selinux-refpolicy.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Sugar, David" <dsugar@tresys.com>
To: Russell Coker <russell@coker.com.au>
Cc: "selinux-refpolicy@vger.kernel.org"  <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH 3/3] Some items that seem they can be dontaudited for plymouthd
Date: Sat, 13 Apr 2019 03:26:06 +0000	[thread overview]
Message-ID: <a539292f-7396-acb3-cb5e-e3415d5cf861@tresys.com> (raw)
In-Reply-To: <2319520.MOiGnKPAe5@liv>



On 4/12/19 10:33 PM, Russell Coker wrote:
> What is netlink_kobject_uevent_socket?  Do we have a place we can document
> this sort of thing to make it easier to determine whether access is required
> and what the implications of such access are?
> 

I'm really not sure either.  But, please note, that this patch is 
dontaudit rules to quiet some denials that didn't seem to have any 
negative side effect.  If this patch isn't applied things will still 
function, just have some entries in the audit logs.

> On Saturday, 13 April 2019 5:39:32 AM AEST Sugar, David wrote:
>> type=AVC msg=audit(1554983723.772:784): avc:  denied  { create } for
>> pid=8123 comm="plymouthd" scontext=system_u:system_r:plymouthd_t:s0
>> tcontext=system_u:system_r:plymouthd_t:s0
>> tclass=netlink_kobject_uevent_socket permissive=0
>   
>> type=AVC msg=audit(1555070131.882:1648): avc:  denied  { getattr } for
>> pid=8634 comm="plymouthd" path="/run/udev/data/c226:0" dev="tmpfs"
>> ino=29946 scontext=system_u:system_r:plymouthd_t:s0
>> tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1555070131.903:1652): avc:  denied  { open } for
>> pid=8634 comm="plymouthd" path="/run/udev/data/+drm:card0-DP-1" dev="tmpfs"
>> ino=31856 scontext=system_u:system_r:plymouthd_t:s0
>> tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
>> type=AVC msg=audit(1555070131.903:1652): avc:  denied  { read } for
>> pid=8634 comm="plymouthd" name="+drm:card0-DP-1" dev="tmpfs" ino=31856
>> scontext=system_u:system_r:plymouthd_t:s0
>> tcontext=system_u:object_r:udev_var_run_t:s0 tclass=file permissive=1
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/services/plymouthd.te | 5 +++++
>>   1 file changed, 5 insertions(+)
>>
>> diff --git a/policy/modules/services/plymouthd.te
>> b/policy/modules/services/plymouthd.te
>   index 835ee035..6352375d 100644
>> --- a/policy/modules/services/plymouthd.te
>> +++ b/policy/modules/services/plymouthd.te
>> @@ -38,6 +38,7 @@ dontaudit plymouthd_t self:capability dac_override;
>>   allow plymouthd_t self:capability2 block_suspend;
>>   allow plymouthd_t self:process { signal getsched };
>>   allow plymouthd_t self:fifo_file rw_fifo_file_perms;
>> +dontaudit plymouthd_t self:netlink_kobject_uevent_socket create;
>>   allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
>>   
>>   manage_dirs_pattern(plymouthd_t, plymouthd_spool_t, plymouthd_spool_t)
>> @@ -87,6 +88,10 @@ optional_policy(`
>>   	gnome_read_generic_home_content(plymouthd_t)
>>   ')
>>   
>> +optional_policy(`
>> +	udev_dontaudit_rw_pid_files(plymouthd_t)
>> +')
>> +
>>   optional_policy(`
>>   	sssd_stream_connect(plymouthd_t)
>>   ')
>> -- 
>> 2.20.1
>>
> 
> 

  reply	other threads:[~2019-04-13  3:26 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-04-12 19:39 [PATCH 0/3] Resolve issues with plymouth in enforcing Sugar, David
2019-04-12 19:39 ` [PATCH 1/3] Allow xdm (lightdm) execute plymouth Sugar, David
2019-04-17  2:49   ` Sugar, David
2019-04-23 22:31   ` Chris PeBenito
2019-04-12 19:39 ` [PATCH 2/3] Changes to support plymouth working in enforcing Sugar, David
2019-04-13  2:43   ` Russell Coker
2019-04-13  3:23     ` Sugar, David
2019-04-13  4:24       ` Russell Coker
2019-04-13  7:51         ` Dominick Grift
2019-04-17  2:51           ` Sugar, David
2019-04-23 22:31   ` Chris PeBenito
2019-04-12 19:39 ` [PATCH 3/3] Some items that seem they can be dontaudited for plymouthd Sugar, David
2019-04-13  2:33   ` Russell Coker
2019-04-13  3:26     ` Sugar, David [this message]
2019-04-13  4:24       ` Russell Coker
2019-04-13  7:54         ` Dominick Grift
2019-04-17  2:53           ` Sugar, David
2019-04-14 17:49     ` Chris PeBenito

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a539292f-7396-acb3-cb5e-e3415d5cf861@tresys.com \
    --to=dsugar@tresys.com \
    --cc=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).