From: "Kenton Groombridge"
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Kenton Groombridge"
Message-ID: <1696606252.634b4ae6e433169248722aa27c12b75c302ddac6.concord@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/logging.if policy/modules/system/systemd.fc policy/modules/system/systemd.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: concord
X-VCS-Committer-Name: Kenton Groombridge
X-VCS-Revision: 634b4ae6e433169248722aa27c12b75c302ddac6
X-VCS-Branch: master
Date: Fri, 6 Oct 2023 16:44:33 +0000 (UTC)
List-Id: Gentoo Linux mail

commit:     634b4ae6e433169248722aa27c12b75c302ddac6
Author:     Dave Sugar gmail com>
AuthorDate: Thu Sep 14 19:44:07 2023 +0000
Commit:     Kenton Groombridge gentoo org>
CommitDate: Fri Oct 6 15:30:52 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=634b4ae6

separate domain for journalctl during init

During system boot, when systemd-journal-catalog-update.service is started, it fails because initrc_t doesn't have access to write systemd_journal_t files/dirs. This change is to run journalctl in a different domain during system startup (systemd_journal_init_t) to allow the access necessary to run.
× systemd-journal-catalog-update.service - Rebuild Journal Catalog
     Loaded: loaded (/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
     Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT; 10min ago
       Docs: man:systemd-journald.service(8)
             man:journald.conf(5)
    Process: 1626 ExecStart=journalctl --update-catalog (code=exited, status=1/FAILURE)
   Main PID: 1626 (code=exited, status=1/FAILURE)
        CPU: 102ms

Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog...
Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for writing: /var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to write /var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog: Permission denied
Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Main process exited, code=exited, status=1/FAILURE
Sep 13 12:51:28 localhost systemd[1]: systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal Catalog.
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { write } for pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { add_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { create } for pid=1631 comm="journalctl" name=".#database6ZdcMU" scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied { write } for pid=1631 comm="journalctl" path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:137): avc: denied { setattr } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { rename } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied { unlink } for pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133
scontext=system_u:system_r:initrc_t:s0 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar gmail.com> Signed-off-by: Kenton Groombridge gentoo.org> policy/modules/system/logging.if | 19 +++++++++++++++++++ policy/modules/system/systemd.fc | 1 + policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++++- 3 files changed, 54 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 681385d50..763926dac 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -845,6 +845,25 @@ interface(`logging_watch_runtime_dirs',` allow $1 syslogd_runtime_t:dir watch; ') +######################################## +## +## Connect syslog varlink socket files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_stream_connect_journald_varlink',` + gen_require(` + type syslogd_runtime_t, syslogd_t; + ') + + init_search_run($1) + stream_connect_pattern($1, syslogd_runtime_t, syslogd_runtime_t, syslogd_t) +') + ######################################## ## ## Delete the syslog socket files diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc index 5b3eb7c84..ac64a5d5c 100644 --- a/policy/modules/system/systemd.fc +++ b/policy/modules/system/systemd.fc @@ -3,6 +3,7 @@ /etc/systemd/dont-synthesize-nobody -- gen_context(system_u:object_r:systemd_conf_t,s0) /etc/udev/hwdb\.bin -- gen_context(system_u:object_r:systemd_hwdb_t,s0) +/usr/bin/journalctl -- gen_context(system_u:object_r:systemd_journalctl_exec_t,s0) /usr/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0) /usr/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0) /usr/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index b60d5729d..4f1c4c856 100644 
--- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -150,9 +150,12 @@ type systemd_hwdb_t; files_type(systemd_hwdb_t) type systemd_journal_t; -files_type(systemd_journal_t) logging_log_file(systemd_journal_t) +type systemd_journal_init_t; +type systemd_journalctl_exec_t; +init_system_domain(systemd_journal_init_t, systemd_journalctl_exec_t) + type systemd_locale_t; type systemd_locale_exec_t; init_system_domain(systemd_locale_t, systemd_locale_exec_t) @@ -771,6 +774,36 @@ init_search_runtime(systemd_hw_t) seutil_read_config(systemd_hw_t) seutil_read_file_contexts(systemd_hw_t) +####################################### +# +# journald local policy +# +# During system boot, the service systemd-journal-catalog-update.service +# runs journalctl with the switch --update-catalog which needs manage +# permissions for systemd_journal_t files. Transitioning from initrc_t +# into systemd_journal_init_t for this operation limits write access +# to sysemd_journal_t files to only the systemd_journal_init_t domain. +# + +dontaudit systemd_journal_init_t self:capability net_admin; + +manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t) + +fs_getattr_cgroup(systemd_journal_init_t) +fs_search_cgroup_dirs(systemd_journal_init_t) + +kernel_getattr_proc(systemd_journal_init_t) +kernel_read_kernel_sysctls(systemd_journal_init_t) +kernel_read_system_state(systemd_journal_init_t) + +init_read_state(systemd_journal_init_t) +init_search_var_lib_dirs(systemd_journal_init_t) + +logging_send_syslog_msg(systemd_journal_init_t) +logging_stream_connect_journald_varlink(systemd_journal_init_t) + +miscfiles_read_localization(systemd_journal_init_t) + ####################################### # # locale local policy
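Review bot: in the logging.if hunk, the new logging_stream_connect_journald_varlink interface is documented as "Connect syslog varlink socket files", but stream_connect_pattern($1, syslogd_runtime_t, syslogd_runtime_t, syslogd_t) lets the caller connect to every syslogd_runtime_t socket under the runtime directory, not only the varlink one, because the socket carries the same type as the directory. Either say so in the summary (and say "journald" rather than "syslog" to match the interface name), or give the varlink socket its own type if the narrower scope the name promises is wanted.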
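Review bot: the systemd.fc hunk relabels /usr/bin/journalctl to systemd_journalctl_exec_t for every caller, not only for the boot-time service. If journalctl previously fell under the generic /usr/bin label, any domain that ran it by executing generic binaries now needs an explicit rule for systemd_journalctl_exec_t, and this commit adds no interface (an exec or domtrans interface in systemd.if) to grant that. Suggest adding one, or at least calling out the relabel in the commit message so other policy modules can be adjusted.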
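Review bot: in the first systemd.te hunk (@@ -150), the removal of files_type(systemd_journal_t) is unrelated to the journalctl change and is not mentioned in the commit message; it is only safe because logging_log_file(systemd_journal_t), which stays, already applies the files attribute, so either state that in the message or split it into its own commit. Separately, init_system_domain(systemd_journal_init_t, systemd_journalctl_exec_t) is the only transition this change introduces, while the commit message and the AVCs describe journalctl running as initrc_t; confirm that the service's ExecStart actually enters the new domain through the transition init_system_domain provides, otherwise the catalog update keeps running in initrc_t and the new rules are never used.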
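Review bot: in the second systemd.te hunk (@@ -771), the block header "journald local policy" is misleading: these rules are for the systemd_journal_init_t (journalctl) domain, and journald's own policy lives in the logging module, so rename it "systemd_journal_init local policy"; also fix the typo "sysemd_journal_t" in the comment. The line dontaudit systemd_journal_init_t self:capability net_admin; has no explanation and none of the AVCs quoted in the message involve net_admin, so add a comment stating what triggers it or drop it if it was not observed. manage_files_pattern(systemd_journal_init_t, systemd_journal_t, systemd_journal_t) does cover the dir write/add_name/remove_name and the file create/write/setattr/rename/unlink denials shown, so the grant is the right size; a short comment that it is deliberately files-only (no directory creation) would make that intent explicit.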