Re: [PATCH] Resolve some denials related to sending journal messages

[Dominick Grift <dac.override@xxxxxxxxx>]

"Sugar, David" <dsugar@xxxxxxxxxx> writes:


> On 4/7/19 8:52 PM, Chris PeBenito wrote:
>> On 4/4/19 8:29 AM, Sugar, David wrote:
>>> type=AVC msg=audit(1554324562.840:159): avc:  denied  { sendto } for  
>>> pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket" 
>>> scontext=system_u:system_r:systemd_backlight_t:s0 
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket 
>>> permissive=1
>>> type=AVC msg=audit(1554324271.863:245): avc:  denied  { sendto } for  
>>> pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket" 
>>> scontext=system_u:system_r:systemd_sessions_t:s0 
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket 
>>> permissive=0
>>> type=AVC msg=audit(1554324635.844:313): avc:  denied  { sendto } for  
>>> pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket" 
>>> scontext=system_u:system_r:lvm_t:s0 
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket 
>>> permissive=1
>>
>> I think we've reached the limit of the explicit kernel_dgram_send() 
>> and it's time to reevaluate putting this in logging_send_syslog_msg().
>>
> That makes sense.  I will submit a patch after I test a bit.  But it 
> looks like everywhere (except the systemd module) that uses 
> kernel_dgram_send() already has logging_send_syslog_msg() so once 
> kernel_dgram_send() is added to logging_send_syslog_msg(), 
> kernel_dgram_send() can removed from those domains.
>
> The exceptions are:
>
> 1) In the systemd module there isn't much use of 
> logging_send_syslog_msg().  For this case I will add 
> logging_send_syslog_msg() as required.

see:

https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/systemd.te#L410

So "systemd_log_parse_environment()" implies "logging_send_syslog_msg()"

>
> 2) In the interface init_daemon_domain(), it uses kernel_dgram_send() 
> directly, there it probably doesn't need to use 
> logging_send_syslog_msg(). This may be able to go away as modules might 
> already use logging now, I will try removing and see what breaks.
>
>>
>>> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
>>> ---
>>>   policy/modules/system/lvm.te     | 1 +
>>>   policy/modules/system/systemd.te | 4 ++++
>>>   2 files changed, 5 insertions(+)
>>>
>>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>>> index ec3b4a18..aea199d4 100644
>>> --- a/policy/modules/system/lvm.te
>>> +++ b/policy/modules/system/lvm.te
>>> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t, 
>>> lvm_metadata_t, file)
>>>   files_etc_filetrans(lvm_t, lvm_metadata_t, file)
>>>   files_search_mnt(lvm_t)
>>>   +kernel_dgram_send(lvm_t)
>>>   kernel_request_load_module(lvm_t)
>>>   kernel_get_sysvipc_info(lvm_t)
>>>   kernel_read_system_state(lvm_t)
>>> diff --git a/policy/modules/system/systemd.te 
>>> b/policy/modules/system/systemd.te
>>> index f6455f6f..541117a9 100644
>>> --- a/policy/modules/system/systemd.te
>>> +++ b/policy/modules/system/systemd.te
>>> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
>>>   # for udev.conf
>>>   files_read_etc_files(systemd_backlight_t)
>>>   +kernel_dgram_send(systemd_backlight_t)
>>> +
>>>   # for /run/udev/data/+backlight*
>>>   udev_read_pid_files(systemd_backlight_t)
>>>   @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
>>>   allow systemd_sessions_t systemd_sessions_var_run_t:file 
>>> manage_file_perms;
>>>   files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, 
>>> file)
>>>   +kernel_dgram_send(systemd_sessions_t)
>>> +
>>>   selinux_get_enforce_mode(systemd_sessions_t)
>>>   selinux_get_fs_mount(systemd_sessions_t)
>>>
>>
>>

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift