From: "Jason Zaman" <perfinion@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/, policy/modules/kernel/
Date: Sun, 21 Mar 2021 22:10:57 +0000 (UTC) [thread overview]
Message-ID: <1613418564.4ca347319929cb5a24faf7eb587cabda640f28bd.perfinion@gentoo> (raw)
commit: 4ca347319929cb5a24faf7eb587cabda640f28bd
Author: Krzysztof Nowicki <krissn <AT> op <DOT> pl>
AuthorDate: Thu Aug 13 06:44:22 2020 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Feb 15 19:49:24 2021 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=4ca34731
Allow use of systemd UNIX sockets created at initrd execution
Systemd uses a number of UNIX sockets for communication (notify
socket [1], journald socket). These sockets are normally created at
start-up after the SELinux policy is loaded, which means that the
kernel socket objects have proper security contexts of the creating
processes.
Unfortunately things look different when the system is started with an
initrd that is also running systemd (e.g. dracut). In such a case the
sockets are created in the initrd systemd environment before the
SELinux policy is loaded and therefore the socket object is assigned
the default kernel context (system_u:system_r:kernel_t). When the
initrd systemd transfers control to the main systemd the notify socket
descriptors are passed to the main systemd process [2]. This means
that when the main system is running the sockets will use the default
kernel security context until they are recreated, which for some
sockets (notify socket) never happens.
Until there is a way to change the context of an already open socket
object, all processes that wish to use systemd sockets need to be
able to send datagrams to system_u:system_r:kernel_t sockets.
Parts of this workaround were earlier hidden behind RedHat-specific
rules, since this distribution is the prime user of systemd+dracut
combo. Since other distros may want to use similar configuration it
makes sense to enable this globally.
[1] sd_notify(3)
[2] https://github.com/systemd/systemd/issues/16714
Signed-off-by: Krzysztof Nowicki <krissn <AT> op.pl>
tmp
Signed-off-by: Jason Zaman <perfinion <AT> gentoo.org>
policy/modules/kernel/kernel.if | 18 ++++++++++++++++++
policy/modules/system/init.te | 5 +++++
policy/modules/system/logging.if | 5 ++---
policy/modules/system/logging.te | 7 ++++---
4 files changed, 29 insertions(+), 6 deletions(-)
diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index ebd73aca..18002e67 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -365,6 +365,24 @@ interface(`kernel_dgram_send',`
allow $1 kernel_t:unix_dgram_socket sendto;
')
+########################################
+## <summary>
+## Send messages to kernel netlink audit sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`kernel_rw_netlink_audit_sockets',`
+ gen_require(`
+ type kernel_t;
+ ')
+
+ allow $1 kernel_t:netlink_audit_socket { rw_netlink_socket_perms };
+')
+
########################################
## <summary>
## Allows caller to load kernel modules
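Review bot: the summary of the new `kernel_rw_netlink_audit_sockets` interface says "Send messages to kernel netlink audit sockets", but the rule it adds is `allow $1 kernel_t:netlink_audit_socket { rw_netlink_socket_perms };`, which grants read as well as write (plus the other permissions in that set). The `<summary>` should say "Read and write kernel netlink audit sockets" so that callers auditing what the interface hands out are not misled into thinking it is send-only, in line with how the neighbouring `kernel_rw_*` interfaces are documented.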
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index ba82d84a..f711e535 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -312,6 +312,8 @@ ifdef(`init_systemd',`
kernel_setsched(init_t)
kernel_link_key(init_t)
kernel_rw_unix_sysctls(init_t)
+ kernel_rw_stream_sockets(init_t)
+ kernel_rw_unix_dgram_sockets(init_t)
# run systemd misc initializations
# in the initrc_t domain, as would be
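Review bot: the two new calls `kernel_rw_stream_sockets(init_t)` and `kernel_rw_unix_dgram_sockets(init_t)` land in the `init_systemd` block without any comment, while the commit message explains they exist only because sockets inherited from an initrd systemd keep the `kernel_t` label. The second hunk of this file does add a comment for the `initrc_t` rule; this one should get an equivalent line (e.g. "# sockets inherited from initrd systemd carry the kernel_t label") so a later maintainer does not remove the rules as unexplained kernel_t access.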
@@ -1032,6 +1034,9 @@ ifdef(`init_systemd',`
allow initrc_t systemdunit:service reload;
allow initrc_t init_script_file_type:service { stop start status reload };
+ # Access to notify socket for services with Type=notify
+ kernel_dgram_send(initrc_t)
+
# run systemd misc initializations
# in the initrc_t domain, as would be
# done in traditional sysvinit/upstart.
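Review bot: `kernel_dgram_send(initrc_t)` is added unconditionally, so every system using `init_systemd` now lets `initrc_t` send datagrams to `kernel_t` unix sockets, whether or not it boots from a systemd initrd. That matches the commit message's stated intent of enabling the workaround globally, but the comment "Access to notify socket for services with Type=notify" does not say why the notify socket is `kernel_t` here; extending it with the initrd reasoning (as the logging.te hunk does) would make the scope of the grant clear and make it easy to revisit once the socket can be relabelled.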
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 0f6efef8..e3851303 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -681,10 +681,9 @@ interface(`logging_send_syslog_msg',`
# Allow systemd-journald to check whether the process died
allow syslogd_t $1:process signull;
- ifdef(`distro_redhat',`
- kernel_dgram_send($1)
- ')
+ kernel_dgram_send($1)
')
+
')
########################################
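Review bot: the added empty `+` line immediately before the closing `')` of `logging_send_syslog_msg` looks like stray whitespace rather than an intended change; it should be dropped so the diff only contains the removal of the `ifdef(`distro_redhat',` guard around `kernel_dgram_send($1)`. The guard removal itself is consistent with the commit message, but note that it means every domain calling `logging_send_syslog_msg` now gets `sendto` on `kernel_t` unix datagram sockets on all distributions, which should be mentioned in the interface's summary so callers know the interface carries that extra permission.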
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index fb0fe124..a6868af0 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -501,9 +501,6 @@ auth_use_nsswitch(syslogd_t)
init_use_fds(syslogd_t)
-# cjp: this doesnt make sense
-logging_send_syslog_msg(syslogd_t)
-
miscfiles_read_localization(syslogd_t)
seutil_read_config(syslogd_t)
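Review bot: removing `logging_send_syslog_msg(syslogd_t)` together with the old "cjp: this doesnt make sense" comment is fine on its own, but the same call is reintroduced later in this file inside the `init_systemd` block; the removal here should be mentioned in the commit message so it is clear that the call is being moved and narrowed to the systemd case rather than dropped, since the non-systemd syslogd path loses it.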
@@ -525,6 +522,7 @@ ifdef(`init_systemd',`
kernel_read_ring_buffer(syslogd_t)
kernel_rw_stream_sockets(syslogd_t)
kernel_rw_unix_dgram_sockets(syslogd_t)
+ kernel_rw_netlink_audit_sockets(syslogd_t)
kernel_use_fds(syslogd_t)
dev_read_kmsg(syslogd_t)
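Review bot: `kernel_rw_netlink_audit_sockets(syslogd_t)` is a new kind of access that the commit message does not cover; the message only discusses unix notify and journal sockets created by the initrd systemd. If the audit netlink socket is likewise opened before policy load and inherited by journald with the `kernel_t` label, say so in a comment on this line (and in the commit message); if it is needed for a different reason, that should be a separate commit so the audit-socket grant can be reviewed on its own.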
@@ -544,6 +542,9 @@ ifdef(`init_systemd',`
init_read_runtime_symlinks(syslogd_t)
init_read_state(syslogd_t)
+ # needed for systemd-initrd case when syslog socket is unlabelled
+ logging_send_syslog_msg(syslogd_t)
+
systemd_manage_journal_files(syslogd_t)
udev_read_runtime_files(syslogd_t)
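Review bot: the comment "needed for systemd-initrd case when syslog socket is unlabelled" is inaccurate: per the commit message the socket is not unlabelled but carries the default `kernel_t` context because it was created before policy load. Suggest "# needed for the systemd-initrd case, where the syslog socket inherited from the initrd is labelled kernel_t", which also explains why `logging_send_syslog_msg(syslogd_t)` (which now includes `kernel_dgram_send`) is the interface being called here.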