SELinux-Refpolicy Archive on lore.kernel.org
* [PATCH] Add interface xdm_run_domain
@ 2019-04-04 12:29 Sugar, David
  2019-04-04 12:29 ` [PATCH] Resolve some denials related to sending journal messages Sugar, David
  2019-04-08  0:52 ` [PATCH] Add interface xdm_run_domain Chris PeBenito
  0 siblings, 2 replies; 7+ messages in thread
From: Sugar, David @ 2019-04-04 12:29 UTC (permalink / raw)
  To: selinux-refpolicy

This interface is needed when using the various script options in
lightdm (others?) configuration file.  I'm using it with 'display-setup-script'
and 'greeter-setup-script', but I suspect the same would be useful for
'display-stopped-script', 'session-cleanup-script' and others.  In these
cases lightdm will be executing a configured script to perform some action
during the specified phase of the greeter/session.  But without this interface
there is no way to transition into a new domain to execute the action.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/xserver.if | 31 ++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)

diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index 854f3b90..2faef71d 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -734,6 +734,37 @@ interface(`xserver_relabel_console_pipes',`
 	allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto };
 ')
 
+########################################
+## <summary>
+##	Allow display manager to execute the specified program in
+##	the specified domain.
+## </summary>
+## <desc>
+##	<p>
+##	This is a interface to support the lightdm *-setup-script
+##	options.  This will allow the command run by lightdm to
+##	be run in a domain other than xdm_t.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain to execute in.
+##	</summary>
+## </param>
+## <param name="entry_file">
+##	<summary>
+##	Domain entry point file.
+##	</summary>
+## </param>
+#
+interface(`xdm_run_domain',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	domtrans_pattern(xdm_t,$2,$1)
+')
+
 ########################################
 ## <summary>
 ##	Use file descriptors for xdm.
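Review bot: the new interface lives in xserver.if but is named xdm_run_domain, while every other interface in that file carries the module prefix (xserver_relabel_console_pipes in this same hunk), so the name should take the xserver_ prefix to follow the refpolicy naming convention. Two smaller points in the doc block: `This is a interface` should read `This is an interface`, and since domtrans_pattern(xdm_t,$2,$1) also grants xdm_t execute access on the entry file, the <desc> should say so, because that is a permission the display manager gains every time a module calls this interface.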
-- 
2.20.1



* [PATCH] Resolve some denials related to sending journal messages
  2019-04-04 12:29 [PATCH] Add interface xdm_run_domain Sugar, David
@ 2019-04-04 12:29 ` Sugar, David
  2019-04-08  0:52   ` Chris PeBenito
  2019-04-08  0:52 ` [PATCH] Add interface xdm_run_domain Chris PeBenito
  1 sibling, 1 reply; 7+ messages in thread
From: Sugar, David @ 2019-04-04 12:29 UTC (permalink / raw)
  To: selinux-refpolicy

type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for  pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_backlight_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for  pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_sessions_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for  pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket" scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/lvm.te     | 1 +
 policy/modules/system/systemd.te | 4 ++++
 2 files changed, 5 insertions(+)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index ec3b4a18..aea199d4 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
 files_etc_filetrans(lvm_t, lvm_metadata_t, file)
 files_search_mnt(lvm_t)
 
+kernel_dgram_send(lvm_t)
 kernel_request_load_module(lvm_t)
 kernel_get_sysvipc_info(lvm_t)
 kernel_read_system_state(lvm_t)
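Review bot: kernel_dgram_send(lvm_t) is added without a comment, yet the denial that motivated it came from systemd-cryptsetup (comm="systemd-cryptse") running in lvm_t rather than from an lvm tool itself; a one-line comment next to the call, such as `# systemd-cryptsetup writes to the journal socket`, would keep that rationale with the rule so the next person auditing lvm_t does not have to dig the AVC record out of the archive.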
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index f6455f6f..541117a9 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
 # for udev.conf
 files_read_etc_files(systemd_backlight_t)
 
+kernel_dgram_send(systemd_backlight_t)
+
 # for /run/udev/data/+backlight*
 udev_read_pid_files(systemd_backlight_t)
 
@@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
 allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
 files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
 
+kernel_dgram_send(systemd_sessions_t)
+
 selinux_get_enforce_mode(systemd_sessions_t)
 selinux_get_fs_mount(systemd_sessions_t)
 
-- 
2.20.1



* Re: [PATCH] Resolve some denials related to sending journal messages
  2019-04-04 12:29 ` [PATCH] Resolve some denials related to sending journal messages Sugar, David
@ 2019-04-08  0:52   ` Chris PeBenito
  2019-04-08 13:33     ` Sugar, David
  0 siblings, 1 reply; 7+ messages in thread
From: Chris PeBenito @ 2019-04-08  0:52 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 4/4/19 8:29 AM, Sugar, David wrote:
> type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for  pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_backlight_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
> type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for  pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_sessions_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
> type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for  pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket" scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

I think we've reached the limit of the explicit kernel_dgram_send() and 
it's time to reevaluate putting this in logging_send_syslog_msg().


> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/lvm.te     | 1 +
>   policy/modules/system/systemd.te | 4 ++++
>   2 files changed, 5 insertions(+)
> 
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index ec3b4a18..aea199d4 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, lvm_metadata_t, file)
>   files_etc_filetrans(lvm_t, lvm_metadata_t, file)
>   files_search_mnt(lvm_t)
>   
> +kernel_dgram_send(lvm_t)
>   kernel_request_load_module(lvm_t)
>   kernel_get_sysvipc_info(lvm_t)
>   kernel_read_system_state(lvm_t)
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index f6455f6f..541117a9 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
>   # for udev.conf
>   files_read_etc_files(systemd_backlight_t)
>   
> +kernel_dgram_send(systemd_backlight_t)
> +
>   # for /run/udev/data/+backlight*
>   udev_read_pid_files(systemd_backlight_t)
>   
> @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
>   allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
>   files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>   
> +kernel_dgram_send(systemd_sessions_t)
> +
>   selinux_get_enforce_mode(systemd_sessions_t)
>   selinux_get_fs_mount(systemd_sessions_t)
>   
> 


-- 
Chris PeBenito


* Re: [PATCH] Add interface xdm_run_domain
  2019-04-04 12:29 [PATCH] Add interface xdm_run_domain Sugar, David
  2019-04-04 12:29 ` [PATCH] Resolve some denials related to sending journal messages Sugar, David
@ 2019-04-08  0:52 ` Chris PeBenito
  1 sibling, 0 replies; 7+ messages in thread
From: Chris PeBenito @ 2019-04-08  0:52 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 4/4/19 8:29 AM, Sugar, David wrote:
> This interface is needed when using the various script options in
> lightdm (others?) configuration file.  I'm using with 'display-setup-script'
> and 'greeter-setup-script', but I suspect the same would be useful for
> 'display-stopped-script', 'session-cleanup-script' and others.  In these
> cases lightdm will be executing a configured script to perform some action
> during the specified phase of the greeter/session.  But without this interface
> there is no way to transition into a new domain to execute the action.

I'm reluctant to add this "reversed" interface.  In other cases, the 
domain (init, cron, inetd, etc.) is legitimately transitioning to many 
domains.  I don't see that here.



> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/services/xserver.if | 31 ++++++++++++++++++++++++++++++
>   1 file changed, 31 insertions(+)
> 
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index 854f3b90..2faef71d 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -734,6 +734,37 @@ interface(`xserver_relabel_console_pipes',`
>   	allow $1 xconsole_device_t:fifo_file { getattr relabelfrom relabelto };
>   ')
>   
> +########################################
> +## <summary>
> +##	Allow display manager to execute the specified program in
> +##	the specified domain.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	This is a interface to support the lightdm *-setup-script
> +##	options.  This will allow the command run by lightdm to
> +##	be run in a domain other than xdm_t.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to execute in.
> +##	</summary>
> +## </param>
> +## <param name="entry_file">
> +##	<summary>
> +##	Domain entry point file.
> +##	</summary>
> +## </param>
> +#
> +interface(`xdm_run_domain',`
> +	gen_require(`
> +		type xdm_t;
> +	')
> +
> +	domtrans_pattern(xdm_t,$2,$1)
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Use file descriptors for xdm.
> 


-- 
Chris PeBenito


* Re: [PATCH] Resolve some denials related to sending journal messages
  2019-04-08  0:52   ` Chris PeBenito
@ 2019-04-08 13:33     ` Sugar, David
  2019-04-08 13:41       ` Dominick Grift
  0 siblings, 1 reply; 7+ messages in thread
From: Sugar, David @ 2019-04-08 13:33 UTC (permalink / raw)
  To: Chris PeBenito, selinux-refpolicy


On 4/7/19 8:52 PM, Chris PeBenito wrote:
> On 4/4/19 8:29 AM, Sugar, David wrote:
>> type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for  
>> pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket" 
>> scontext=system_u:system_r:systemd_backlight_t:s0 
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket 
>> permissive=1
>> type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for  
>> pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket" 
>> scontext=system_u:system_r:systemd_sessions_t:s0 
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket 
>> permissive=0
>> type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for  
>> pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket" 
>> scontext=system_u:system_r:lvm_t:s0 
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket 
>> permissive=1
>
> I think we've reached the limit of the explicit kernel_dgram_send() 
> and it's time to reevaluate putting this in logging_send_syslog_msg().
>
That makes sense.  I will submit a patch after I test a bit.  But it 
looks like everywhere (except the systemd module) that uses 
kernel_dgram_send() already has logging_send_syslog_msg() so once 
kernel_dgram_send() is added to logging_send_syslog_msg(), 
kernel_dgram_send() can be removed from those domains.

The exceptions are:

1) In the systemd module there isn't much use of 
logging_send_syslog_msg().  For this case I will add 
logging_send_syslog_msg() as required.

2) The interface init_daemon_domain() uses kernel_dgram_send() 
directly; there it probably doesn't need to use 
logging_send_syslog_msg(). This may be able to go away as modules might 
already use logging now; I will try removing it and see what breaks.

>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/system/lvm.te     | 1 +
>>   policy/modules/system/systemd.te | 4 ++++
>>   2 files changed, 5 insertions(+)
>>
>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>> index ec3b4a18..aea199d4 100644
>> --- a/policy/modules/system/lvm.te
>> +++ b/policy/modules/system/lvm.te
>> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, 
>> lvm_metadata_t, file)
>>   files_etc_filetrans(lvm_t, lvm_metadata_t, file)
>>   files_search_mnt(lvm_t)
>>   +kernel_dgram_send(lvm_t)
>>   kernel_request_load_module(lvm_t)
>>   kernel_get_sysvipc_info(lvm_t)
>>   kernel_read_system_state(lvm_t)
>> diff --git a/policy/modules/system/systemd.te 
>> b/policy/modules/system/systemd.te
>> index f6455f6f..541117a9 100644
>> --- a/policy/modules/system/systemd.te
>> +++ b/policy/modules/system/systemd.te
>> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
>>   # for udev.conf
>>   files_read_etc_files(systemd_backlight_t)
>>   +kernel_dgram_send(systemd_backlight_t)
>> +
>>   # for /run/udev/data/+backlight*
>>   udev_read_pid_files(systemd_backlight_t)
>>   @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
>>   allow systemd_sessions_t systemd_sessions_var_run_t:file 
>> manage_file_perms;
>>   files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, 
>> file)
>>   +kernel_dgram_send(systemd_sessions_t)
>> +
>>   selinux_get_enforce_mode(systemd_sessions_t)
>>   selinux_get_fs_mount(systemd_sessions_t)
>>
>
>

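The triage the patch above does by hand, and the consolidation question raised in this reply (which denials are really journal logging and so belong with logging_send_syslog_msg()), as an added Python example that is not part of the thread or of refpolicy: it parses the three AVC records quoted in the thread, maps each sendto-to-kernel_t datagram denial to the kernel_dgram_send() call the patch used, groups the results by source domain, and flags which were observed in enforcing mode and which target the journal socket. The sample records are a constructed copy of the lines quoted above, and the single mapping rule is an assumption that covers only this thread's pattern.

```python
import re
from collections import defaultdict

# Constructed sample input: the three AVC records quoted in this thread,
# each rejoined onto a single line as auditd emits them.
SAMPLE_AVC = """\
type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for  pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_backlight_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for  pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket" scontext=system_u:system_r:systemd_sessions_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=0
type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for  pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket" scontext=system_u:system_r:lvm_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
"""

JOURNAL_SOCKET = "/run/systemd/journal/socket"

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC denial into a dict; returns None for non-AVC lines."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    rec["perms"] = frozenset(m.group("perms").split())
    # The type is the third component of user:role:type[:level].
    rec["stype"] = rec["scontext"].split(":")[2]
    rec["ttype"] = rec["tcontext"].split(":")[2]
    return rec


def suggest_interface(rec):
    """Return the refpolicy interface call that covers this denial.

    Assumption: only the pattern this thread deals with is mapped, a sendto
    on a unix_dgram_socket whose peer is labelled kernel_t. Anything else
    returns None so it is reviewed by hand rather than allowed blindly."""
    if (rec["tclass"] == "unix_dgram_socket"
            and rec["perms"] == {"sendto"}
            and rec["ttype"] == "kernel_t"):
        return f"kernel_dgram_send({rec['stype']})"
    return None


def triage(text):
    """Group denials by source domain and return (report, unmapped_lines).

    Each report entry carries the interface calls needed plus two flags a
    reviewer wants: was the denial seen in enforcing mode (permissive=0),
    and is the peer the journal socket, i.e. really logging traffic that
    the thread proposes folding into logging_send_syslog_msg() instead."""
    report = defaultdict(lambda: {"interfaces": set(), "enforcing": False,
                                  "journal_logging": False})
    unmapped = []
    for line in text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        iface = suggest_interface(rec)
        if iface is None:
            unmapped.append(line)
            continue
        entry = report[rec["stype"]]
        entry["interfaces"].add(iface)
        entry["enforcing"] |= rec.get("permissive") == "0"
        entry["journal_logging"] |= rec.get("path") == JOURNAL_SOCKET
    return dict(report), unmapped


if __name__ == "__main__":
    report, unmapped = triage(SAMPLE_AVC)
    for domain, entry in sorted(report.items()):
        for iface in sorted(entry["interfaces"]):
            flag = "  # blocked in enforcing mode" if entry["enforcing"] else ""
            print(f"{iface}{flag}")
        if entry["journal_logging"]:
            print(f"# {domain}: journal socket; consider logging_send_syslog_msg()")
    for line in unmapped:
        print("# unmapped, review by hand: " + line)
```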

* Re: [PATCH] Resolve some denials related to sending journal messages
  2019-04-08 13:33     ` Sugar, David
@ 2019-04-08 13:41       ` Dominick Grift
  2019-04-08 13:56         ` Sugar, David
  0 siblings, 1 reply; 7+ messages in thread
From: Dominick Grift @ 2019-04-08 13:41 UTC (permalink / raw)
  To: Sugar, David; +Cc: Chris PeBenito, selinux-refpolicy

"Sugar, David" <dsugar@tresys.com> writes:


> On 4/7/19 8:52 PM, Chris PeBenito wrote:
>> On 4/4/19 8:29 AM, Sugar, David wrote:
>>> type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for  
>>> pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket" 
>>> scontext=system_u:system_r:systemd_backlight_t:s0 
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket 
>>> permissive=1
>>> type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for  
>>> pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket" 
>>> scontext=system_u:system_r:systemd_sessions_t:s0 
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket 
>>> permissive=0
>>> type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for  
>>> pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket" 
>>> scontext=system_u:system_r:lvm_t:s0 
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket 
>>> permissive=1
>>
>> I think we've reached the limit of the explicit kernel_dgram_send() 
>> and it's time to reevaluate putting this in logging_send_syslog_msg().
>>
> That makes sense.  I will submit a patch after I test a bit.  But it 
> looks like everywhere (except the systemd module) that uses 
> kernel_dgram_send() already has logging_send_syslog_msg() so once 
> kernel_dgram_send() is added to logging_send_syslog_msg(), 
> kernel_dgram_send() can removed from those domains.
>
> The exceptions are:
>
> 1) In the systemd module there isn't much use of 
> logging_send_syslog_msg().  For this case I will add 
> logging_send_syslog_msg() as required.

see:

https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/systemd.te#L410

So "systemd_log_parse_environment()" implies "logging_send_syslog_msg()"

>
> 2) In the interface init_daemon_domain(), it uses kernel_dgram_send() 
> directly, there it probably doesn't need to use 
> logging_send_syslog_msg(). This may be able to go away as modules might 
> already use logging now, I will try removing and see what breaks.
>
>>
>>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>>> ---
>>>   policy/modules/system/lvm.te     | 1 +
>>>   policy/modules/system/systemd.te | 4 ++++
>>>   2 files changed, 5 insertions(+)
>>>
>>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>>> index ec3b4a18..aea199d4 100644
>>> --- a/policy/modules/system/lvm.te
>>> +++ b/policy/modules/system/lvm.te
>>> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, 
>>> lvm_metadata_t, file)
>>>   files_etc_filetrans(lvm_t, lvm_metadata_t, file)
>>>   files_search_mnt(lvm_t)
>>>   +kernel_dgram_send(lvm_t)
>>>   kernel_request_load_module(lvm_t)
>>>   kernel_get_sysvipc_info(lvm_t)
>>>   kernel_read_system_state(lvm_t)
>>> diff --git a/policy/modules/system/systemd.te 
>>> b/policy/modules/system/systemd.te
>>> index f6455f6f..541117a9 100644
>>> --- a/policy/modules/system/systemd.te
>>> +++ b/policy/modules/system/systemd.te
>>> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
>>>   # for udev.conf
>>>   files_read_etc_files(systemd_backlight_t)
>>>   +kernel_dgram_send(systemd_backlight_t)
>>> +
>>>   # for /run/udev/data/+backlight*
>>>   udev_read_pid_files(systemd_backlight_t)
>>>   @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
>>>   allow systemd_sessions_t systemd_sessions_var_run_t:file 
>>> manage_file_perms;
>>>   files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, 
>>> file)
>>>   +kernel_dgram_send(systemd_sessions_t)
>>> +
>>>   selinux_get_enforce_mode(systemd_sessions_t)
>>>   selinux_get_fs_mount(systemd_sessions_t)
>>>
>>
>>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* Re: [PATCH] Resolve some denials related to sending journal messages
  2019-04-08 13:41       ` Dominick Grift
@ 2019-04-08 13:56         ` Sugar, David
  0 siblings, 0 replies; 7+ messages in thread
From: Sugar, David @ 2019-04-08 13:56 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux-refpolicy



On 4/8/19 9:41 AM, Dominick Grift wrote:
> "Sugar, David" <dsugar@tresys.com> writes:
> 
> 
>> On 4/7/19 8:52 PM, Chris PeBenito wrote:
>>> On 4/4/19 8:29 AM, Sugar, David wrote:
>>>> type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for
>>>> pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket"
>>>> scontext=system_u:system_r:systemd_backlight_t:s0
>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>>> permissive=1
>>>> type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for
>>>> pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket"
>>>> scontext=system_u:system_r:systemd_sessions_t:s0
>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>>> permissive=0
>>>> type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for
>>>> pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket"
>>>> scontext=system_u:system_r:lvm_t:s0
>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>>> permissive=1
>>>
>>> I think we've reached the limit of the explicit kernel_dgram_send()
>>> and it's time to reevaluate putting this in logging_send_syslog_msg().
>>>
>> That makes sense.  I will submit a patch after I test a bit.  But it
>> looks like everywhere (except the systemd module) that uses
>> kernel_dgram_send() already has logging_send_syslog_msg() so once
>> kernel_dgram_send() is added to logging_send_syslog_msg(),
>> kernel_dgram_send() can removed from those domains.
>>
>> The exceptions are:
>>
>> 1) In the systemd module there isn't much use of
>> logging_send_syslog_msg().  For this case I will add
>> logging_send_syslog_msg() as required.
> 
> see:
> 
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/systemd.te#L410
> 
> So "systemd_log_parse_environment()" implies "logging_send_syslog_msg()"
> 

Thanks for that, I hadn't noticed.

>>
>> 2) In the interface init_daemon_domain(), it uses kernel_dgram_send()
>> directly, there it probably doesn't need to use
>> logging_send_syslog_msg(). This may be able to go away as modules might
>> already use logging now, I will try removing and see what breaks.
>>

Initial testing is showing this can be removed with no negative side 
effect (at least for the domains I'm using).  I will continue testing 
before submitting a patch.

>>>
>>>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>>>> ---
>>>>    policy/modules/system/lvm.te     | 1 +
>>>>    policy/modules/system/systemd.te | 4 ++++
>>>>    2 files changed, 5 insertions(+)
>>>>
>>>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>>>> index ec3b4a18..aea199d4 100644
>>>> --- a/policy/modules/system/lvm.te
>>>> +++ b/policy/modules/system/lvm.te
>>>> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t,
>>>> lvm_metadata_t, file)
>>>>    files_etc_filetrans(lvm_t, lvm_metadata_t, file)
>>>>    files_search_mnt(lvm_t)
>>>>    +kernel_dgram_send(lvm_t)
>>>>    kernel_request_load_module(lvm_t)
>>>>    kernel_get_sysvipc_info(lvm_t)
>>>>    kernel_read_system_state(lvm_t)
>>>> diff --git a/policy/modules/system/systemd.te
>>>> b/policy/modules/system/systemd.te
>>>> index f6455f6f..541117a9 100644
>>>> --- a/policy/modules/system/systemd.te
>>>> +++ b/policy/modules/system/systemd.te
>>>> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
>>>>    # for udev.conf
>>>>    files_read_etc_files(systemd_backlight_t)
>>>>    +kernel_dgram_send(systemd_backlight_t)
>>>> +
>>>>    # for /run/udev/data/+backlight*
>>>>    udev_read_pid_files(systemd_backlight_t)
>>>>    @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
>>>>    allow systemd_sessions_t systemd_sessions_var_run_t:file
>>>> manage_file_perms;
>>>>    files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t,
>>>> file)
>>>>    +kernel_dgram_send(systemd_sessions_t)
>>>> +
>>>>    selinux_get_enforce_mode(systemd_sessions_t)
>>>>    selinux_get_fs_mount(systemd_sessions_t)
>>>>
>>>
>>>
> 

