[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/

["Jason Zaman" <perfinion@gentoo.org>]

commit:     4ca347319929cb5a24faf7eb587cabda640f28bd
Author:     Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Thu Aug 13 06:44:22 2020 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4ca34731

Allow use of systemd UNIX sockets created at initrd execution

Systemd uses a number of UNIX sockets for communication (notify
socket [1], journald socket). These sockets are normally created at
start-up after the SELinux policy is loaded, which means that the
kernel socket objects have proper security contexts of the creating
processes.

Unfortunately things look different when the system is started with an
initrd that is also running systemd (e.g. dracut). In such case the
sockets are created in the initrd systemd environment before the
SELinux policy is loaded and therefore the socket object is assigned
the default kernel context (system_u:system_r:kernel_t). When the
initrd systemd transfers control to the main systemd the notify socket
descriptors are passed to the main systemd process [2]. This means
that when the main system is running the sockets will use the default
kernel securint context until they are recreated, which for some
sockets (notify socket) never happens.

Until there is a way to change the context of an already open socket
object all processes, that wish to use systemd sockets need to be
able to send datagrams to system_u:system_r:kernel_t sockets.

Parts of this workaround were earlier hidden behind RedHat-specific
rules, since this distribution is the prime user of systemd+dracut
combo. Since other distros may want to use similar configuration it
makes sense to enable this globally.

[1] sd_notify(3)
[2] https://github.com/systemd/systemd/issues/16714

Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>

tmp

Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>

 policy/modules/kernel/kernel.if  | 18 ++++++++++++++++++
 policy/modules/system/init.te    |  5 +++++
 policy/modules/system/logging.if |  5 ++---
 policy/modules/system/logging.te |  7 ++++---
 4 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index ebd73aca..18002e67 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -365,6 +365,24 @@ interface(`kernel_dgram_send',`
 	allow $1 kernel_t:unix_dgram_socket sendto;
 ')
 
+########################################
+## <summary>
+##	Send messages to kernel netlink audit sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_netlink_audit_sockets',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:netlink_audit_socket { rw_netlink_socket_perms };
+')
+
 ########################################
 ## <summary>
 ##	Allows caller to load kernel modules

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ba82d84a..f711e535 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -312,6 +312,8 @@ ifdef(`init_systemd',`
 	kernel_setsched(init_t)
 	kernel_link_key(init_t)
 	kernel_rw_unix_sysctls(init_t)
+	kernel_rw_stream_sockets(init_t)
+	kernel_rw_unix_dgram_sockets(init_t)
 
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
@@ -1032,6 +1034,9 @@ ifdef(`init_systemd',`
 	allow initrc_t systemdunit:service reload;
 	allow initrc_t init_script_file_type:service { stop start status reload };
 
+	# Access to notify socket for services with Type=notify
+	kernel_dgram_send(initrc_t)
+
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
 	# done in traditional sysvinit/upstart.

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 0f6efef8..e3851303 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -681,10 +681,9 @@ interface(`logging_send_syslog_msg',`
 		# Allow systemd-journald to check whether the process died
 		allow syslogd_t $1:process signull;
 
-		ifdef(`distro_redhat',`
-			kernel_dgram_send($1)
-		')
+		kernel_dgram_send($1)
 	')
+
 ')
 
 ########################################

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index fb0fe124..a6868af0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -501,9 +501,6 @@ auth_use_nsswitch(syslogd_t)
 
 init_use_fds(syslogd_t)
 
-# cjp: this doesnt make sense
-logging_send_syslog_msg(syslogd_t)
-
 miscfiles_read_localization(syslogd_t)
 
 seutil_read_config(syslogd_t)
@@ -525,6 +522,7 @@ ifdef(`init_systemd',`
 	kernel_read_ring_buffer(syslogd_t)
 	kernel_rw_stream_sockets(syslogd_t)
 	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_rw_netlink_audit_sockets(syslogd_t)
 	kernel_use_fds(syslogd_t)
 
 	dev_read_kmsg(syslogd_t)
@@ -544,6 +542,9 @@ ifdef(`init_systemd',`
 	init_read_runtime_symlinks(syslogd_t)
 	init_read_state(syslogd_t)
 
+	# needed for systemd-initrd case when syslog socket is unlabelled
+	logging_send_syslog_msg(syslogd_t)
+
 	systemd_manage_journal_files(syslogd_t)
 
 	udev_read_runtime_files(syslogd_t)