On Sun, Jan 6, 2019 at 8:14 PM Chris PeBenito <pebenito@xxxxxxxx> wrote:
>
> On 1/5/19 4:49 PM, Dominick Grift wrote:
> > Nicolas Iooss <nicolas.iooss@xxxxxxx> writes:
> >
> >> On Sat, Jan 5, 2019 at 8:39 PM Chris PeBenito <pebenito@xxxxxxxx> wrote:
> >>>
> >>> On 1/4/19 2:51 AM, Russell Coker wrote:
> >>>> This patch has interface changes related to systemd support as well as policy
> >>>> that uses the new interfaces.
> >>>> [...]
> >>>> Index: refpolicy-2.20180701/policy/modules/system/logging.te
> >>>> ===================================================================
> >>>> --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
> >>>> +++ refpolicy-2.20180701/policy/modules/system/logging.te
> >>>> @@ -541,15 +541,19 @@ ifdef(`init_systemd',`
> >>>> dev_read_urand(syslogd_t)
> >>>> dev_write_kmsg(syslogd_t)
> >>>>
> >>>> + domain_getattr_all_domains(syslogd_t)
> >>>> domain_read_all_domains_state(syslogd_t)
> >>>>
> >>>> init_create_pid_dirs(syslogd_t)
> >>>> init_daemon_pid_file(syslogd_var_run_t, dir, "syslogd")
> >>>> + init_getattr(syslogd_t)
> >>>> init_rename_pid_files(syslogd_t)
> >>>> init_delete_pid_files(syslogd_t)
> >>>> init_dgram_send(syslogd_t)
> >>>> init_read_pid_pipes(syslogd_t)
> >>>> init_read_state(syslogd_t)
> >>>> + # for /run/systemd/units/invocation:* links
> >>>> + init_read_unit_links(syslogd_t)
> >>>>
> >>>> systemd_manage_journal_files(syslogd_t)
> >>>>
> >>
> >> This change has not been merged and I see the relevant AVC on an Arch
> >> Linux virtual machine (using systemd 239.370):
> >>
> >> type=AVC msg=audit(1546723651.696:2091): avc: denied { read } for
> >> pid=240 comm="systemd-journal" name="invocation:user@1000.service"
> >> dev="tmpfs" ino=17614 scontext=system_u:system_r:syslogd_t
> >> tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
> >> type=AVC msg=audit(1546723651.799:2092): avc: denied { read } for
> >> pid=240 comm="systemd-journal" name="invocation:dbus.service"
> >> dev="tmpfs" ino=12542 scontext=system_u:system_r:syslogd_t
> >> tcontext=system_u:object_r:init_var_run_t tclass=lnk_file permissive=0
> >
> > This should be ok to allow, afaik only journald reads these
> > symlinks.
> >
> >>
> >> What prevented init_read_unit_links(syslogd_t) from being added?
>
> I missed putting in my reason in the previous email. Your denial is for
> init_var_run_t:lnk_file access and the change was for
> systemd_unit_t:lnk_file. What you're seeing makes more sense to me. As
> far as I can tell, there should be no systemd_unit_t symlinks, and I'd
> prefer to keep it that way, if possible.

The search_dirs_pattern($1, init_var_run_t, systemd_unit_t) was indeed not useful here.
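Review bot: the comment above `init_read_unit_links(syslogd_t)` says the call is for the /run/systemd/units/invocation:* links, but the denials quoted further down in this thread show those symlinks with the target type init_var_run_t, not systemd_unit_t, so an interface that only grants read on systemd_unit_t:lnk_file will not cover them; either the interface should target init_var_run_t lnk_file under /run/systemd/units, or the comment should state which label it expects the links to carry. The two other additions in the hunk, `domain_getattr_all_domains(syslogd_t)` and `init_getattr(syslogd_t)`, carry no comment saying which journald operation needs them; a one-line note like the one on the unit-links call would help the next reviewer.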
I have created a Pull Request fixing this on
https://github.com/SELinuxProject/refpolicy/pull/17 .

By the way, I do pull requests because I find them simpler to handle from
my side (because I have too many emails in my inbox), but if you prefer
that I post the patches on the list, I can do that instead. It would be
useful for the project to have a CONTRIBUTING file describing the
preferred way of sending patches or reporting issues, or to have such
information in the README file.

Thanks,
Nicolas
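The mismatch discussed above (a denial on init_var_run_t:lnk_file versus an interface aimed at systemd_unit_t:lnk_file) can be checked mechanically. This is an added example, not code from the thread or from refpolicy: it parses the two AVC lines quoted in the message and tests them against hand-written allow-rule lists; the `rules_targeting_*` functions are hypothetical stand-ins for the two target types the thread contrasts, not the bodies of the real interfaces.

```python
import re

# The two AVC lines quoted in the thread above (copied from the message, not constructed).
AVC_LINES = [
    'type=AVC msg=audit(1546723651.696:2091): avc: denied { read } for pid=240 '
    'comm="systemd-journal" name="invocation:user@1000.service" dev="tmpfs" ino=17614 '
    'scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t '
    'tclass=lnk_file permissive=0',
    'type=AVC msg=audit(1546723651.799:2092): avc: denied { read } for pid=240 '
    'comm="systemd-journal" name="invocation:dbus.service" dev="tmpfs" ino=12542 '
    'scontext=system_u:system_r:syslogd_t tcontext=system_u:object_r:init_var_run_t '
    'tclass=lnk_file permissive=0',
]

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def parse_avc(line):
    """Return (source type, target type, class, set of perms) for one denial, else None."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    stype = m.group("scontext").split(":")[2]  # user:role:type[:range] -> type
    ttype = m.group("tcontext").split(":")[2]
    return stype, ttype, m.group("tclass"), set(m.group("perms").split())

# Hypothetical stand-ins for what an interface expands to: lists of
# (source type, target type, class, perms) allow rules. These are NOT the real
# refpolicy interface bodies, only the two target types the thread contrasts.
def rules_targeting_systemd_unit_t(domain):
    return [(domain, "systemd_unit_t", "lnk_file", {"read", "getattr"})]

def rules_targeting_init_var_run_t(domain):
    return [(domain, "init_var_run_t", "lnk_file", {"read", "getattr"})]

def uncovered_denials(avc_lines, rules):
    """Return the parsed denials that none of the given allow rules would permit."""
    uncovered = []
    for line in avc_lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue
        stype, ttype, tclass, perms = parsed
        allowed = any(s == stype and t == ttype and c == tclass and perms <= p
                      for s, t, c, p in rules)
        if not allowed:
            uncovered.append(parsed)
    return uncovered
```

Running `uncovered_denials(AVC_LINES, rules_targeting_systemd_unit_t("syslogd_t"))` leaves both denials uncovered, while the init_var_run_t variant covers them, which is the point Chris makes above.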