All of lore.kernel.org
 help / color / mirror / Atom feed
* [refpolicy] [PATCH] systemd: Add support for --log-target
@ 2016-03-28 14:45 Dominick Grift
  2016-03-30 21:39 ` Nicolas Iooss
  0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2016-03-28 14:45 UTC (permalink / raw)
  To: refpolicy

https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=

see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22

Signed-off-by: Dominick Grift <dac.override@gmail.com>
---
 policy/modules/system/systemd.if | 19 ++++++++++++++++++
 policy/modules/system/systemd.te | 43 +++++++++++++++++++++++++++-------------
 2 files changed, 48 insertions(+), 14 deletions(-)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 3cd6670..705cbaa 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2,6 +2,25 @@
 
 ######################################
 ## <summary>
+##   Make the specified type usable as an
+##   log parse environment type.
+## </summary>
+## <param name="domain">
+##   <summary>
+##     Type to be used as a log parse environment type.
+##   </summary>
+## </param>
+#
+interface(`systemd_log_parse_environment',`
+	gen_require(`
+		attribute systemd_log_parse_env_type;
+	')
+
+	typeattribute $1 systemd_log_parse_env_type;
+')
+
+######################################
+## <summary>
 ##   Read systemd_login PID files.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 60a75fa..63f1a9b 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3)
 ## </desc>
 gen_tunable(systemd_tmpfiles_manage_all, false)
 
+attribute systemd_log_parse_env_type;
+
 type systemd_activate_t;
 type systemd_activate_exec_t;
 init_system_domain(systemd_activate_t, systemd_activate_exec_t)
@@ -113,16 +115,32 @@ init_unit_file(power_unit_t)
 
 ######################################
 #
+# systemd log parse enviroment
+#
+
+dontaudit systemd_log_parse_env_type self:capability net_admin;
+
+kernel_read_system_state(systemd_log_parse_env_type)
+
+dev_write_kmsg(systemd_log_parse_env_type)
+
+term_use_console(systemd_log_parse_env_type)
+
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)
+
+######################################
+#
 # Cgroups local policy
 #
 
 kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+kernel_dgram_send(systemd_cgroups_t)
 
 init_stream_connect(systemd_cgroups_t)
 
-logging_send_syslog_msg(systemd_cgroups_t)
-
-kernel_dgram_send(systemd_cgroups_t)
+systemd_log_parse_environment(systemd_cgroups_t)
 
 #######################################
 #
@@ -133,10 +151,10 @@ kernel_read_kernel_sysctls(systemd_locale_t)
 
 files_read_etc_files(systemd_locale_t)
 
-logging_send_syslog_msg(systemd_locale_t)
-
 seutil_read_file_contexts(systemd_locale_t)
 
+systemd_log_parse_environment(systemd_locale_t)
+
 optional_policy(`
 	dbus_connect_system_bus(systemd_locale_t)
 	dbus_system_bus_client(systemd_locale_t)
@@ -151,10 +169,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
 
 files_read_etc_files(systemd_hostnamed_t)
 
-logging_send_syslog_msg(systemd_hostnamed_t)
-
 seutil_read_file_contexts(systemd_hostnamed_t)
 
+systemd_log_parse_environment(systemd_hostnamed_t)
+
 optional_policy(`
 	dbus_system_bus_client(systemd_hostnamed_t)
 	dbus_connect_system_bus(systemd_hostnamed_t)
@@ -207,13 +225,10 @@ init_start_all_units(systemd_logind_t)
 init_stop_all_units(systemd_logind_t)
 init_service_status(systemd_logind_t)
 init_service_start(systemd_logind_t)
-# This is for reading /proc/1/cgroup
-init_read_state(systemd_logind_t)
 
 locallogin_read_state(systemd_logind_t)
 
-logging_send_syslog_msg(systemd_logind_t)
-
+systemd_log_parse_environment(systemd_logind_t)
 systemd_start_power_units(systemd_logind_t)
 
 udev_read_db(systemd_logind_t)
@@ -234,7 +249,7 @@ optional_policy(`
 allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
 files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
 
-logging_send_syslog_msg(systemd_sessions_t)
+systemd_log_parse_environment(systemd_sessions_t)
 
 #########################################
 #
@@ -260,10 +275,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)
 
-logging_send_syslog_msg(systemd_tmpfiles_t)
-
 seutil_read_file_contexts(systemd_tmpfiles_t)
 
+systemd_log_parse_environment(systemd_tmpfiles_t)
+
 tunable_policy(`systemd_tmpfiles_manage_all',`
 	# systemd-tmpfiles can be configured to manage anything.
 	# have a last-resort option for users to do this.
-- 
2.5.5

^ permalink raw reply related	[flat|nested] 2+ messages in thread
* [refpolicy] [PATCH] systemd: Add support for --log-target
  2016-03-28 14:45 [refpolicy] [PATCH] systemd: Add support for --log-target Dominick Grift
@ 2016-03-30 21:39 ` Nicolas Iooss
  0 siblings, 0 replies; 2+ messages in thread
From: Nicolas Iooss @ 2016-03-30 21:39 UTC (permalink / raw)
  To: refpolicy

Hello,
Thanks for having taken care of this. I have been very busy in the past few
weeks and I focused my "SELinux policy development" work (which I do in my
scarce free time) more on some systemd daemons
(systemd-binfmt, systemd-modules-load, systemd-rfkill...).

This patch looks good to me except that the "dontaudit
systemd_log_parse_env_type self:capability net_admin;" statement might need
a comment like "Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE,
...) failure" (as I already commented in
https://github.com/TresysTechnology/refpolicy/pull/22#issuecomment-177171871
).

Nicolas

On Mon, Mar 28, 2016 at 4:45 PM, Dominick Grift <dac.override@gmail.com>
wrote:

> https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=
>
> see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22
>
> Signed-off-by: Dominick Grift <dac.override@gmail.com>
> ---
>  policy/modules/system/systemd.if | 19 ++++++++++++++++++
>  policy/modules/system/systemd.te | 43
> +++++++++++++++++++++++++++-------------
>  2 files changed, 48 insertions(+), 14 deletions(-)
>
> diff --git a/policy/modules/system/systemd.if
> b/policy/modules/system/systemd.if
> index 3cd6670..705cbaa 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -2,6 +2,25 @@
>
>  ######################################
>  ## <summary>
> +##   Make the specified type usable as an
> +##   log parse environment type.
> +## </summary>
> +## <param name="domain">
> +##   <summary>
> +##     Type to be used as a log parse environment type.
> +##   </summary>
> +## </param>
> +#
> +interface(`systemd_log_parse_environment',`
> +       gen_require(`
> +               attribute systemd_log_parse_env_type;
> +       ')
> +
> +       typeattribute $1 systemd_log_parse_env_type;
> +')
> +
> +######################################
> +## <summary>
>  ##   Read systemd_login PID files.
>  ## </summary>
>  ## <param name="domain">
> diff --git a/policy/modules/system/systemd.te
> b/policy/modules/system/systemd.te
> index 60a75fa..63f1a9b 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3)
>  ## </desc>
>  gen_tunable(systemd_tmpfiles_manage_all, false)
>
> +attribute systemd_log_parse_env_type;
> +
>  type systemd_activate_t;
>  type systemd_activate_exec_t;
>  init_system_domain(systemd_activate_t, systemd_activate_exec_t)
> @@ -113,16 +115,32 @@ init_unit_file(power_unit_t)
>
>  ######################################
>  #
> +# systemd log parse enviroment
> +#
> +
> +dontaudit systemd_log_parse_env_type self:capability net_admin;
> +
> +kernel_read_system_state(systemd_log_parse_env_type)
> +
> +dev_write_kmsg(systemd_log_parse_env_type)
> +
> +term_use_console(systemd_log_parse_env_type)
> +
> +init_read_state(systemd_log_parse_env_type)
> +
> +logging_send_syslog_msg(systemd_log_parse_env_type)
> +
> +######################################
> +#
>  # Cgroups local policy
>  #
>
>  kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
> +kernel_dgram_send(systemd_cgroups_t)
>
>  init_stream_connect(systemd_cgroups_t)
>
> -logging_send_syslog_msg(systemd_cgroups_t)
> -
> -kernel_dgram_send(systemd_cgroups_t)
> +systemd_log_parse_environment(systemd_cgroups_t)
>
>  #######################################
>  #
> @@ -133,10 +151,10 @@ kernel_read_kernel_sysctls(systemd_locale_t)
>
>  files_read_etc_files(systemd_locale_t)
>
> -logging_send_syslog_msg(systemd_locale_t)
> -
>  seutil_read_file_contexts(systemd_locale_t)
>
> +systemd_log_parse_environment(systemd_locale_t)
> +
>  optional_policy(`
>         dbus_connect_system_bus(systemd_locale_t)
>         dbus_system_bus_client(systemd_locale_t)
> @@ -151,10 +169,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
>  files_read_etc_files(systemd_hostnamed_t)
>
> -logging_send_syslog_msg(systemd_hostnamed_t)
> -
>  seutil_read_file_contexts(systemd_hostnamed_t)
>
> +systemd_log_parse_environment(systemd_hostnamed_t)
> +
>  optional_policy(`
>         dbus_system_bus_client(systemd_hostnamed_t)
>         dbus_connect_system_bus(systemd_hostnamed_t)
> @@ -207,13 +225,10 @@ init_start_all_units(systemd_logind_t)
>  init_stop_all_units(systemd_logind_t)
>  init_service_status(systemd_logind_t)
>  init_service_start(systemd_logind_t)
> -# This is for reading /proc/1/cgroup
> -init_read_state(systemd_logind_t)
>
>  locallogin_read_state(systemd_logind_t)
>
> -logging_send_syslog_msg(systemd_logind_t)
> -
> +systemd_log_parse_environment(systemd_logind_t)
>  systemd_start_power_units(systemd_logind_t)
>
>  udev_read_db(systemd_logind_t)
> @@ -234,7 +249,7 @@ optional_policy(`
>  allow systemd_sessions_t systemd_sessions_var_run_t:file
> manage_file_perms;
>  files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>
> -logging_send_syslog_msg(systemd_sessions_t)
> +systemd_log_parse_environment(systemd_sessions_t)
>
>  #########################################
>  #
> @@ -260,10 +275,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
>  auth_relabel_login_records(systemd_tmpfiles_t)
>  auth_setattr_login_records(systemd_tmpfiles_t)
>
> -logging_send_syslog_msg(systemd_tmpfiles_t)
> -
>  seutil_read_file_contexts(systemd_tmpfiles_t)
>
> +systemd_log_parse_environment(systemd_tmpfiles_t)
> +
>  tunable_policy(`systemd_tmpfiles_manage_all',`
>         # systemd-tmpfiles can be configured to manage anything.
>         # have a last-resort option for users to do this.
> --
> 2.5.5
>
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20160330/7a5c021d/attachment.html 

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-03-30 21:39 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-03-28 14:45 [refpolicy] [PATCH] systemd: Add support for --log-target Dominick Grift
2016-03-30 21:39 ` Nicolas Iooss

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.