This patch is based on comments from previous a patch to
remove the many uses of kernel_dgram_send() and incorporate
it into logging_send_syslog_msg().

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/admin/aide.te | 1 -
 policy/modules/admin/usermanage.te | 5 -----
 policy/modules/services/dbus.te | 3 ---
 policy/modules/system/authlogin.te | 5 -----
 policy/modules/system/init.if | 2 --
 policy/modules/system/init.te | 3 ---
 policy/modules/system/logging.if | 2 ++
 policy/modules/system/logging.te | 4 ----
 policy/modules/system/systemd.te | 5 -----
 policy/modules/system/udev.te | 1 -
 10 files changed, 2 insertions(+), 29 deletions(-)

diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index 30deba09..f5e64a86 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file)
 files_read_all_files(aide_t)
 files_read_all_symlinks(aide_t)
 
-kernel_dgram_send(aide_t)
 kernel_read_crypto_sysctls(aide_t)
 
 logging_send_audit_msgs(aide_t)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 5753741b..4a10bf84 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t)
 # on user home dir
 userdom_dontaudit_search_user_home_content(passwd_t)
 
-ifdef(`init_systemd',`
- # for journald /dev/log
- kernel_dgram_send(passwd_t)
-')
-
 optional_policy(`
 nscd_run(passwd_t, passwd_roles)
 ')
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 9c085876..c05370dd 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -162,9 +162,6 @@ ifdef(`init_systemd', `
 # for /run/systemd/dynamic-uid/
 init_list_pids(system_dbusd_t)
 init_read_runtime_symlinks(system_dbusd_t)
-
- # for journald /dev/log
- kernel_dgram_send(system_dbusd_t)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 28f74bac..2cf86952 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',`
 ')
 ')
 
-ifdef(`init_systemd',`
- # for journald /dev/log
- kernel_dgram_send(chkpwd_t)
-')
-
 optional_policy(`
 # apache leaks file descriptors
 apache_dontaudit_rw_tcp_sockets(chkpwd_t)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index fef2c88e..00bd4991 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -306,8 +306,6 @@ interface(`init_daemon_domain',`
 
 ifdef(`init_systemd',`
 init_domain($1, $2)
- # this may be because of late labelling
- kernel_dgram_send($1)
 
 allow $1 init_t:unix_dgram_socket sendto;
 ')
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index a12d151b..3e8eb2da 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -272,7 +272,6 @@ ifdef(`init_systemd',`
 
 kernel_dyntrans_to(init_t)
 kernel_read_network_state(init_t)
- kernel_dgram_send(init_t)
 kernel_stream_connect(init_t)
 kernel_getattr_proc(init_t)
 kernel_read_fs_sysctls(init_t)
@@ -969,8 +968,6 @@ ifdef(`init_systemd',`
 allow initrc_t systemdunit:service reload;
 allow initrc_t init_script_file_type:service { stop start status reload };
 
- kernel_dgram_send(initrc_t)
-
 # run systemd misc initializations
 # in the initrc_t domain, as would be
 # done in traditional sysvinit/upstart.
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 7b7644f7..1f696b7f 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',`
 ifdef(`init_systemd',`
 # Allow systemd-journald to check whether the process died
 allow syslogd_t $1:process signull;
+
+ kernel_dgram_send($1)
 ')
 ')
 
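Review bot: The new `kernel_dgram_send($1)` added to `logging_send_syslog_msg` in logging.if carries no comment saying why a syslog client needs sendto on a kernel_t unix_dgram_socket, although every call site this patch removes had one (`# for journald /dev/log`, `# this may be because of late labelling`), so a reader of the interface alone will take the rule for a mistake. The thread below attributes it to /dev/log and /run/systemd/journal/socket still being labeled kernel_t early in boot, before they are relabeled or recreated as devlog_t, and the rule should record that, e.g. `# /dev/log and the journal socket are labeled kernel_t early in boot, before they are relabeled devlog_t`. The comment should also make clear that the grant is not boot-scoped: every caller of this interface keeps sendto to kernel_t datagram sockets for its whole lifetime, which is a wider grant than the per-domain rules it replaces. The enclosing `logging_send_syslog_msg` interface begins before this hunk.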
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0c5be1cd..02f268ea 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t)
 
 sysnet_dns_name_resolve(audisp_t)
 
-ifdef(`init_systemd',`
- kernel_dgram_send(audisp_t)
-')
-
 optional_policy(`
 dbus_system_bus_client(audisp_t)
 ')
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f6455f6f..cf9241c0 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -266,7 +266,6 @@ systemd_log_parse_environment(systemd_gpt_generator_t)
 allow systemd_cgroups_t self:capability net_admin;
 
 kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
-kernel_dgram_send(systemd_cgroups_t)
 # for /proc/cmdline
 kernel_read_system_state(systemd_cgroups_t)
 
@@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_netw
 manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
 manage_lnk_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, systemd_networkd_var_run_t)
 
-kernel_dgram_send(systemd_networkd_t)
 kernel_read_system_state(systemd_networkd_t)
 kernel_read_kernel_sysctls(systemd_networkd_t)
 kernel_read_network_state(systemd_networkd_t)
@@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t)
 init_dgram_send(systemd_networkd_t)
 init_read_state(systemd_networkd_t)
 
-logging_send_syslog_msg(systemd_networkd_t)
-
 miscfiles_read_localization(systemd_networkd_t)
 
 sysnet_read_config(systemd_networkd_t)
@@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t, systemd_resolved_var_run_t, dir)
 
 dev_read_sysfs(systemd_resolved_t)
 
-kernel_dgram_send(systemd_resolved_t)
 kernel_read_crypto_sysctls(systemd_resolved_t)
 kernel_read_kernel_sysctls(systemd_resolved_t)
 kernel_read_net_sysctls(systemd_resolved_t)
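Review bot: The `@@ -667,8 +665,6 @@` hunk of systemd.te removes `logging_send_syslog_msg(systemd_networkd_t)`, which is not a `kernel_dgram_send()` call and is not accounted for by the commit message or the diffstat description. Unless that interface is reached by systemd_networkd_t through some other template (not visible here), systemd-networkd loses its syslog/journal access outright, and because this same patch moves `kernel_dgram_send($1)` into `logging_send_syslog_msg`, it also loses the kernel_t datagram access the rest of the change is consolidating rather than gaining it. If the removal is deliberate, the commit message should say where the access now comes from; otherwise the line should be kept: `logging_send_syslog_msg(systemd_networkd_t)`.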
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index ff564280..f00de30d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t)
 kernel_read_kernel_sysctls(udev_t)
 kernel_rw_hotplug_sysctls(udev_t)
 kernel_rw_unix_dgram_sockets(udev_t)
-kernel_dgram_send(udev_t)
 kernel_signal(udev_t)
 kernel_search_debugfs(udev_t)
 kernel_search_key(udev_t)
-- 
2.20.1
Why does the kernel need such access? On Wednesday, 10 April 2019 1:09:59 AM AEST Sugar, David wrote: > This patch is based on comments from previous a patch to > remove the many uses of kernel_dgram_send() and incorporate > it into logging_send_syslog_msg(). > > Signed-off-by: Dave Sugar <dsugar@tresys.com> > --- > policy/modules/admin/aide.te | 1 - > policy/modules/admin/usermanage.te | 5 ----- > policy/modules/services/dbus.te | 3 --- > policy/modules/system/authlogin.te | 5 ----- > policy/modules/system/init.if | 2 -- > policy/modules/system/init.te | 3 --- > policy/modules/system/logging.if | 2 ++ > policy/modules/system/logging.te | 4 ---- > policy/modules/system/systemd.te | 5 ----- > policy/modules/system/udev.te | 1 - > 10 files changed, 2 insertions(+), 29 deletions(-) > > diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te > index 30deba09..f5e64a86 100644 > --- a/policy/modules/admin/aide.te > +++ b/policy/modules/admin/aide.te > @@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file) > files_read_all_files(aide_t) > files_read_all_symlinks(aide_t) > > -kernel_dgram_send(aide_t) > kernel_read_crypto_sysctls(aide_t) > > logging_send_audit_msgs(aide_t) > diff --git a/policy/modules/admin/usermanage.te > b/policy/modules/admin/usermanage.te index 5753741b..4a10bf84 100644 > --- a/policy/modules/admin/usermanage.te > +++ b/policy/modules/admin/usermanage.te > @@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t) > # on user home dir > userdom_dontaudit_search_user_home_content(passwd_t) > > -ifdef(`init_systemd',` > - # for journald /dev/log > - kernel_dgram_send(passwd_t) > -') > - > optional_policy(` > nscd_run(passwd_t, passwd_roles) > ') > diff --git a/policy/modules/services/dbus.te > b/policy/modules/services/dbus.te index 9c085876..c05370dd 100644 > --- a/policy/modules/services/dbus.te > +++ b/policy/modules/services/dbus.te 
> @@ -162,9 +162,6 @@ ifdef(`init_systemd', ` > # for /run/systemd/dynamic-uid/ > init_list_pids(system_dbusd_t) > init_read_runtime_symlinks(system_dbusd_t) > - > - # for journald /dev/log > - kernel_dgram_send(system_dbusd_t) > ') > > optional_policy(` > diff --git a/policy/modules/system/authlogin.te > b/policy/modules/system/authlogin.te index 28f74bac..2cf86952 100644 > --- a/policy/modules/system/authlogin.te > +++ b/policy/modules/system/authlogin.te > @@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',` > ') > ') > > -ifdef(`init_systemd',` > - # for journald /dev/log > - kernel_dgram_send(chkpwd_t) > -') > - > optional_policy(` > # apache leaks file descriptors > apache_dontaudit_rw_tcp_sockets(chkpwd_t) > diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if > index fef2c88e..00bd4991 100644 > --- a/policy/modules/system/init.if > +++ b/policy/modules/system/init.if > @@ -306,8 +306,6 @@ interface(`init_daemon_domain',` > > ifdef(`init_systemd',` > init_domain($1, $2) > - # this may be because of late labelling > - kernel_dgram_send($1) > > allow $1 init_t:unix_dgram_socket sendto; > ') > diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te > index a12d151b..3e8eb2da 100644 > --- a/policy/modules/system/init.te > +++ b/policy/modules/system/init.te > @@ -272,7 +272,6 @@ ifdef(`init_systemd',` > > kernel_dyntrans_to(init_t) > kernel_read_network_state(init_t) > - kernel_dgram_send(init_t) > kernel_stream_connect(init_t) > kernel_getattr_proc(init_t) > kernel_read_fs_sysctls(init_t) > @@ -969,8 +968,6 @@ ifdef(`init_systemd',` > allow initrc_t systemdunit:service reload; > allow initrc_t init_script_file_type:service { stop start status reload > }; > - kernel_dgram_send(initrc_t) > - > # run systemd misc initializations > # in the initrc_t domain, as would be > # done in traditional sysvinit/upstart. > diff --git a/policy/modules/system/logging.if > b/policy/modules/system/logging.if index 7b7644f7..1f696b7f 100644 
> --- a/policy/modules/system/logging.if > +++ b/policy/modules/system/logging.if > @@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',` > ifdef(`init_systemd',` > # Allow systemd-journald to check whether the process died > allow syslogd_t $1:process signull; > + > + kernel_dgram_send($1) > ') > ') > > diff --git a/policy/modules/system/logging.te > b/policy/modules/system/logging.te index 0c5be1cd..02f268ea 100644 > --- a/policy/modules/system/logging.te > +++ b/policy/modules/system/logging.te > @@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t) > > sysnet_dns_name_resolve(audisp_t) > > -ifdef(`init_systemd',` > - kernel_dgram_send(audisp_t) > -') > - > optional_policy(` > dbus_system_bus_client(audisp_t) > ') > diff --git a/policy/modules/system/systemd.te > b/policy/modules/system/systemd.te index f6455f6f..cf9241c0 100644 > --- a/policy/modules/system/systemd.te > +++ b/policy/modules/system/systemd.te > @@ -266,7 +266,6 @@ systemd_log_parse_environment(systemd_gpt_generator_t) > allow systemd_cgroups_t self:capability net_admin; > > kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) > -kernel_dgram_send(systemd_cgroups_t) > # for /proc/cmdline > kernel_read_system_state(systemd_cgroups_t) > > @@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t, > systemd_networkd_var_run_t, systemd_netw > manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, > systemd_networkd_var_run_t) manage_lnk_files_pattern(systemd_networkd_t, > systemd_networkd_var_run_t, systemd_networkd_var_run_t) > -kernel_dgram_send(systemd_networkd_t) > kernel_read_system_state(systemd_networkd_t) > kernel_read_kernel_sysctls(systemd_networkd_t) > kernel_read_network_state(systemd_networkd_t) 
> @@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t) > init_dgram_send(systemd_networkd_t) > init_read_state(systemd_networkd_t) > > -logging_send_syslog_msg(systemd_networkd_t) > - > miscfiles_read_localization(systemd_networkd_t) > > sysnet_read_config(systemd_networkd_t) > @@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t, > systemd_resolved_var_run_t, dir) > dev_read_sysfs(systemd_resolved_t) > > -kernel_dgram_send(systemd_resolved_t) > kernel_read_crypto_sysctls(systemd_resolved_t) > kernel_read_kernel_sysctls(systemd_resolved_t) > kernel_read_net_sysctls(systemd_resolved_t) > diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te > index ff564280..f00de30d 100644 > --- a/policy/modules/system/udev.te > +++ b/policy/modules/system/udev.te > @@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t) > kernel_read_kernel_sysctls(udev_t) > kernel_rw_hotplug_sysctls(udev_t) > kernel_rw_unix_dgram_sockets(udev_t) > -kernel_dgram_send(udev_t) > kernel_signal(udev_t) > kernel_search_debugfs(udev_t) > kernel_search_key(udev_t) > -- > 2.20.1 > -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
On 4/9/19 9:00 PM, Russell Coker wrote: > Why does the kernel need such access? I'm not sure I understand your question. Are you asking why the kernel_dgram_send() access is needed by syslog? This is because many domains send messages to the journal. I have been adding this interface as needed throughout the policy as I'm seeing issues. It was suggested to move this interface use into logging_send_syslog_msg as that is the same concept and most domains log already. This patch is mostly removing uses of kernel_dgram_send and just adding it one place. > > On Wednesday, 10 April 2019 1:09:59 AM AEST Sugar, David wrote: >> This patch is based on comments from previous a patch to >> remove the many uses of kernel_dgram_send() and incorporate >> it into logging_send_syslog_msg(). >> >> Signed-off-by: Dave Sugar <dsugar@tresys.com> >> --- >> policy/modules/admin/aide.te | 1 - >> policy/modules/admin/usermanage.te | 5 ----- >> policy/modules/services/dbus.te | 3 --- >> policy/modules/system/authlogin.te | 5 ----- >> policy/modules/system/init.if | 2 -- >> policy/modules/system/init.te | 3 --- >> policy/modules/system/logging.if | 2 ++ >> policy/modules/system/logging.te | 4 ---- >> policy/modules/system/systemd.te | 5 ----- >> policy/modules/system/udev.te | 1 - >> 10 files changed, 2 insertions(+), 29 deletions(-) >> >> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te >> index 30deba09..f5e64a86 100644 >> --- a/policy/modules/admin/aide.te >> +++ b/policy/modules/admin/aide.te >> @@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file) >> files_read_all_files(aide_t) >> files_read_all_symlinks(aide_t) >> >> -kernel_dgram_send(aide_t) >> kernel_read_crypto_sysctls(aide_t) >> >> logging_send_audit_msgs(aide_t) >> diff --git a/policy/modules/admin/usermanage.te >> b/policy/modules/admin/usermanage.te > index 5753741b..4a10bf84 100644 >> --- a/policy/modules/admin/usermanage.te >> +++ b/policy/modules/admin/usermanage.te 
>> @@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t) >> # on user home dir >> userdom_dontaudit_search_user_home_content(passwd_t) >> >> -ifdef(`init_systemd',` >> - # for journald /dev/log >> - kernel_dgram_send(passwd_t) >> -') >> - >> optional_policy(` >> nscd_run(passwd_t, passwd_roles) >> ') >> diff --git a/policy/modules/services/dbus.te >> b/policy/modules/services/dbus.te > index 9c085876..c05370dd 100644 >> --- a/policy/modules/services/dbus.te >> +++ b/policy/modules/services/dbus.te >> @@ -162,9 +162,6 @@ ifdef(`init_systemd', ` >> # for /run/systemd/dynamic-uid/ >> init_list_pids(system_dbusd_t) >> init_read_runtime_symlinks(system_dbusd_t) >> - >> - # for journald /dev/log >> - kernel_dgram_send(system_dbusd_t) >> ') >> >> optional_policy(` >> diff --git a/policy/modules/system/authlogin.te >> b/policy/modules/system/authlogin.te > index 28f74bac..2cf86952 100644 >> --- a/policy/modules/system/authlogin.te >> +++ b/policy/modules/system/authlogin.te >> @@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',` >> ') >> ') >> >> -ifdef(`init_systemd',` >> - # for journald /dev/log >> - kernel_dgram_send(chkpwd_t) >> -') >> - >> optional_policy(` >> # apache leaks file descriptors >> apache_dontaudit_rw_tcp_sockets(chkpwd_t) >> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if >> index fef2c88e..00bd4991 100644 >> --- a/policy/modules/system/init.if >> +++ b/policy/modules/system/init.if >> @@ -306,8 +306,6 @@ interface(`init_daemon_domain',` >> >> ifdef(`init_systemd',` >> init_domain($1, $2) >> - # this may be because of late labelling >> - kernel_dgram_send($1) >> >> allow $1 init_t:unix_dgram_socket sendto; >> ') >> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te >> index a12d151b..3e8eb2da 100644 >> --- a/policy/modules/system/init.te >> +++ b/policy/modules/system/init.te 
>> @@ -272,7 +272,6 @@ ifdef(`init_systemd',` >> >> kernel_dyntrans_to(init_t) >> kernel_read_network_state(init_t) >> - kernel_dgram_send(init_t) >> kernel_stream_connect(init_t) >> kernel_getattr_proc(init_t) >> kernel_read_fs_sysctls(init_t) >> @@ -969,8 +968,6 @@ ifdef(`init_systemd',` >> allow initrc_t systemdunit:service reload; >> allow initrc_t init_script_file_type:service { stop start status reload >> }; > >> - kernel_dgram_send(initrc_t) >> - >> # run systemd misc initializations >> # in the initrc_t domain, as would be >> # done in traditional sysvinit/upstart. >> diff --git a/policy/modules/system/logging.if >> b/policy/modules/system/logging.if > index 7b7644f7..1f696b7f 100644 >> --- a/policy/modules/system/logging.if >> +++ b/policy/modules/system/logging.if >> @@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',` >> ifdef(`init_systemd',` >> # Allow systemd-journald to check whether the process died >> allow syslogd_t $1:process signull; >> + >> + kernel_dgram_send($1) >> ') >> ') >> >> diff --git a/policy/modules/system/logging.te >> b/policy/modules/system/logging.te > index 0c5be1cd..02f268ea 100644 >> --- a/policy/modules/system/logging.te >> +++ b/policy/modules/system/logging.te >> @@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t) >> >> sysnet_dns_name_resolve(audisp_t) >> >> -ifdef(`init_systemd',` >> - kernel_dgram_send(audisp_t) >> -') >> - >> optional_policy(` >> dbus_system_bus_client(audisp_t) >> ') >> diff --git a/policy/modules/system/systemd.te >> b/policy/modules/system/systemd.te > index f6455f6f..cf9241c0 100644 >> --- a/policy/modules/system/systemd.te >> +++ b/policy/modules/system/systemd.te >> @@ -266,7 +266,6 @@ systemd_log_parse_environment(systemd_gpt_generator_t) >> allow systemd_cgroups_t self:capability net_admin; >> >> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) >> -kernel_dgram_send(systemd_cgroups_t) >> # for /proc/cmdline >> kernel_read_system_state(systemd_cgroups_t) 
>> >> @@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t, >> systemd_networkd_var_run_t, systemd_netw >> manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, >> systemd_networkd_var_run_t) manage_lnk_files_pattern(systemd_networkd_t, >> systemd_networkd_var_run_t, systemd_networkd_var_run_t) >> -kernel_dgram_send(systemd_networkd_t) >> kernel_read_system_state(systemd_networkd_t) >> kernel_read_kernel_sysctls(systemd_networkd_t) >> kernel_read_network_state(systemd_networkd_t) >> @@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t) >> init_dgram_send(systemd_networkd_t) >> init_read_state(systemd_networkd_t) >> >> -logging_send_syslog_msg(systemd_networkd_t) >> - >> miscfiles_read_localization(systemd_networkd_t) >> >> sysnet_read_config(systemd_networkd_t) >> @@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t, >> systemd_resolved_var_run_t, dir) > >> dev_read_sysfs(systemd_resolved_t) >> >> -kernel_dgram_send(systemd_resolved_t) >> kernel_read_crypto_sysctls(systemd_resolved_t) >> kernel_read_kernel_sysctls(systemd_resolved_t) >> kernel_read_net_sysctls(systemd_resolved_t) >> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te >> index ff564280..f00de30d 100644 >> --- a/policy/modules/system/udev.te >> +++ b/policy/modules/system/udev.te >> @@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t) >> kernel_read_kernel_sysctls(udev_t) >> kernel_rw_hotplug_sysctls(udev_t) >> kernel_rw_unix_dgram_sockets(udev_t) >> -kernel_dgram_send(udev_t) >> kernel_signal(udev_t) >> kernel_search_debugfs(udev_t) >> kernel_search_key(udev_t) >> -- >> 2.20.1 >> >
Why is a socket that everything sends to labeled as kernel_t? On Wednesday, 10 April 2019 11:07:29 AM AEST Sugar, David wrote: > On 4/9/19 9:00 PM, Russell Coker wrote: > > > Why does the kernel need such access? > > > I'm not sure I understand your question. Are you asking why the > kernel_dgram_send() access is needed by syslog? This is because many > domains send messages to the journal. > > I have been adding this interface as needed throughout the policy as I'm > seeing issues. It was suggested to move this interface use into > logging_send_syslog_msg as that is the same concept and most domains log > already. > > This patch is mostly removing uses of kernel_dgram_send and just adding > it one place. > > > > > > On Wednesday, 10 April 2019 1:09:59 AM AEST Sugar, David wrote: > > > >> This patch is based on comments from previous a patch to > >> remove the many uses of kernel_dgram_send() and incorporate > >> it into logging_send_syslog_msg(). > >> > >> > >> > >> Signed-off-by: Dave Sugar <dsugar@tresys.com> > >> --- > >> > >> policy/modules/admin/aide.te | 1 - > >> policy/modules/admin/usermanage.te | 5 ----- > >> policy/modules/services/dbus.te | 3 --- > >> policy/modules/system/authlogin.te | 5 ----- > >> policy/modules/system/init.if | 2 -- > >> policy/modules/system/init.te | 3 --- > >> policy/modules/system/logging.if | 2 ++ > >> policy/modules/system/logging.te | 4 ---- > >> policy/modules/system/systemd.te | 5 ----- > >> policy/modules/system/udev.te | 1 - > >> 10 files changed, 2 insertions(+), 29 deletions(-) > >> > >> > >> > >> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te > >> index 30deba09..f5e64a86 100644 > >> --- a/policy/modules/admin/aide.te > >> +++ b/policy/modules/admin/aide.te 
> >> @@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file) > >> > >> files_read_all_files(aide_t) > >> files_read_all_symlinks(aide_t) > >> > >> > >> -kernel_dgram_send(aide_t) > >> > >> kernel_read_crypto_sysctls(aide_t) > >> > >> logging_send_audit_msgs(aide_t) > >> > >> diff --git a/policy/modules/admin/usermanage.te > >> b/policy/modules/admin/usermanage.te > >> > > index 5753741b..4a10bf84 100644 > >> > >> --- a/policy/modules/admin/usermanage.te > >> +++ b/policy/modules/admin/usermanage.te > >> @@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t) > >> > >> # on user home dir > >> userdom_dontaudit_search_user_home_content(passwd_t) > >> > >> > >> -ifdef(`init_systemd',` > >> - # for journald /dev/log > >> - kernel_dgram_send(passwd_t) > >> -') > >> - > >> > >> optional_policy(` > >> > >> nscd_run(passwd_t, passwd_roles) > >> > >> ') > >> > >> diff --git a/policy/modules/services/dbus.te > >> b/policy/modules/services/dbus.te > >> > > index 9c085876..c05370dd 100644 > >> > >> --- a/policy/modules/services/dbus.te > >> +++ b/policy/modules/services/dbus.te > >> @@ -162,9 +162,6 @@ ifdef(`init_systemd', ` > >> > >> # for /run/systemd/dynamic-uid/ > >> init_list_pids(system_dbusd_t) > >> init_read_runtime_symlinks(system_dbusd_t) > >> > >> - > >> - # for journald /dev/log > >> - kernel_dgram_send(system_dbusd_t) > >> > >> ') > >> > >> optional_policy(` > >> > >> diff --git a/policy/modules/system/authlogin.te > >> b/policy/modules/system/authlogin.te > >> > > index 28f74bac..2cf86952 100644 > >> > >> --- a/policy/modules/system/authlogin.te > >> +++ b/policy/modules/system/authlogin.te > >> @@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',` > >> > >> ') > >> > >> ') > >> > >> > >> -ifdef(`init_systemd',` > >> - # for journald /dev/log > >> - kernel_dgram_send(chkpwd_t) > >> -') > >> - > >> > >> optional_policy(` > >> > >> # apache leaks file descriptors > >> apache_dontaudit_rw_tcp_sockets(chkpwd_t) 
> >> > >> diff --git a/policy/modules/system/init.if > >> b/policy/modules/system/init.if > >> index fef2c88e..00bd4991 100644 > >> --- a/policy/modules/system/init.if > >> +++ b/policy/modules/system/init.if > >> @@ -306,8 +306,6 @@ interface(`init_daemon_domain',` > >> > >> > >> > >> ifdef(`init_systemd',` > >> > >> init_domain($1, $2) > >> > >> - # this may be because of late labelling > >> - kernel_dgram_send($1) > >> > >> > >> > >> allow $1 init_t:unix_dgram_socket sendto; > >> > >> ') > >> > >> diff --git a/policy/modules/system/init.te > >> b/policy/modules/system/init.te > >> index a12d151b..3e8eb2da 100644 > >> --- a/policy/modules/system/init.te > >> +++ b/policy/modules/system/init.te > >> @@ -272,7 +272,6 @@ ifdef(`init_systemd',` > >> > >> > >> > >> kernel_dyntrans_to(init_t) > >> kernel_read_network_state(init_t) > >> > >> - kernel_dgram_send(init_t) > >> > >> kernel_stream_connect(init_t) > >> kernel_getattr_proc(init_t) > >> kernel_read_fs_sysctls(init_t) > >> > >> @@ -969,8 +968,6 @@ ifdef(`init_systemd',` > >> > >> allow initrc_t systemdunit:service reload; > >> allow initrc_t init_script_file_type:service { stop start status > >> reload > >> > >> }; > >> > > > >> > >> - kernel_dgram_send(initrc_t) > >> - > >> > >> # run systemd misc initializations > >> # in the initrc_t domain, as would be > >> # done in traditional sysvinit/upstart. > >> > >> diff --git a/policy/modules/system/logging.if > >> b/policy/modules/system/logging.if > >> > > index 7b7644f7..1f696b7f 100644 > >> > >> --- a/policy/modules/system/logging.if > >> +++ b/policy/modules/system/logging.if > >> @@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',` > >> > >> ifdef(`init_systemd',` > >> > >> # Allow systemd-journald to check whether the process died > >> allow syslogd_t $1:process signull; > >> > >> + > >> + kernel_dgram_send($1) > >> > >> ') > >> > >> ') 
> >> > >> > >> diff --git a/policy/modules/system/logging.te > >> b/policy/modules/system/logging.te > >> > > index 0c5be1cd..02f268ea 100644 > >> > >> --- a/policy/modules/system/logging.te > >> +++ b/policy/modules/system/logging.te > >> @@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t) > >> > >> > >> sysnet_dns_name_resolve(audisp_t) > >> > >> > >> -ifdef(`init_systemd',` > >> - kernel_dgram_send(audisp_t) > >> -') > >> - > >> > >> optional_policy(` > >> > >> dbus_system_bus_client(audisp_t) > >> > >> ') > >> > >> diff --git a/policy/modules/system/systemd.te > >> b/policy/modules/system/systemd.te > >> > > index f6455f6f..cf9241c0 100644 > >> > >> --- a/policy/modules/system/systemd.te > >> +++ b/policy/modules/system/systemd.te > >> @@ -266,7 +266,6 @@ > >> systemd_log_parse_environment(systemd_gpt_generator_t) > >> > >> allow systemd_cgroups_t self:capability net_admin; > >> > >> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) > >> > >> -kernel_dgram_send(systemd_cgroups_t) > >> > >> # for /proc/cmdline > >> kernel_read_system_state(systemd_cgroups_t) > >> > >> > >> @@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t, > >> systemd_networkd_var_run_t, systemd_netw > >> manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, > >> systemd_networkd_var_run_t) manage_lnk_files_pattern(systemd_networkd_t, > >> systemd_networkd_var_run_t, systemd_networkd_var_run_t) > >> -kernel_dgram_send(systemd_networkd_t) > >> > >> kernel_read_system_state(systemd_networkd_t) > >> kernel_read_kernel_sysctls(systemd_networkd_t) > >> kernel_read_network_state(systemd_networkd_t) > >> > >> @@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t) > >> > >> init_dgram_send(systemd_networkd_t) > >> init_read_state(systemd_networkd_t) > >> > >> > >> -logging_send_syslog_msg(systemd_networkd_t) > >> - > >> > >> miscfiles_read_localization(systemd_networkd_t) > >> > >> sysnet_read_config(systemd_networkd_t) 
> >> > >> @@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t, > >> systemd_resolved_var_run_t, dir) > >> > > > > > >> dev_read_sysfs(systemd_resolved_t) > >> > >> > >> -kernel_dgram_send(systemd_resolved_t) > >> > >> kernel_read_crypto_sysctls(systemd_resolved_t) > >> kernel_read_kernel_sysctls(systemd_resolved_t) > >> kernel_read_net_sysctls(systemd_resolved_t) > >> > >> diff --git a/policy/modules/system/udev.te > >> b/policy/modules/system/udev.te > >> index ff564280..f00de30d 100644 > >> --- a/policy/modules/system/udev.te > >> +++ b/policy/modules/system/udev.te > >> @@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t) > >> > >> kernel_read_kernel_sysctls(udev_t) > >> kernel_rw_hotplug_sysctls(udev_t) > >> kernel_rw_unix_dgram_sockets(udev_t) > >> > >> -kernel_dgram_send(udev_t) > >> > >> kernel_signal(udev_t) > >> kernel_search_debugfs(udev_t) > >> kernel_search_key(udev_t) > >> > >> -- > >> 2.20.1 > >> > >> > >> > > -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
On 4/9/19 9:39 PM, Russell Coker wrote: > Why is a socket that everything sends to labeled as kernel_t? > I see, it is happening during the system booting. /dev/log and /run/systemd/journal/socket are both labeled kernel_t early in the boot process. At some point they are either relabeled or recreated with devlog_t. But without this rule the system won't boot (I have tried). Here are a small sample of the denials I get without these rules. type=AVC msg=audit(1554904080.089:5018): avc: denied { sendto } for pid=7559 comm="auditd" path="/dev/log" scontext=system_u:system_r:auditd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1554904080.155:5138): avc: denied { sendto } for pid=7590 comm="systemd-cgroups" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_cgroups_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1554904080.158:5142): avc: denied { sendto } for pid=7591 comm="systemd-update-" path="/run/systemd/journal/socket" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0 type=AVC msg=audit(1554904467.831:181): avc: denied { sendto } for pid=7510 comm="chronyd" path="/dev/log" scontext=system_u:system_r:chronyd_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1554904467.842:190): avc: denied { sendto } for pid=7498 comm="dbus-daemon" path="/dev/log" scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 type=AVC msg=audit(1554904467.850:194): avc: denied { sendto } for pid=7521 comm="systemd-user-se" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_sessions_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1 > On Wednesday, 10 April 2019 11:07:29 AM AEST Sugar, David wrote: >> On 4/9/19 9:00 PM, 
Russell Coker wrote: >> >>> Why does the kernel need such access? >> >> >> I'm not sure I understand your question. Are you asking why the >> kernel_dgram_send() access is needed by syslog? This is because many >> domains send messages to the journal. >> >> I have been adding this interface as needed throughout the policy as I'm >> seeing issues. It was suggested to move this interface use into >> logging_send_syslog_msg as that is the same concept and most domains log >> already. >> >> This patch is mostly removing uses of kernel_dgram_send and just adding >> it one place. >> >> >>> >>> On Wednesday, 10 April 2019 1:09:59 AM AEST Sugar, David wrote: >>> >>>> This patch is based on comments from previous a patch to >>>> remove the many uses of kernel_dgram_send() and incorporate >>>> it into logging_send_syslog_msg(). >>>> >>>> >>>> >>>> Signed-off-by: Dave Sugar <dsugar@tresys.com> >>>> --- >>>> >>>> policy/modules/admin/aide.te | 1 - >>>> policy/modules/admin/usermanage.te | 5 ----- >>>> policy/modules/services/dbus.te | 3 --- >>>> policy/modules/system/authlogin.te | 5 ----- >>>> policy/modules/system/init.if | 2 -- >>>> policy/modules/system/init.te | 3 --- >>>> policy/modules/system/logging.if | 2 ++ >>>> policy/modules/system/logging.te | 4 ---- >>>> policy/modules/system/systemd.te | 5 ----- >>>> policy/modules/system/udev.te | 1 - >>>> 10 files changed, 2 insertions(+), 29 deletions(-) >>>> >>>> >>>> >>>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te >>>> index 30deba09..f5e64a86 100644 >>>> --- a/policy/modules/admin/aide.te >>>> +++ b/policy/modules/admin/aide.te >>>> @@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file) >>>> >>>> files_read_all_files(aide_t) >>>> files_read_all_symlinks(aide_t) >>>> >>>> >>>> -kernel_dgram_send(aide_t) >>>> >>>> kernel_read_crypto_sysctls(aide_t) >>>> >>>> logging_send_audit_msgs(aide_t) 
>>>> >>>> diff --git a/policy/modules/admin/usermanage.te >>>> b/policy/modules/admin/usermanage.te >>>> >>> index 5753741b..4a10bf84 100644 >>>> >>>> --- a/policy/modules/admin/usermanage.te >>>> +++ b/policy/modules/admin/usermanage.te >>>> @@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t) >>>> >>>> # on user home dir >>>> userdom_dontaudit_search_user_home_content(passwd_t) >>>> >>>> >>>> -ifdef(`init_systemd',` >>>> - # for journald /dev/log >>>> - kernel_dgram_send(passwd_t) >>>> -') >>>> - >>>> >>>> optional_policy(` >>>> >>>> nscd_run(passwd_t, passwd_roles) >>>> >>>> ') >>>> >>>> diff --git a/policy/modules/services/dbus.te >>>> b/policy/modules/services/dbus.te >>>> >>> index 9c085876..c05370dd 100644 >>>> >>>> --- a/policy/modules/services/dbus.te >>>> +++ b/policy/modules/services/dbus.te >>>> @@ -162,9 +162,6 @@ ifdef(`init_systemd', ` >>>> >>>> # for /run/systemd/dynamic-uid/ >>>> init_list_pids(system_dbusd_t) >>>> init_read_runtime_symlinks(system_dbusd_t) >>>> >>>> - >>>> - # for journald /dev/log >>>> - kernel_dgram_send(system_dbusd_t) >>>> >>>> ') >>>> >>>> optional_policy(` >>>> >>>> diff --git a/policy/modules/system/authlogin.te >>>> b/policy/modules/system/authlogin.te >>>> >>> index 28f74bac..2cf86952 100644 >>>> >>>> --- a/policy/modules/system/authlogin.te >>>> +++ b/policy/modules/system/authlogin.te >>>> @@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',` >>>> >>>> ') >>>> >>>> ') >>>> >>>> >>>> -ifdef(`init_systemd',` >>>> - # for journald /dev/log >>>> - kernel_dgram_send(chkpwd_t) >>>> -') >>>> - >>>> >>>> optional_policy(` >>>> >>>> # apache leaks file descriptors >>>> apache_dontaudit_rw_tcp_sockets(chkpwd_t) >>>> >>>> diff --git a/policy/modules/system/init.if >>>> b/policy/modules/system/init.if >>>> index fef2c88e..00bd4991 100644 >>>> --- a/policy/modules/system/init.if >>>> +++ b/policy/modules/system/init.if 
>>>> @@ -306,8 +306,6 @@ interface(`init_daemon_domain',` >>>> >>>> >>>> >>>> ifdef(`init_systemd',` >>>> >>>> init_domain($1, $2) >>>> >>>> - # this may be because of late labelling >>>> - kernel_dgram_send($1) >>>> >>>> >>>> >>>> allow $1 init_t:unix_dgram_socket sendto; >>>> >>>> ') >>>> >>>> diff --git a/policy/modules/system/init.te >>>> b/policy/modules/system/init.te >>>> index a12d151b..3e8eb2da 100644 >>>> --- a/policy/modules/system/init.te >>>> +++ b/policy/modules/system/init.te >>>> @@ -272,7 +272,6 @@ ifdef(`init_systemd',` >>>> >>>> >>>> >>>> kernel_dyntrans_to(init_t) >>>> kernel_read_network_state(init_t) >>>> >>>> - kernel_dgram_send(init_t) >>>> >>>> kernel_stream_connect(init_t) >>>> kernel_getattr_proc(init_t) >>>> kernel_read_fs_sysctls(init_t) >>>> >>>> @@ -969,8 +968,6 @@ ifdef(`init_systemd',` >>>> >>>> allow initrc_t systemdunit:service reload; >>>> allow initrc_t init_script_file_type:service { stop start status >>>> reload >>>> >>>> }; >>>> >>> >>>> >>>> - kernel_dgram_send(initrc_t) >>>> - >>>> >>>> # run systemd misc initializations >>>> # in the initrc_t domain, as would be >>>> # done in traditional sysvinit/upstart. >>>> >>>> diff --git a/policy/modules/system/logging.if >>>> b/policy/modules/system/logging.if >>>> >>> index 7b7644f7..1f696b7f 100644 >>>> >>>> --- a/policy/modules/system/logging.if >>>> +++ b/policy/modules/system/logging.if >>>> @@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',` >>>> >>>> ifdef(`init_systemd',` >>>> >>>> # Allow systemd-journald to check whether the process died >>>> allow syslogd_t $1:process signull; >>>> >>>> + >>>> + kernel_dgram_send($1) >>>> >>>> ') >>>> >>>> ') >>>> >>>> >>>> diff --git a/policy/modules/system/logging.te >>>> b/policy/modules/system/logging.te >>>> >>> index 0c5be1cd..02f268ea 100644 >>>> >>>> --- a/policy/modules/system/logging.te >>>> +++ b/policy/modules/system/logging.te 
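Review bot: The `kernel_dgram_send($1)` added inside the `ifdef(`init_systemd'` block of `logging_send_syslog_msg` carries no comment, while every call site it replaces explained the reason (`# for journald /dev/log`), so a reader of logging.if will take it for a deliberate kernel interaction rather than a labelling artefact. Suggest a why-comment above the new line such as `# /dev/log and /run/systemd/journal/socket are labeled kernel_t early in boot, before they are relabeled devlog_t`. The interface body continues outside the hunk, and the same hunk is quoted again later in the thread; this note applies to both copies.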
>>>> @@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t) >>>> >>>> >>>> sysnet_dns_name_resolve(audisp_t) >>>> >>>> >>>> -ifdef(`init_systemd',` >>>> - kernel_dgram_send(audisp_t) >>>> -') >>>> - >>>> >>>> optional_policy(` >>>> >>>> dbus_system_bus_client(audisp_t) >>>> >>>> ') >>>> >>>> diff --git a/policy/modules/system/systemd.te >>>> b/policy/modules/system/systemd.te >>>> >>> index f6455f6f..cf9241c0 100644 >>>> >>>> --- a/policy/modules/system/systemd.te >>>> +++ b/policy/modules/system/systemd.te >>>> @@ -266,7 +266,6 @@ >>>> systemd_log_parse_environment(systemd_gpt_generator_t) >>>> >>>> allow systemd_cgroups_t self:capability net_admin; >>>> >>>> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) >>>> >>>> -kernel_dgram_send(systemd_cgroups_t) >>>> >>>> # for /proc/cmdline >>>> kernel_read_system_state(systemd_cgroups_t) >>>> >>>> >>>> @@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t, >>>> systemd_networkd_var_run_t, systemd_netw >>>> manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, >>>> systemd_networkd_var_run_t) manage_lnk_files_pattern(systemd_networkd_t, >>>> systemd_networkd_var_run_t, systemd_networkd_var_run_t) >>>> -kernel_dgram_send(systemd_networkd_t) >>>> >>>> kernel_read_system_state(systemd_networkd_t) >>>> kernel_read_kernel_sysctls(systemd_networkd_t) >>>> kernel_read_network_state(systemd_networkd_t) >>>> >>>> @@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t) >>>> >>>> init_dgram_send(systemd_networkd_t) >>>> init_read_state(systemd_networkd_t) >>>> >>>> >>>> -logging_send_syslog_msg(systemd_networkd_t) >>>> - >>>> >>>> miscfiles_read_localization(systemd_networkd_t) >>>> >>>> sysnet_read_config(systemd_networkd_t) 
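Review bot: The systemd.te hunk at `@@ -667,8 +665,6` removes `logging_send_syslog_msg(systemd_networkd_t)` rather than a `kernel_dgram_send()` call, which is the opposite of what the commit message describes: with this patch the dgram-send access now comes only through logging_send_syslog_msg, so dropping that call would leave systemd_networkd_t without syslog access at all. Unless a second `logging_send_syslog_msg(systemd_networkd_t)` remains elsewhere in systemd.te (not visible in this hunk), that deletion looks unintended and should be reverted.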
>>>> >>>> @@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t, >>>> systemd_resolved_var_run_t, dir) >>>> >>> >>> >>>> dev_read_sysfs(systemd_resolved_t) >>>> >>>> >>>> -kernel_dgram_send(systemd_resolved_t) >>>> >>>> kernel_read_crypto_sysctls(systemd_resolved_t) >>>> kernel_read_kernel_sysctls(systemd_resolved_t) >>>> kernel_read_net_sysctls(systemd_resolved_t) >>>> >>>> diff --git a/policy/modules/system/udev.te >>>> b/policy/modules/system/udev.te >>>> index ff564280..f00de30d 100644 >>>> --- a/policy/modules/system/udev.te >>>> +++ b/policy/modules/system/udev.te >>>> @@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t) >>>> >>>> kernel_read_kernel_sysctls(udev_t) >>>> kernel_rw_hotplug_sysctls(udev_t) >>>> kernel_rw_unix_dgram_sockets(udev_t) >>>> >>>> -kernel_dgram_send(udev_t) >>>> >>>> kernel_signal(udev_t) >>>> kernel_search_debugfs(udev_t) >>>> kernel_search_key(udev_t) >>>> >>>> -- >>>> 2.20.1 >>>> >>>> >>>> >>> > >
On 4/9/19 9:39 PM, Russell Coker wrote: > Why is a socket that everything sends to labeled as kernel_t? > > On Wednesday, 10 April 2019 11:07:29 AM AEST Sugar, David wrote: >> On 4/9/19 9:00 PM, Russell Coker wrote: >> >>> Why does the kernel need such access? >> >> >> I'm not sure I understand your question. Are you asking why the >> kernel_dgram_send() access is needed by syslog? This is because many >> domains send messages to the journal. >> >> I have been adding this interface as needed throughout the policy as I'm >> seeing issues. It was suggested to move this interface use into >> logging_send_syslog_msg as that is the same concept and most domains log >> already. >> >> This patch is mostly removing uses of kernel_dgram_send and just adding >> it one place. >> >> >>> >>> On Wednesday, 10 April 2019 1:09:59 AM AEST Sugar, David wrote: >>> >>>> This patch is based on comments from previous a patch to >>>> remove the many uses of kernel_dgram_send() and incorporate >>>> it into logging_send_syslog_msg(). Russell, you aren't seeing this type of access on Debian? How about Gentoo? If this is Fedora/RHEL-specific, then it should be reflected in the policy accordingly. >>>> Signed-off-by: Dave Sugar <dsugar@tresys.com> >>>> --- >>>> >>>> policy/modules/admin/aide.te | 1 - >>>> policy/modules/admin/usermanage.te | 5 ----- >>>> policy/modules/services/dbus.te | 3 --- >>>> policy/modules/system/authlogin.te | 5 ----- >>>> policy/modules/system/init.if | 2 -- >>>> policy/modules/system/init.te | 3 --- >>>> policy/modules/system/logging.if | 2 ++ >>>> policy/modules/system/logging.te | 4 ---- >>>> policy/modules/system/systemd.te | 5 ----- >>>> policy/modules/system/udev.te | 1 - >>>> 10 files changed, 2 insertions(+), 29 deletions(-) >>>> >>>> >>>> >>>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te >>>> index 30deba09..f5e64a86 100644 >>>> --- a/policy/modules/admin/aide.te >>>> +++ b/policy/modules/admin/aide.te 
>>>> @@ -44,7 +44,6 @@ logging_log_filetrans(aide_t, aide_log_t, file) >>>> >>>> files_read_all_files(aide_t) >>>> files_read_all_symlinks(aide_t) >>>> >>>> >>>> -kernel_dgram_send(aide_t) >>>> >>>> kernel_read_crypto_sysctls(aide_t) >>>> >>>> logging_send_audit_msgs(aide_t) >>>> >>>> diff --git a/policy/modules/admin/usermanage.te >>>> b/policy/modules/admin/usermanage.te >>>> >>> index 5753741b..4a10bf84 100644 >>>> >>>> --- a/policy/modules/admin/usermanage.te >>>> +++ b/policy/modules/admin/usermanage.te >>>> @@ -366,11 +366,6 @@ userdom_read_user_tmp_files(passwd_t) >>>> >>>> # on user home dir >>>> userdom_dontaudit_search_user_home_content(passwd_t) >>>> >>>> >>>> -ifdef(`init_systemd',` >>>> - # for journald /dev/log >>>> - kernel_dgram_send(passwd_t) >>>> -') >>>> - >>>> >>>> optional_policy(` >>>> >>>> nscd_run(passwd_t, passwd_roles) >>>> >>>> ') >>>> >>>> diff --git a/policy/modules/services/dbus.te >>>> b/policy/modules/services/dbus.te >>>> >>> index 9c085876..c05370dd 100644 >>>> >>>> --- a/policy/modules/services/dbus.te >>>> +++ b/policy/modules/services/dbus.te >>>> @@ -162,9 +162,6 @@ ifdef(`init_systemd', ` >>>> >>>> # for /run/systemd/dynamic-uid/ >>>> init_list_pids(system_dbusd_t) >>>> init_read_runtime_symlinks(system_dbusd_t) >>>> >>>> - >>>> - # for journald /dev/log >>>> - kernel_dgram_send(system_dbusd_t) >>>> >>>> ') >>>> >>>> optional_policy(` >>>> >>>> diff --git a/policy/modules/system/authlogin.te >>>> b/policy/modules/system/authlogin.te >>>> >>> index 28f74bac..2cf86952 100644 >>>> >>>> --- a/policy/modules/system/authlogin.te >>>> +++ b/policy/modules/system/authlogin.te >>>> @@ -144,11 +144,6 @@ ifdef(`distro_ubuntu',` >>>> >>>> ') >>>> >>>> ') >>>> >>>> >>>> -ifdef(`init_systemd',` >>>> - # for journald /dev/log >>>> - kernel_dgram_send(chkpwd_t) >>>> -') >>>> - >>>> >>>> optional_policy(` >>>> >>>> # apache leaks file descriptors >>>> apache_dontaudit_rw_tcp_sockets(chkpwd_t) 
>>>> >>>> diff --git a/policy/modules/system/init.if >>>> b/policy/modules/system/init.if >>>> index fef2c88e..00bd4991 100644 >>>> --- a/policy/modules/system/init.if >>>> +++ b/policy/modules/system/init.if >>>> @@ -306,8 +306,6 @@ interface(`init_daemon_domain',` >>>> >>>> >>>> >>>> ifdef(`init_systemd',` >>>> >>>> init_domain($1, $2) >>>> >>>> - # this may be because of late labelling >>>> - kernel_dgram_send($1) >>>> >>>> >>>> >>>> allow $1 init_t:unix_dgram_socket sendto; >>>> >>>> ') >>>> >>>> diff --git a/policy/modules/system/init.te >>>> b/policy/modules/system/init.te >>>> index a12d151b..3e8eb2da 100644 >>>> --- a/policy/modules/system/init.te >>>> +++ b/policy/modules/system/init.te >>>> @@ -272,7 +272,6 @@ ifdef(`init_systemd',` >>>> >>>> >>>> >>>> kernel_dyntrans_to(init_t) >>>> kernel_read_network_state(init_t) >>>> >>>> - kernel_dgram_send(init_t) >>>> >>>> kernel_stream_connect(init_t) >>>> kernel_getattr_proc(init_t) >>>> kernel_read_fs_sysctls(init_t) >>>> >>>> @@ -969,8 +968,6 @@ ifdef(`init_systemd',` >>>> >>>> allow initrc_t systemdunit:service reload; >>>> allow initrc_t init_script_file_type:service { stop start status >>>> reload >>>> >>>> }; >>>> >>> >>>> >>>> - kernel_dgram_send(initrc_t) >>>> - >>>> >>>> # run systemd misc initializations >>>> # in the initrc_t domain, as would be >>>> # done in traditional sysvinit/upstart. >>>> >>>> diff --git a/policy/modules/system/logging.if >>>> b/policy/modules/system/logging.if >>>> >>> index 7b7644f7..1f696b7f 100644 >>>> >>>> --- a/policy/modules/system/logging.if >>>> +++ b/policy/modules/system/logging.if >>>> @@ -642,6 +642,8 @@ interface(`logging_send_syslog_msg',` >>>> >>>> ifdef(`init_systemd',` >>>> >>>> # Allow systemd-journald to check whether the process died >>>> allow syslogd_t $1:process signull; >>>> >>>> + >>>> + kernel_dgram_send($1) >>>> >>>> ') >>>> >>>> ') >>>> 
>>>> >>>> diff --git a/policy/modules/system/logging.te >>>> b/policy/modules/system/logging.te >>>> >>> index 0c5be1cd..02f268ea 100644 >>>> >>>> --- a/policy/modules/system/logging.te >>>> +++ b/policy/modules/system/logging.te >>>> @@ -271,10 +271,6 @@ miscfiles_read_localization(audisp_t) >>>> >>>> >>>> sysnet_dns_name_resolve(audisp_t) >>>> >>>> >>>> -ifdef(`init_systemd',` >>>> - kernel_dgram_send(audisp_t) >>>> -') >>>> - >>>> >>>> optional_policy(` >>>> >>>> dbus_system_bus_client(audisp_t) >>>> >>>> ') >>>> >>>> diff --git a/policy/modules/system/systemd.te >>>> b/policy/modules/system/systemd.te >>>> >>> index f6455f6f..cf9241c0 100644 >>>> >>>> --- a/policy/modules/system/systemd.te >>>> +++ b/policy/modules/system/systemd.te >>>> @@ -266,7 +266,6 @@ >>>> systemd_log_parse_environment(systemd_gpt_generator_t) >>>> >>>> allow systemd_cgroups_t self:capability net_admin; >>>> >>>> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) >>>> >>>> -kernel_dgram_send(systemd_cgroups_t) >>>> >>>> # for /proc/cmdline >>>> kernel_read_system_state(systemd_cgroups_t) >>>> >>>> >>>> @@ -642,7 +641,6 @@ manage_dirs_pattern(systemd_networkd_t, >>>> systemd_networkd_var_run_t, systemd_netw >>>> manage_files_pattern(systemd_networkd_t, systemd_networkd_var_run_t, >>>> systemd_networkd_var_run_t) manage_lnk_files_pattern(systemd_networkd_t, >>>> systemd_networkd_var_run_t, systemd_networkd_var_run_t) >>>> -kernel_dgram_send(systemd_networkd_t) >>>> >>>> kernel_read_system_state(systemd_networkd_t) >>>> kernel_read_kernel_sysctls(systemd_networkd_t) >>>> kernel_read_network_state(systemd_networkd_t) >>>> >>>> @@ -667,8 +665,6 @@ auth_use_nsswitch(systemd_networkd_t) >>>> >>>> init_dgram_send(systemd_networkd_t) >>>> init_read_state(systemd_networkd_t) >>>> >>>> >>>> -logging_send_syslog_msg(systemd_networkd_t) >>>> - >>>> >>>> miscfiles_read_localization(systemd_networkd_t) >>>> >>>> sysnet_read_config(systemd_networkd_t) 
>>>> >>>> @@ -945,7 +941,6 @@ init_pid_filetrans(systemd_resolved_t, >>>> systemd_resolved_var_run_t, dir) >>>> >>> >>> >>>> dev_read_sysfs(systemd_resolved_t) >>>> >>>> >>>> -kernel_dgram_send(systemd_resolved_t) >>>> >>>> kernel_read_crypto_sysctls(systemd_resolved_t) >>>> kernel_read_kernel_sysctls(systemd_resolved_t) >>>> kernel_read_net_sysctls(systemd_resolved_t) >>>> >>>> diff --git a/policy/modules/system/udev.te >>>> b/policy/modules/system/udev.te >>>> index ff564280..f00de30d 100644 >>>> --- a/policy/modules/system/udev.te >>>> +++ b/policy/modules/system/udev.te >>>> @@ -99,7 +99,6 @@ kernel_read_modprobe_sysctls(udev_t) >>>> >>>> kernel_read_kernel_sysctls(udev_t) >>>> kernel_rw_hotplug_sysctls(udev_t) >>>> kernel_rw_unix_dgram_sockets(udev_t) >>>> >>>> -kernel_dgram_send(udev_t) >>>> >>>> kernel_signal(udev_t) >>>> kernel_search_debugfs(udev_t) >>>> kernel_search_key(udev_t) >>>> >>>> -- >>>> 2.20.1 >>>> >>>> >>>> >>> > > -- Chris PeBenito
On Friday, 12 April 2019 9:54:46 PM AEST Chris PeBenito wrote: > On 4/9/19 9:39 PM, Russell Coker wrote: > > Why is a socket that everything sends to labeled as kernel_t? > > > > Russell, you aren't seeing this type of access on Debian? ifdef(`init_systemd',` init_domain($1, $2) # this may be because of late labelling kernel_dgram_send($1) allow $1 init_t:unix_dgram_socket sendto; ') The above is in the upstream policy in the init_daemon_domain() interface. Not sure why. I've put in an auditallow rule and so far haven't been able to reproduce it. So we can probably remove that line. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
On 4/13/19 1:35 AM, Russell Coker wrote:
> On Friday, 12 April 2019 9:54:46 PM AEST Chris PeBenito wrote:
>> On 4/9/19 9:39 PM, Russell Coker wrote:
>>> Why is a socket that everything sends to labeled as kernel_t?
>>>
>>
>> Russell, you aren't seeing this type of access on Debian?
>
>
> ifdef(`init_systemd',`
> init_domain($1, $2)
> # this may be because of late labelling
> kernel_dgram_send($1)
>
> allow $1 init_t:unix_dgram_socket sendto;
> ')
>
> The above is in the upstream policy in the init_daemon_domain() interface.
> Not sure why.
>
> I've put in an auditallow rule and so far haven't been able to reproduce it.
> So we can probably remove that line.
>
The upstream RHEL policy sets up the attribute 'syslog_client_type', has
'typeattribute $1 syslog_client_type' in logging_send_syslog_msg ()
and then
ifdef(`hide_broken_symptoms',`
kernel_dgram_send(syslog_client_type)
')
in logging.te
Without this access, I get a RHEL system that will not boot.
I'm happy to put this in an 'ifdef distro_redhat'. Please let me know
the preference on how to proceed.
On Sunday, 14 April 2019 1:36:07 AM AEST Sugar, David wrote: > >>> Why is a socket that everything sends to labeled as kernel_t? > >> > >> Russell, you aren't seeing this type of access on Debian? > > > > > > > > > > ifdef(`init_systemd',` > > > > init_domain($1, $2) > > # this may be because of late labelling > > kernel_dgram_send($1) > > > > > > > > allow $1 init_t:unix_dgram_socket sendto; > > > > ') > > > > > > The above is in the upstream policy in the init_daemon_domain() > > interface. > > Not sure why. > > > > I've put in an auditallow rule and so far haven't been able to reproduce > > it. > > So we can probably remove that line. > > > > > Upstream RHEL is setting up the attribute 'syslog_client_type', has > 'typeattribute $1 syslog_client_type' in logging_send_syslog_msg () > > and then > ifdef(`hide_broken_symptoms',` > kernel_dgram_send(syslog_client_type) > ') > in logging.te Well they are stating that it's a symptom of brokenness... > When not allowing this access I get a RHEL system that will not boot. > I'm happy to put this in an 'ifdef distro_redhat'. Please let me know > the preference on how to proceed. Yes ifdef distro_redhat seems like a good idea. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/