From: Dominick Grift
To: Nicolas Iooss
Cc: Chris PeBenito, selinux-refpolicy@vger.kernel.org, Russell Coker
Subject: Re: [PATCH] systemd related interfaces
References: <20190104075118.GA11721@aaa.coker.com.au> <9821c420-35c9-9901-d666-7e23242f9a6e@ieee.org>
Date: Sat, 05 Jan 2019 22:49:22 +0100
In-Reply-To: (Nicolas Iooss's message of "Sat, 5 Jan 2019 22:39:55 +0100")
Message-ID: <87pnta93ml.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Nicolas Iooss writes:

> On Sat, Jan 5, 2019 at 8:39 PM Chris PeBenito wrote:
>>
>> On 1/4/19 2:51 AM, Russell Coker wrote:
>> > This patch has interface changes related to systemd support as well as policy
>> > that uses the new interfaces.
>> > [...]
>> > Index: refpolicy-2.20180701/policy/modules/system/logging.te
>> > ===================================================================
>> > --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
>> > +++ refpolicy-2.20180701/policy/modules/system/logging.te
>> > @@ -541,15 +541,19 @@ ifdef(`init_systemd',`
>> >  	dev_read_urand(syslogd_t)
>> >  	dev_write_kmsg(syslogd_t)
>> >
>> > +	domain_getattr_all_domains(syslogd_t)
>> >  	domain_read_all_domains_state(syslogd_t)
>> >
>> >  	init_create_pid_dirs(syslogd_t)
>> >  	init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
>> > +	init_getattr(syslogd_t)
>> >  	init_rename_pid_files(syslogd_t)
>> >  	init_delete_pid_files(syslogd_t)
>> >  	init_dgram_send(syslogd_t)
>> >  	init_read_pid_pipes(syslogd_t)
>> >  	init_read_state(syslogd_t)
>> > +	# for /run/systemd/units/invocation:* links
>> > +	init_read_unit_links(syslogd_t)
>> >
>> >  	systemd_manage_journal_files(syslogd_t)
>> >
>
> This change has not been merged and I see the relevant AVC on an Arch
> Linux virtual machine (using systemd 239.370):
>
> type=AVC msg=audit(1546723651.696:2091): avc: denied { read } for
> pid=240 comm="systemd-journal" name="invocation:user@1000.service"
> dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
> type=AVC msg=audit(1546723651.799:2092): avc: denied { read } for
> pid=240 comm="systemd-journal" name="invocation:dbus.service"
> dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t
> tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0

This should be ok to allow, afaik only journald reads these symlinks.

>
> What prevented init_read_unit_links(syslogd_t) from being added?
>
> Nicolas
>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
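Review bot: only the init_read_unit_links(syslogd_t) addition in this logging.te hunk is backed by evidence in the thread (the two lnk_file read denials on init_var_run_t for the /run/systemd/units/invocation:* links); the domain_getattr_all_domains(syslogd_t) and init_getattr(syslogd_t) additions carry neither a comment nor a quoted denial, so please add a one-line comment stating what each of them fixes, as was done for the invocation links, and confirm that the init_read_unit_links() interface itself is defined in the init.if part of this patch (elided as [...] above), since logging.te will not build without it.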
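The two AVC records quoted above contain everything needed to check whether a proposed policy rule actually covers a denial. The following is an added example, not code from the thread or from refpolicy: a small Python parser for kernel AVC records that groups denied permissions by (source type, target type, object class) and reports which denials a candidate allow rule would leave uncovered. The sample records are constructed to match the two quoted in the thread; the permission set attributed to init_read_unit_links() is an assumption about what that interface expands to, and should be confirmed with sesearch against the built policy.

```python
import re
from collections import defaultdict

# Two AVC records, constructed to match the ones quoted in the thread (same fields and values).
SAMPLE_AVC = """\
type=AVC msg=audit(1546723651.696:2091): avc: denied { read } for pid=240 comm="systemd-journal" name="invocation:user@1000.service" dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
type=AVC msg=audit(1546723651.799:2092): avc: denied { read } for pid=240 comm="systemd-journal" name="invocation:dbus.service" dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
"""

# Fixed part of a kernel AVC record: result, the permission set in braces, then key=value fields.
AVC_HEAD = re.compile(r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$")
# A key=value field; the value is either a quoted string or a run of non-whitespace.
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(text):
    """Return one dict per AVC record: result, perms (set) and every key=value field."""
    records = []
    for line in text.splitlines():
        m = AVC_HEAD.search(line)
        if not m:
            continue  # not an AVC record (SYSCALL, CWD, PATH lines share the same audit stream)
        rec = {"result": m.group("result"), "perms": set(m.group("perms").split())}
        for key, value in FIELD.findall(m.group("rest")):
            rec[key] = value.strip('"')
        records.append(rec)
    return records


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def summarize_denials(records):
    """Group denied permissions by (source type, target type, object class)."""
    summary = defaultdict(set)
    for rec in records:
        if rec["result"] != "denied":
            continue
        key = (type_of(rec["scontext"]), type_of(rec["tcontext"]), rec["tclass"])
        summary[key] |= rec["perms"]
    return dict(summary)


# Candidate allow rules as (source, target, class) -> permissions.  The entry below is an
# ASSUMPTION about what init_read_unit_links(syslogd_t) expands to (read_lnk_file_perms on
# init_var_run_t); verify with: sesearch -A -s syslogd_t -t init_var_run_t -c lnk_file
CANDIDATE_RULES = {
    ("syslogd_t", "init_var_run_t", "lnk_file"): {"getattr", "read"},
}


def uncovered_denials(records, rules):
    """Denials whose permissions are not all granted by the candidate rules."""
    remaining = []
    for key, perms in summarize_denials(records).items():
        missing = perms - rules.get(key, set())
        if missing:
            remaining.append((key, sorted(missing)))
    return remaining


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    for key, perms in summarize_denials(recs).items():
        print("denied:", key, sorted(perms))
    print("uncovered with candidate rules:", uncovered_denials(recs, CANDIDATE_RULES))
    print("uncovered with no new rules:", uncovered_denials(recs, {}))
```

Feeding the real audit log through parse_avc() instead of SAMPLE_AVC gives the same grouped view that audit2allow produces, but keeping the candidate rules explicit makes it obvious when a denial is already covered by an existing interface and when a new one (here init_read_unit_links) is genuinely needed.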