On 4/8/19 9:41 AM, Dominick Grift wrote:
> "Sugar, David" <dsugar@xxxxxxxxxx> writes:
>
>
>> On 4/7/19 8:52 PM, Chris PeBenito wrote:
>>> On 4/4/19 8:29 AM, Sugar, David wrote:
>>>> type=AVC msg=audit(1554324562.840:159): avc: denied { sendto } for
>>>> pid=7277 comm="systemd-backlig" path="/run/systemd/journal/socket"
>>>> scontext=system_u:system_r:systemd_backlight_t:s0
>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>>> permissive=1
>>>> type=AVC msg=audit(1554324271.863:245): avc: denied { sendto } for
>>>> pid=7421 comm="systemd-user-se" path="/run/systemd/journal/socket"
>>>> scontext=system_u:system_r:systemd_sessions_t:s0
>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>>> permissive=0
>>>> type=AVC msg=audit(1554324635.844:313): avc: denied { sendto } for
>>>> pid=7744 comm="systemd-cryptse" path="/run/systemd/journal/socket"
>>>> scontext=system_u:system_r:lvm_t:s0
>>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>>> permissive=1
>>>
>>> I think we've reached the limit of the explicit kernel_dgram_send()
>>> and it's time to reevaluate putting this in logging_send_syslog_msg().
>>>
>> That makes sense. I will submit a patch after I test a bit. But it
>> looks like everywhere (except the systemd module) that uses
>> kernel_dgram_send() already has logging_send_syslog_msg() so once
>> kernel_dgram_send() is added to logging_send_syslog_msg(),
>> kernel_dgram_send() can removed from those domains.
>>
>> The exceptions are:
>>
>> 1) In the systemd module there isn't much use of
>> logging_send_syslog_msg(). For this case I will add
>> logging_send_syslog_msg() as required.
>
> see:
>
> https://github.com/SELinuxProject/refpolicy/blob/master/policy/modules/system/systemd.te#L410
>
> So "systemd_log_parse_environment()" implies "logging_send_syslog_msg()"
>
Thanks for that, I hadn't noticed.
>>
>> 2) In the interface init_daemon_domain(), it uses kernel_dgram_send()
>> directly, there it probably doesn't need to use
>> logging_send_syslog_msg(). This may be able to go away as modules might
>> already use logging now, I will try removing and see what breaks.
>>
Initial testing is showing this can be removed with no negative side
effect (at least for the domains I'm using). I will continue testing
before submitting a patch.
>>>
>>>> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
>>>> ---
>>>> policy/modules/system/lvm.te | 1 +
>>>> policy/modules/system/systemd.te | 4 ++++
>>>> 2 files changed, 5 insertions(+)
>>>>
>>>> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
>>>> index ec3b4a18..aea199d4 100644
>>>> --- a/policy/modules/system/lvm.te
>>>> +++ b/policy/modules/system/lvm.te
>>>> @@ -222,6 +222,7 @@ filetrans_pattern(lvm_t, lvm_etc_t,
>>>> lvm_metadata_t, file)
>>>> files_etc_filetrans(lvm_t, lvm_metadata_t, file)
>>>> files_search_mnt(lvm_t)
>>>> +kernel_dgram_send(lvm_t)
>>>> kernel_request_load_module(lvm_t)
>>>> kernel_get_sysvipc_info(lvm_t)
>>>> kernel_read_system_state(lvm_t)
>>>> diff --git a/policy/modules/system/systemd.te
>>>> b/policy/modules/system/systemd.te
>>>> index f6455f6f..541117a9 100644
>>>> --- a/policy/modules/system/systemd.te
>>>> +++ b/policy/modules/system/systemd.te
>>>> @@ -228,6 +228,8 @@ dev_rw_sysfs(systemd_backlight_t)
>>>> # for udev.conf
>>>> files_read_etc_files(systemd_backlight_t)
>>>> +kernel_dgram_send(systemd_backlight_t)
>>>> +
>>>> # for /run/udev/data/+backlight*
>>>> udev_read_pid_files(systemd_backlight_t)
>>>> @@ -981,6 +983,8 @@ allow systemd_sessions_t self:process setfscreate;
>>>> allow systemd_sessions_t systemd_sessions_var_run_t:file
>>>> manage_file_perms;
>>>> files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t,
>>>> file)
>>>> +kernel_dgram_send(systemd_sessions_t)
>>>> +
>>>> selinux_get_enforce_mode(systemd_sessions_t)
>>>> selinux_get_fs_mount(systemd_sessions_t)
>>>>
>>>
>>>
>
