Re: [PATCH] systemd related interfaces

[Chris PeBenito <pebenito@xxxxxxxx>]

On 1/5/19 4:49 PM, Dominick Grift wrote:
> Nicolas Iooss <nicolas.iooss@xxxxxxx> writes:
>
> > On Sat, Jan 5, 2019 at 8:39 PM Chris PeBenito <pebenito@xxxxxxxx> wrote:
> > > On 1/4/19 2:51 AM, Russell Coker wrote:
> > > > This patch has interface changes related to systemd support as well as policy
> > > > that uses the new interfaces.
> > > > [...]
> > > > Index: refpolicy-2.20180701/policy/modules/system/logging.te
> > > > ===================================================================
> > > > --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
> > > > +++ refpolicy-2.20180701/policy/modules/system/logging.te
> > > > @@ -541,15 +541,19 @@ ifdef(`init_systemd',`
> > > >        dev_read_urand(syslogd_t)
> > > >        dev_write_kmsg(syslogd_t)
> > > >
> > > > +     domain_getattr_all_domains(syslogd_t)
> > > >        domain_read_all_domains_state(syslogd_t)
> > > >
> > > >        init_create_pid_dirs(syslogd_t)
> > > >        init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
> > > > +     init_getattr(syslogd_t)
> > > >        init_rename_pid_files(syslogd_t)
> > > >        init_delete_pid_files(syslogd_t)
> > > >        init_dgram_send(syslogd_t)
> > > >        init_read_pid_pipes(syslogd_t)
> > > >        init_read_state(syslogd_t)
> > > > +     # for /run/systemd/units/invocation:* links
> > > > +     init_read_unit_links(syslogd_t)
> > > >
> > > >        systemd_manage_journal_files(syslogd_t)
> >
> > This change has not been merged and I see the relevant AVC on an Arch
> > Linux virtual machine (using systemd 239.370):
> >
> > type=AVC msg=audit(1546723651.696:2091): avc:  denied  { read } for
> > pid=240 comm="systemd-journal" name="invocation:user@1000.service"
> > dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t
> > tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
> > type=AVC msg=audit(1546723651.799:2092): avc:  denied  { read } for
> > pid=240 comm="systemd-journal" name="invocation:dbus.service"
> > dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t
> > tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
>
> This should be ok to allow, afaik only journald reads these
> symlinks.
>
> > What prevented init_read_unit_links(syslogd_t) from being added?

I missed putting in my reason in the previous email.  Your denial is for 
init_var_run_t:lnk_file access and the change was for 
systemd_unit_t:lnk_file.  What you're seeing makes more sense to me.  As 
far as I can tell, there should be no systemd_unit_t symlinks, and I'd 
prefer to keep it that way, if possible.

--
Chris PeBenito