233:186): avc: denied { setopt } for pid=848 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1452497098.233:186): avc: denied { net_admin } for pid=848 comm="systemd-network" capability=12 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:systemd_networkd_t tclass=capability permissive=1 type=AVC msg=audit(1452497098.233:187): avc: denied { connect } for pid=848 comm="systemd-network" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:systemd_networkd_t tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1452497098.233:187): avc: denied { write } for pid=848 comm="systemd-network" name="socket" dev="tmpfs" ino=5214 scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:object_r:devlog_t tclass=sock_file permissive=1 type=AVC msg=audit(1452497098.233:187): avc: denied { sendto } for pid=848 comm="systemd-network" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_networkd_t tcontext=system_u:system_r:syslogd_t tclass=unix_dgram_socket permissive=1 policy/modules/system/systemd.if | 42 ++++++++++++++++++++++++++++++++++++++++ policy/modules/system/systemd.te | 14 +++++++------- 2 files changed, 49 insertions(+), 7 deletions(-) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 3cd667000098..9972f6916597 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -171,3 +171,45 @@ interface(`systemd_start_power_units',` allow $1 power_unit_t:service start; ') + +######################################## +## +## Allow specified domain to parse environment to set up logging. +## +## +##

+## Many systemd services set up their logging by calling +## functions log_parse_environment() and log_open(), which +## source codes are available on +## https://github.com/systemd/systemd/blob/v227/src/basic/log.c +##

+##

+## Function log_parse_environment calls parse_proc_cmdline, +## which reads /proc/cmdline and calls detect_container, +## which reads /proc/1/environ. +##

+##

+## Function log_open may call log_open_syslog, which calls +## create_log_socket, which calls fd_inc_sndbuf, which does +## setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...), which +## requires CAP_NET_ADMIN. Nevertheless if the process does not +## have CAP_NET_ADMIN access, fd_inc_sndbuf falls back to using +## SO_SNDBUF option, which does not require any capability. +##

+## +## +## +## Domain allowed access. +## +## +# +interface(`systemd_parse_log_environment',` + # Allow to read /proc/1/environ + init_read_state($1) + # Allow to read /proc/cmdline + kernel_read_system_state($1) + # Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure + dontaudit $1 self:capability net_admin; + + logging_send_syslog_msg($1) +') diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 88924473f7aa..e95d54c4086c 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -120,7 +120,7 @@ kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) init_stream_connect(systemd_cgroups_t) -logging_send_syslog_msg(systemd_cgroups_t) +systemd_parse_log_environment(systemd_cgroups_t) kernel_dgram_send(systemd_cgroups_t) @@ -133,7 +133,7 @@ kernel_read_kernel_sysctls(systemd_locale_t) files_read_etc_files(systemd_locale_t) -logging_send_syslog_msg(systemd_locale_t) +systemd_parse_log_environment(systemd_locale_t) seutil_read_file_contexts(systemd_locale_t) @@ -151,7 +151,7 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t) files_read_etc_files(systemd_hostnamed_t) -logging_send_syslog_msg(systemd_hostnamed_t) +systemd_parse_log_environment(systemd_hostnamed_t) seutil_read_file_contexts(systemd_hostnamed_t) @@ -210,7 +210,7 @@ init_read_state(systemd_logind_t) locallogin_read_state(systemd_logind_t) -logging_send_syslog_msg(systemd_logind_t) +systemd_parse_log_environment(systemd_logind_t) systemd_start_power_units(systemd_logind_t) @@ -232,7 +232,7 @@ optional_policy(` allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms; files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file) -logging_send_syslog_msg(systemd_sessions_t) +systemd_parse_log_environment(systemd_sessions_t) ######################################### # @@ -258,10 +258,10 @@ auth_manage_login_records(systemd_tmpfiles_t) auth_relabel_login_records(systemd_tmpfiles_t) auth_setattr_login_records(systemd_tmpfiles_t) -logging_send_syslog_msg(systemd_tmpfiles_t) - seutil_read_file_contexts(systemd_tmpfiles_t) +systemd_parse_log_environment(systemd_tmpfiles_t) + tunable_policy(`systemd_tmpfiles_manage_all',` # systemd-tmpfiles can be configured to manage anything. # have a last-resort option for users to do this. -- 2.7.0