selinux-refpolicy.vger.kernel.org archive mirror
From: Chris PeBenito <pebenito@ieee.org>
To: Dominick Grift <dac.override@gmail.com>,
	Nicolas Iooss <nicolas.iooss@m4x.org>
Cc: selinux-refpolicy@vger.kernel.org, Russell Coker <russell@coker.com.au>
Subject: Re: [PATCH] systemd related interfaces
Date: Sun, 6 Jan 2019 13:39:33 -0500	[thread overview]
Message-ID: <78e0708d-d6ae-454a-418d-3276a593b996@ieee.org> (raw)
In-Reply-To: <87pnta93ml.fsf@gmail.com>

On 1/5/19 4:49 PM, Dominick Grift wrote:
> Nicolas Iooss <nicolas.iooss@m4x.org> writes:
> 
>> On Sat, Jan 5, 2019 at 8:39 PM Chris PeBenito <pebenito@ieee.org> wrote:
>>>
>>> On 1/4/19 2:51 AM, Russell Coker wrote:
>>>> This patch has interface changes related to systemd support as well as policy
>>>> that uses the new interfaces.
>>>> [...]
>>>> Index: refpolicy-2.20180701/policy/modules/system/logging.te
>>>> ===================================================================
>>>> --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
>>>> +++ refpolicy-2.20180701/policy/modules/system/logging.te
>>>> @@ -541,15 +541,19 @@ ifdef(`init_systemd',`
>>>>        dev_read_urand(syslogd_t)
>>>>        dev_write_kmsg(syslogd_t)
>>>>
>>>> +     domain_getattr_all_domains(syslogd_t)
>>>>        domain_read_all_domains_state(syslogd_t)
>>>>
>>>>        init_create_pid_dirs(syslogd_t)
>>>>        init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
>>>> +     init_getattr(syslogd_t)
>>>>        init_rename_pid_files(syslogd_t)
>>>>        init_delete_pid_files(syslogd_t)
>>>>        init_dgram_send(syslogd_t)
>>>>        init_read_pid_pipes(syslogd_t)
>>>>        init_read_state(syslogd_t)
>>>> +     # for /run/systemd/units/invocation:* links
>>>> +     init_read_unit_links(syslogd_t)
>>>>
>>>>        systemd_manage_journal_files(syslogd_t)
>>>>
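Review bot: the comment `+     # for /run/systemd/units/invocation:* links` above `+     init_read_unit_links(syslogd_t)` ties this call to the invocation:* symlinks, but the AVC denials quoted later in this thread show those links labelled `init_var_run_t` (`tcontext=system_u:object_r:init_var_run_t tclass=lnk_file`), while the interface, as the maintainer's reply describes it, grants `systemd_unit_t:lnk_file`. Either the comment or the interface choice is off: confirm the label with `ls -Z /run/systemd/units/` and, if the links really are init_var_run_t, grant `lnk_file read` on that type (or state in the comment which systemd_unit_t symlinks are expected). The definition of init_read_unit_links is not in this excerpt, so the hunk cannot be checked against it here; the two other additions, `domain_getattr_all_domains` and `init_getattr`, carry no comment saying which access triggered them.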
>>
>> This change has not been merged and I see the relevant AVC on an Arch
>> Linux virtual machine (using systemd 239.370):
>>
>> type=AVC msg=audit(1546723651.696:2091): avc:  denied  { read } for
>> pid=240 comm="systemd-journal" name="invocation:user@1000.service"
>> dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t
>> tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
>> type=AVC msg=audit(1546723651.799:2092): avc:  denied  { read } for
>> pid=240 comm="systemd-journal" name="invocation:dbus.service"
>> dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t
>> tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
> 
> This should be ok to allow, afaik only journald reads these
> symlinks.
> 
>>
>> What prevented init_read_unit_links(syslogd_t) from being added?

I missed putting in my reason in the previous email.  Your denial is for 
init_var_run_t:lnk_file access and the change was for 
systemd_unit_t:lnk_file.  What you're seeing makes more sense to me.  As 
far as I can tell, there should be no systemd_unit_t symlinks, and I'd 
prefer to keep it that way, if possible.

-- 
Chris PeBenito
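
The point Chris makes above is that an AVC denial names one concrete target type, and an allow rule only removes the denial if its source type, target type, object class and permissions all match (directly or through an attribute). The following Python is an added example, not code from this thread or from refpolicy: it parses the two denials Nicolas quoted and checks them against a candidate rule. The assumption that init_read_unit_links(syslogd_t) amounts to `allow syslogd_t systemd_unit_t:lnk_file read` is taken from Chris's description in his reply; the interface body itself is not on this page, and the alternative rule on init_var_run_t is hypothetical, written here only to show what a matching rule would look like.

```python
import re

# The two AVC denials exactly as quoted in Nicolas Iooss's message,
# with the wrapped lines re-joined.
AVC_LINES = [
    'type=AVC msg=audit(1546723651.696:2091): avc:  denied  { read } for '
    'pid=240 comm="systemd-journal" name="invocation:user@1000.service" '
    'dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t '
    'tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1546723651.799:2092): avc:  denied  { read } for '
    'pid=240 comm="systemd-journal" name="invocation:dbus.service" '
    'dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t '
    'tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0',
]

# Pull the permission set, the two contexts and the object class out of a
# kernel AVC record.  Contexts are user:role:type[:level]; the type is
# always the third field, so this also works on MLS/MCS systems.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}'
    r'(?:.*?name="(?P<name>[^"]*)")?.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return the (stype, ttype, tclass, perms, name) of one AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        raise ValueError("not an AVC denial: %r" % line)
    return {
        'stype': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
        'perms': frozenset(m.group('perms').split()),
        'name': m.group('name'),
    }


def rule(stype, ttype, tclass, *perms):
    """One allow rule: allow <stype> <ttype>:<tclass> { perms };"""
    return {'stype': stype, 'ttype': ttype, 'tclass': tclass,
            'perms': frozenset(perms)}


def covers(r, denial):
    """True if rule r would have allowed this denial.

    Only literal types are compared; a real policy check must also resolve
    attributes, which is what sesearch does against the compiled policy.
    """
    return (r['stype'] == denial['stype']
            and r['ttype'] == denial['ttype']
            and r['tclass'] == denial['tclass']
            and denial['perms'] <= r['perms'])


def uncovered(rules, denials):
    """Return the denials that none of `rules` would allow."""
    return [d for d in denials if not any(covers(r, d) for r in rules)]


# What the posted patch grants, per Chris's reply: systemd_unit_t symlinks.
PROPOSED = [rule('syslogd_t', 'systemd_unit_t', 'lnk_file', 'read')]
# Hypothetical rule matching what the denials actually name (not from the thread).
MATCHING = [rule('syslogd_t', 'init_var_run_t', 'lnk_file', 'read')]


def check(rules, lines=AVC_LINES):
    """Names of the objects whose denials `rules` would leave in place."""
    return [d['name'] for d in uncovered(rules, [parse_avc(l) for l in lines])]


if __name__ == '__main__':
    print("still denied with proposed rule:", check(PROPOSED))
    print("still denied with matching rule:", check(MATCHING))
```

On a system with the policy installed, the same question is answered authoritatively (attributes included) by setools, for example `sesearch --allow -s syslogd_t -t init_var_run_t -c lnk_file -p read`; the script above is only the literal-type version of that check, useful for reading a denial and a proposed interface side by side before compiling anything.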


Thread overview: 8+ messages
2019-01-04  7:51 [PATCH] systemd related interfaces Russell Coker
2019-01-05 19:18 ` Chris PeBenito
2019-01-05 21:39   ` Nicolas Iooss
2019-01-05 21:49     ` Dominick Grift
2019-01-06 18:39       ` Chris PeBenito [this message]
2019-01-06 22:10         ` Nicolas Iooss
2019-01-07 23:36           ` Chris PeBenito
2019-01-10 23:10             ` Nicolas Iooss
