selinux-refpolicy/policy/modules/services/ulogd.te

89 lines
2.4 KiB
Plaintext
Raw Normal View History

policy_module(ulogd, 1.6.0)
########################################
#
# Declarations
#
type ulogd_t;
type ulogd_exec_t;
init_daemon_domain(ulogd_t, ulogd_exec_t)
type ulogd_etc_t;
files_config_file(ulogd_etc_t)
type ulogd_initrc_exec_t;
init_script_file(ulogd_initrc_exec_t)
type ulogd_modules_t;
files_type(ulogd_modules_t)
type ulogd_runtime_t;
files_pid_file(ulogd_runtime_t)
type ulogd_var_log_t;
logging_log_file(ulogd_var_log_t)
########################################
#
# Local policy
#
# If there is an AVC about capability dac_read_search being denied to ulogd_t,
# it may be caused by root not being able to access to /var/log/ulog according
# to the directory permissions. Such an issue can be fixed using ACL (for
# example with: setfacl -m u:root:rwx /var/log/ulog). Please do not add
# a rule allowing dac_read_search if you encounter this, but fix your system.
allow ulogd_t self:capability { net_admin setgid setuid sys_nice };
allow ulogd_t self:process setsched;
ulogd: adjust policy for Debian On a Debian 10 system, I saw denials for ulogd service: * It uses a pipe with itself: type=AVC msg=audit(1567874422.328:13744): avc: denied { write } for pid=11416 comm="ulogd" path="pipe:[29006]" dev="pipefs" ino=29006 scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=fifo_file permissive=0 * It enumerates users in /run/systemd/dynamic-uid/ when changing to the ulog user (which is not dynamic): type=AVC msg=audit(1567874512.576:13748): avc: denied { read } for pid=18290 comm="ulogd" name="dynamic-uid" dev="tmpfs" ino=16527 scontext=system_u:system_r:ulogd_t tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=0 * It connects to the system D-Bus socket in order to call GetDynamicUser: type=AVC msg=audit(1567875114.147:13761): avc: denied { write } for pid=28135 comm="ulogd" name="system_bus_socket" dev="tmpfs" ino=13799 scontext=system_u:system_r:ulogd_t tcontext=system_u:object_r:system_dbusd_var_run_t tclass=sock_file permissive=1 type=AVC msg=audit(1567875114.147:13761): avc: denied { connectto } for pid=28135 comm="ulogd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket permissive=1 type=USER_AVC msg=audit(1567875276.683:13776): pid=432 uid=106 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_db usd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=30953 tpid=1 scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:init_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?' Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 21:06:34 +00:00
allow ulogd_t self:fifo_file rw_fifo_file_perms;
ulogd: allow creating a netlink-netfilter socket This is used to get the packets logged by the firewall. I experienced this on a Debian system which uses nftables rules with the "log" keyword: type=AVC msg=audit(1565901600.257:348): avc: denied { create } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tcla ss=netlink_netfilter_socket permissive=1 type=AVC msg=audit(1565901103.154:327): avc: denied { read } for pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1 type=SYSCALL msg=audit(1565901103.154:327): arch=c000003e syscall=45 success=yes exit=148 a0=8 a1=7f651d19d010 a2=249f0 a3=0 items=0 ppid=1 pid=436 auid=4294967295 uid=111 gid=118 euid=111 suid=111 fsuid=111 egid=118 sgid=118 fsgid=118 tty=(none) ses=4294967295 comm="ulogd" exe="/usr/sbin/ulogd" subj=system_u:system_r:ulogd_t key=(null) type=PROCTITLE msg=audit(1565901103.154:327): proctitle=2F7573722F7362696E2F756C6F6764002D2D6461656D6F6E002D2D75696400756C6F67002D2D70696466696C65002F72756E2F756C6F672F756C6F67642E706964 [ ... ] type=AVC msg=audit(1565901600.241:338): avc: denied { write } for pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1 type=AVC msg=audit(1565901600.257:348): avc: denied { create } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1 type=AVC msg=audit(1565901600.257:349): avc: denied { getattr } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1 type=AVC msg=audit(1565901600.257:350): avc: denied { bind } for pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket permissive=1 Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-17 13:53:32 +00:00
allow ulogd_t self:netlink_netfilter_socket create_socket_perms;
allow ulogd_t self:netlink_nflog_socket create_socket_perms;
allow ulogd_t self:netlink_socket create_socket_perms;
allow ulogd_t self:tcp_socket create_stream_socket_perms;
read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
mmap_exec_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
manage_files_pattern(ulogd_t, ulogd_runtime_t, ulogd_runtime_t)
append_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
files_read_etc_files(ulogd_t)
files_read_usr_files(ulogd_t)
# For /proc/sys/kernel/ngroups_max
kernel_read_kernel_sysctls(ulogd_t)
logging_send_syslog_msg(ulogd_t)
miscfiles_read_localization(ulogd_t)
sysnet_dns_name_resolve(ulogd_t)
ulogd: adjust policy for Debian On a Debian 10 system, I saw denials for ulogd service: * It uses a pipe with itself: type=AVC msg=audit(1567874422.328:13744): avc: denied { write } for pid=11416 comm="ulogd" path="pipe:[29006]" dev="pipefs" ino=29006 scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=fifo_file permissive=0 * It enumerates users in /run/systemd/dynamic-uid/ when changing to the ulog user (which is not dynamic): type=AVC msg=audit(1567874512.576:13748): avc: denied { read } for pid=18290 comm="ulogd" name="dynamic-uid" dev="tmpfs" ino=16527 scontext=system_u:system_r:ulogd_t tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=0 * It connects to the system D-Bus socket in order to call GetDynamicUser: type=AVC msg=audit(1567875114.147:13761): avc: denied { write } for pid=28135 comm="ulogd" name="system_bus_socket" dev="tmpfs" ino=13799 scontext=system_u:system_r:ulogd_t tcontext=system_u:object_r:system_dbusd_var_run_t tclass=sock_file permissive=1 type=AVC msg=audit(1567875114.147:13761): avc: denied { connectto } for pid=28135 comm="ulogd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket permissive=1 type=USER_AVC msg=audit(1567875276.683:13776): pid=432 uid=106 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_db usd_t msg='avc: denied { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=30953 tpid=1 scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:init_t tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?' Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 21:06:34 +00:00
ifdef(`init_systemd', `
# For /run/systemd/dynamic-uid/
init_list_pids(ulogd_t)
optional_policy(`
dbus_system_bus_client(ulogd_t)
# For GetDynamicUser() of org.freedesktop.systemd1.Manager
init_dbus_chat(ulogd_t)
')
')
optional_policy(`
mysql_stream_connect(ulogd_t)
mysql_tcp_connect(ulogd_t)
')
optional_policy(`
postgresql_stream_connect(ulogd_t)
postgresql_tcp_connect(ulogd_t)
')