SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: "Sugar, David" <dsugar@tresys.com>
To: Russell Coker <russell@coker.com.au>
Cc: "selinux-refpolicy@vger.kernel.org"  <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH] Add kernel_dgram_send() into logging_send_syslog_msg()
Date: Wed, 10 Apr 2019 01:07:29 +0000
Message-ID: <460dd8d3-d9a8-3f1f-2d2d-bb823f92abb1@tresys.com> (raw)
In-Reply-To: <2392740.Zyo9vk4oGf@liv>



On 4/9/19 9:00 PM, Russell Coker wrote:
> Why does the kernel need such access?

I'm not sure I understand your question.  Are you asking why the 
kernel_dgram_send() access is needed by syslog?  This is because many 
domains send messages to the journal.

I have been adding this interface as needed throughout the policy as I'm 
seeing issues.  It was suggested to move this interface use into 
logging_send_syslog_msg as that is the same concept and most domains log 
already.

This patch is mostly removing uses of kernel_dgram_send and just adding 
it one place.

> 
> On Wednesday, 10 April 2019 1:09:59 AM AEST Sugar, David wrote:
>> This patch is based on comments from previous a patch to
>> remove the many uses of kernel_dgram_send() and incorporate
>> it into logging_send_syslog_msg().
>>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/admin/aide.te       | 1 -
>>   policy/modules/admin/usermanage.te | 5 -----
>>   policy/modules/services/dbus.te    | 3 ---
>>   policy/modules/system/authlogin.te | 5 -----
>>   policy/modules/system/init.if      | 2 --
>>   policy/modules/system/init.te      | 3 ---
>>   policy/modules/system/logging.if   | 2 ++
>>   policy/modules/system/logging.te   | 4 ----
>>   policy/modules/system/systemd.te   | 5 -----
>>   policy/modules/system/udev.te      | 1 -
>>   10 files changed, 2 insertions(+), 29 deletions(-)
>>
>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
>> index 30deba09..f5e64a86 100644
>> --- a/policy/modules/admin/aide.te
>> +++ b/policy/modules/admin/aide.te
>> @@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>>   files_read_all_files(aide_t)
>>   files_read_all_symlinks(aide_t)
>>   
>> -kernel_dgram_send(aide_t)
>>   kernel_read_crypto_sysctls(aide_t)
>>   
>>   logging_send_audit_msgs(aide_t)
>> diff --git a/policy/modules/admin/usermanage.te
>> b/policy/modules/admin/usermanage.te
>   index 5753741b..4a10bf84 100644
>> --- a/policy/modules/admin/usermanage.te
>> +++ b/policy/modules/admin/usermanage.te
>> @@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t)
>>   # on user home dir
>>   userdom_dontaudit_search_user_home_content(passwd_t)
>>   
>> -ifdef(`init_systemd',`
>> -	# for journald /dev/log
>> -	kernel_dgram_send(passwd_t)
>> -')
>> -
>>   optional_policy(`
>>   	nscd_run(passwd_t, passwd_roles)
>>   ')
>> diff --git a/policy/modules/services/dbus.te
>> b/policy/modules/services/dbus.te
>   index 9c085876..c05370dd 100644
>> --- a/policy/modules/services/dbus.te
>> +++ b/policy/modules/services/dbus.te
>> @@ -162,9 +162,6 @@ ifdef(`init_systemd', `
>>   	# for /run/systemd/dynamic-uid/
>>   	init_list_pids(system_dbusd_t)
>>   	init_read_runtime_symlinks(system_dbusd_t)
>> -
>> -	# for journald /dev/log
>> -	kernel_dgram_send(system_dbusd_t)
>>   ')
>>   
>>   optional_policy(`
>> diff --git a/policy/modules/system/authlogin.te
>> b/policy/modules/system/authlogin.te
>   index 28f74bac..2cf86952 100644
>> --- a/policy/modules/system/authlogin.te
>> +++ b/policy/modules/system/authlogin.te
>> @@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',`
>>   	')
>>   ')
>>   
>> -ifdef(`init_systemd',`
>> -	# for journald /dev/log
>> -	kernel_dgram_send(chkpwd_t)
>> -')
>> -
>>   optional_policy(`
>>   	# apache leaks file descriptors
>>   	apache_dontaudit_rw_tcp_sockets(chkpwd_t)
>> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
>> index fef2c88e..00bd4991 100644
>> --- a/policy/modules/system/init.if
>> +++ b/policy/modules/system/init.if
>> @@ -306,8 +306,6 @@ interface(`init_daemon_domain',`
>>   
>>   	ifdef(`init_systemd',`
>>   		init_domain($1, $2)
>> -		# this may be because of late labelling
>> -		kernel_dgram_send($1)
>>   
>>   		allow $1 init_t:unix_dgram_socket sendto;
>>   	')
>> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
>> index a12d151b..3e8eb2da 100644
>> --- a/policy/modules/system/init.te
>> +++ b/policy/modules/system/init.te
>> @@ -272,7 +272,6 @@ ifdef(`init_systemd',`
>>   
>>   	kernel_dyntrans_to(init_t)
>>   	kernel_read_network_state(init_t)
>> -	kernel_dgram_send(init_t)
>>   	kernel_stream_connect(init_t)
>>   	kernel_getattr_proc(init_t)
>>   	kernel_read_fs_sysctls(init_t)
>> @@ -969,8 +968,6 @@ ifdef(`init_systemd',`
>>   	allow initrc_t systemdunit:service reload;
>>   	allow initrc_t init_script_file_type:service { stop start status reload
>> };
>   
>> -	kernel_dgram_send(initrc_t)
>> -
>>   	# run systemd misc initializations
>>   	# in the initrc_t domain, as would be
>>   	# done in traditional sysvinit/upstart.
>> diff --git a/policy/modules/system/logging.if
>> b/policy/modules/system/logging.if
>   index 7b7644f7..1f696b7f 100644
>> --- a/policy/modules/system/logging.if
>> +++ b/policy/modules/system/logging.if
>> @@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',`
>>   	ifdef(`init_systemd',`
>>   		# Allow systemd-journald to check whether the process died
>>   		allow syslogd_t $1:process signull;
>> +
>> +		kernel_dgram_send($1)
>>   	')
>>   ')
>>   
>> diff --git a/policy/modules/system/logging.te
>> b/policy/modules/system/logging.te
>   index 0c5be1cd..02f268ea 100644
>> --- a/policy/modules/system/logging.te
>> +++ b/policy/modules/system/logging.te
>> @@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t)
>>   
>>   sysnet_dns_name_resolve(audisp_t)
>>   
>> -ifdef(`init_systemd',`
>> -	kernel_dgram_send(audisp_t)
>> -')
>> -
>>   optional_policy(`
>>   	dbus_system_bus_client(audisp_t)
>>   ')
>> diff --git a/policy/modules/system/systemd.te
>> b/policy/modules/system/systemd.te
>   index f6455f6f..cf9241c0 100644
>> --- a/policy/modules/system/systemd.te
>> +++ b/policy/modules/system/systemd.te
>> @@ -266,7 +266,6 @@ systemd_log_parse_environment(systemd_gpt_generator_t)
>>   allow systemd_cgroups_t self:capability net_admin;
>>   
>>   kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
>> -kernel_dgram_send(systemd_cgroups_t)
>>   # for /proc/cmdline
>>   kernel_read_system_state(systemd_cgroups_t)
>>   
>> @@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t,
>> systemd_networkd_var_run_t, systemd_netw
>> manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t,
>> systemd_networkd_var_run_t) manage_lnk_files_pattern(systemd_networkd_t,
>> systemd_networkd_var_run_t, systemd_networkd_var_run_t)
>> -kernel_dgram_send(systemd_networkd_t)
>>   kernel_read_system_state(systemd_networkd_t)
>>   kernel_read_kernel_sysctls(systemd_networkd_t)
>>   kernel_read_network_state(systemd_networkd_t)
>> @@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t)
>>   init_dgram_send(systemd_networkd_t)
>>   init_read_state(systemd_networkd_t)
>>   
>> -logging_send_syslog_msg(systemd_networkd_t)
>> -
>>   miscfiles_read_localization(systemd_networkd_t)
>>   
>>   sysnet_read_config(systemd_networkd_t)
>> @@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t,
>> systemd_resolved_var_run_t, dir)
>   
>>   dev_read_sysfs(systemd_resolved_t)
>>   
>> -kernel_dgram_send(systemd_resolved_t)
>>   kernel_read_crypto_sysctls(systemd_resolved_t)
>>   kernel_read_kernel_sysctls(systemd_resolved_t)
>>   kernel_read_net_sysctls(systemd_resolved_t)
>> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
>> index ff564280..f00de30d 100644
>> --- a/policy/modules/system/udev.te
>> +++ b/policy/modules/system/udev.te
>> @@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t)
>>   kernel_read_kernel_sysctls(udev_t)
>>   kernel_rw_hotplug_sysctls(udev_t)
>>   kernel_rw_unix_dgram_sockets(udev_t)
>> -kernel_dgram_send(udev_t)
>>   kernel_signal(udev_t)
>>   kernel_search_debugfs(udev_t)
>>   kernel_search_key(udev_t)
>> -- 
>> 2.20.1
>>
> 

  reply index

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-09 15:09 Sugar, David
2019-04-10  1:00 ` Russell Coker
2019-04-10  1:07   ` Sugar, David [this message]
2019-04-10  1:39     ` Russell Coker
2019-04-10 14:16       ` Sugar, David
2019-04-12 11:54       ` Chris PeBenito
2019-04-13  5:35         ` Russell Coker
2019-04-13 15:36           ` Sugar, David
2019-04-13 15:40             ` Russell Coker

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=460dd8d3-d9a8-3f1f-2d2d-bb823f92abb1@tresys.com \
    --to=dsugar@tresys.com \
    --cc=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox