SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: "Sugar, David" <dsugar@tresys.com>
To: Russell Coker <russell@coker.com.au>
Cc: "selinux-refpolicy@vger.kernel.org"  <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH 3/3] Some items that seem they can be dontaudited for plymouthd
Date: Sat, 13 Apr 2019 03:26:06 +0000
Message-ID: <a539292f-7396-acb3-cb5e-e3415d5cf861@tresys.com> (raw)
In-Reply-To: <2319520.MOiGnKPAe5@liv>



On 4/12/19 10:33 PM, Russell Coker wrote:
> What is netlink_kobject_uevent_socket?  Do we have a place we can document
> this sort of thing to make it easier to determine whether access is required
> and what the implications of such access are?
> 

I'm really not sure either.  But, please note, that this patch is 
dontaudit rules to quiet some denials that didn't seem to have any 
negative side effect.  If this patch isn't applied things will still 
function, just have some entries in the audit logs.

> On Saturday, 13 April 2019 5:39:32 AM AEST Sugar, David wrote:
>> type=AVC msg=audit(1554983723.772:784): avc:  denied  { create } for
>> pid=8123 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0
>> tcontext=system_u:system_r:plymouthd_t:s0
>> tclass=netlink_kobject_uevent_socket permissive=0
>   
>> type=AVC msg=audit(1555070131.882:1648): avc:  denied  { getattr } for
>> pid=8634 comm="plymouthd" path="/run/udev/data/c226:0" dev="tmpfs"
>> ino=29946 scontext=system_u:system_r:plymouthd_t:s0
>> tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1555070131.903:1652): avc:  denied  { open } for
>> pid=8634 comm="plymouthd" path="/run/udev/data/+drm:card0-DP-1" dev="tmpfs"
>> ino=31856 scontext=system_u:system_r:plymouthd_t:s0
>> tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1555070131.903:1652): avc:  denied  { read } for
>> pid=8634 comm="plymouthd" name="+drm:card0-DP-1" dev="tmpfs" ino=31856
>> scontext=system_u:system_r:plymouthd_t:s0
>> tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/services/plymouthd.te | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/policy/modules/services/plymouthd.te
>> b/policy/modules/services/plymouthd.te
>   index 835ee035..6352375d 100644
>> --- a/policy/modules/services/plymouthd.te
>> +++ b/policy/modules/services/plymouthd.te
>> @@ -38,6 +38,7 @@ dontaudit plymouthd_t self:capability dac_override;
>>   allow plymouthd_t self:capability2 block_suspend;
>>   allow plymouthd_t self:process { signal getsched };
>>   allow plymouthd_t self:fifo_file rw_fifo_file_perms;
>> +dontaudit plymouthd_t self:netlink_kobject_uevent_socket create;
>>   allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
>>   
>>   manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
>> @@ -87,6 +88,10 @@ optional_policy(`
>>   	gnome_read_generic_home_content(plymouthd_t)
>>   ')
>>   
>> +optional_policy(`
>> +	udev_dontaudit_rw_pid_files(plymouthd_t)
>> +')
>> +
>>   optional_policy(`
>>   	sssd_stream_connect(plymouthd_t)
>>   ')
>> -- 
>> 2.20.1
>>
> 
> 

  reply index

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-12 19:39 [PATCH 0/3] Resolve issues with plymouth in enforcing Sugar, David
2019-04-12 19:39 ` [PATCH 1/3] Allow xdm (lightdm) execute plymouth Sugar, David
2019-04-17  2:49   ` Sugar, David
2019-04-23 22:31   ` Chris PeBenito
2019-04-12 19:39 ` [PATCH 2/3] Changes to support plymouth working in enforcing Sugar, David
2019-04-13  2:43   ` Russell Coker
2019-04-13  3:23     ` Sugar, David
2019-04-13  4:24       ` Russell Coker
2019-04-13  7:51         ` Dominick Grift
2019-04-17  2:51           ` Sugar, David
2019-04-23 22:31   ` Chris PeBenito
2019-04-12 19:39 ` [PATCH 3/3] Some items that seem they can be dontaudited for plymouthd Sugar, David
2019-04-13  2:33   ` Russell Coker
2019-04-13  3:26     ` Sugar, David [this message]
2019-04-13  4:24       ` Russell Coker
2019-04-13  7:54         ` Dominick Grift
2019-04-17  2:53           ` Sugar, David
2019-04-14 17:49     ` Chris PeBenito

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a539292f-7396-acb3-cb5e-e3415d5cf861@tresys.com \
    --to=dsugar@tresys.com \
    --cc=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox