From: nicolas.iooss@m4x.org (Nicolas Iooss)
Date: Wed, 30 Mar 2016 23:39:14 +0200
Subject: [refpolicy] [PATCH] systemd: Add support for --log-target
In-Reply-To: <1459176310-11343-1-git-send-email-dac.override@gmail.com>
References: <1459176310-11343-1-git-send-email-dac.override@gmail.com>
Message-ID: <CAJfZ7==rCrMdDBt-hsOJX8_4AQrXPpjFDMt+Z8kEQNzSy51rbQ@mail.gmail.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,
Thanks for having taken care of this. I have been very busy in the past few
weeks and I focused my "SELinux policy development" work (which I do in my
scarce free time) more on some systemd daemons
(systemd-binfmt, systemd-modules-load, systemd-rfkill...).

This patch looks good to me except that the "dontaudit
systemd_log_parse_env_type self:capability net_admin;" statement might need
a comment like "Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE,
...) failure" (as I already commented in
https://github.com/TresysTechnology/refpolicy/pull/22#issuecomment-177171871
).

Nicolas

On Mon, Mar 28, 2016 at 4:45 PM, Dominick Grift <dac.override@gmail.com>
wrote:

> https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=
>
> see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22
>
> Signed-off-by: Dominick Grift <dac.override@gmail.com>
> ---
>  policy/modules/system/systemd.if | 19 ++++++++++++++++++
>  policy/modules/system/systemd.te | 43
> +++++++++++++++++++++++++++-------------
>  2 files changed, 48 insertions(+), 14 deletions(-)
>
> diff --git a/policy/modules/system/systemd.if
> b/policy/modules/system/systemd.if
> index 3cd6670..705cbaa 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -2,6 +2,25 @@
>
>  ######################################
>  ## <summary>
> +##   Make the specified type usable as an
> +##   log parse environment type.
> +## </summary>
> +## <param name="domain">
> +##   <summary>
> +##     Type to be used as a log parse environment type.
> +##   </summary>
> +## </param>
> +#
> +interface(`systemd_log_parse_environment',`
> +       gen_require(`
> +               attribute systemd_log_parse_env_type;
> +       ')
> +
> +       typeattribute $1 systemd_log_parse_env_type;
> +')
> +
> +######################################
> +## <summary>
>  ##   Read systemd_login PID files.
>  ## </summary>
>  ## <param name="domain">
> diff --git a/policy/modules/system/systemd.te
> b/policy/modules/system/systemd.te
> index 60a75fa..63f1a9b 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3)
>  ## </desc>
>  gen_tunable(systemd_tmpfiles_manage_all, false)
>
> +attribute systemd_log_parse_env_type;
> +
>  type systemd_activate_t;
>  type systemd_activate_exec_t;
>  init_system_domain(systemd_activate_t, systemd_activate_exec_t)
> @@ -113,16 +115,32 @@ init_unit_file(power_unit_t)
>
>  ######################################
>  #
> +# systemd log parse enviroment
> +#
> +
> +dontaudit systemd_log_parse_env_type self:capability net_admin;
> +
> +kernel_read_system_state(systemd_log_parse_env_type)
> +
> +dev_write_kmsg(systemd_log_parse_env_type)
> +
> +term_use_console(systemd_log_parse_env_type)
> +
> +init_read_state(systemd_log_parse_env_type)
> +
> +logging_send_syslog_msg(systemd_log_parse_env_type)
> +
> +######################################
> +#
>  # Cgroups local policy
>  #
>
>  kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
> +kernel_dgram_send(systemd_cgroups_t)
>
>  init_stream_connect(systemd_cgroups_t)
>
> -logging_send_syslog_msg(systemd_cgroups_t)
> -
> -kernel_dgram_send(systemd_cgroups_t)
> +systemd_log_parse_environment(systemd_cgroups_t)
>
>  #######################################
>  #
> @@ -133,10 +151,10 @@ kernel_read_kernel_sysctls(systemd_locale_t)
>
>  files_read_etc_files(systemd_locale_t)
>
> -logging_send_syslog_msg(systemd_locale_t)
> -
>  seutil_read_file_contexts(systemd_locale_t)
>
> +systemd_log_parse_environment(systemd_locale_t)
> +
>  optional_policy(`
>         dbus_connect_system_bus(systemd_locale_t)
>         dbus_system_bus_client(systemd_locale_t)
> @@ -151,10 +169,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
>  files_read_etc_files(systemd_hostnamed_t)
>
> -logging_send_syslog_msg(systemd_hostnamed_t)
> -
>  seutil_read_file_contexts(systemd_hostnamed_t)
>
> +systemd_log_parse_environment(systemd_hostnamed_t)
> +
>  optional_policy(`
>         dbus_system_bus_client(systemd_hostnamed_t)
>         dbus_connect_system_bus(systemd_hostnamed_t)
> @@ -207,13 +225,10 @@ init_start_all_units(systemd_logind_t)
>  init_stop_all_units(systemd_logind_t)
>  init_service_status(systemd_logind_t)
>  init_service_start(systemd_logind_t)
> -# This is for reading /proc/1/cgroup
> -init_read_state(systemd_logind_t)
>
>  locallogin_read_state(systemd_logind_t)
>
> -logging_send_syslog_msg(systemd_logind_t)
> -
> +systemd_log_parse_environment(systemd_logind_t)
>  systemd_start_power_units(systemd_logind_t)
>
>  udev_read_db(systemd_logind_t)
> @@ -234,7 +249,7 @@ optional_policy(`
>  allow systemd_sessions_t systemd_sessions_var_run_t:file
> manage_file_perms;
>  files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>
> -logging_send_syslog_msg(systemd_sessions_t)
> +systemd_log_parse_environment(systemd_sessions_t)
>
>  #########################################
>  #
> @@ -260,10 +275,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
>  auth_relabel_login_records(systemd_tmpfiles_t)
>  auth_setattr_login_records(systemd_tmpfiles_t)
>
> -logging_send_syslog_msg(systemd_tmpfiles_t)
> -
>  seutil_read_file_contexts(systemd_tmpfiles_t)
>
> +systemd_log_parse_environment(systemd_tmpfiles_t)
> +
>  tunable_policy(`systemd_tmpfiles_manage_all',`
>         # systemd-tmpfiles can be configured to manage anything.
>         # have a last-resort option for users to do this.
> --
> 2.5.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20160330/7a5c021d/attachment.html