From 364621e6ec361181a20063a0e1fac790643fe3f9 Mon Sep 17 00:00:00 2001
From: Krzysztof Nowicki <krissn@op.pl>
Date: Thu, 13 Aug 2020 08:44:22 +0200
Subject: [PATCH] Allow use of systemd UNIX sockets created at initrd execution

Systemd uses a number of UNIX sockets for communication (notify
socket [1], journald socket). These sockets are normally created at
start-up after the SELinux policy is loaded, which means that the
kernel socket objects have proper security contexts of the creating
processes.

Unfortunately things look different when the system is started with an
initrd that is also running systemd (e.g. dracut). In such case the
sockets are created in the initrd systemd environment before the
SELinux policy is loaded and therefore the socket object is assigned
the default kernel context (system_u:system_r:kernel_t). When the
initrd systemd transfers control to the main systemd the notify socket
descriptors are passed to the main systemd process [2]. This means
that when the main system is running the sockets will use the default
kernel securint context until they are recreated, which for some
sockets (notify socket) never happens.

Until there is a way to change the context of an already open socket
object all processes, that wish to use systemd sockets need to be
able to send datagrams to system_u:system_r:kernel_t sockets.

Parts of this workaround were earlier hidden behind RedHat-specific
rules, since this distribution is the prime user of systemd+dracut
combo. Since other distros may want to use similar configuration it
makes sense to enable this globally.

[1] sd_notify(3)
[2] https://github.com/systemd/systemd/issues/16714

Signed-off-by: Krzysztof Nowicki <krissn@op.pl>

tmp
---
 policy/modules/kernel/kernel.if  | 18 ++++++++++++++++++
 policy/modules/system/init.te    |  5 +++++
 policy/modules/system/logging.if |  5 ++---
 policy/modules/system/logging.te |  7 ++++---
 4 files changed, 29 insertions(+), 6 deletions(-)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index ebd73aca9..18002e67d 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -365,6 +365,24 @@ interface(`kernel_dgram_send',`
 	allow $1 kernel_t:unix_dgram_socket sendto;
 ')
 
+########################################
+## <summary>
+##	Send messages to kernel netlink audit sockets.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_rw_netlink_audit_sockets',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:netlink_audit_socket { rw_netlink_socket_perms };
+')
+
 ########################################
 ## <summary>
 ##	Allows caller to load kernel modules
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4734a9510..2f88c551e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -312,6 +312,8 @@ ifdef(`init_systemd',`
 	kernel_setsched(init_t)
 	kernel_link_key(init_t)
 	kernel_rw_unix_sysctls(init_t)
+	kernel_rw_stream_sockets(init_t)
+	kernel_rw_unix_dgram_sockets(init_t)
 
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
@@ -1028,6 +1030,9 @@ ifdef(`init_systemd',`
 	allow initrc_t systemdunit:service reload;
 	allow initrc_t init_script_file_type:service { stop start status reload };
 
+	# Access to notify socket for services with Type=notify
+	kernel_dgram_send(initrc_t)
+
 	# run systemd misc initializations
 	# in the initrc_t domain, as would be
 	# done in traditional sysvinit/upstart.
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 8a0b2ce0a..10dee6563 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -681,10 +681,9 @@ interface(`logging_send_syslog_msg',`
 		# Allow systemd-journald to check whether the process died
 		allow syslogd_t $1:process signull;
 
-		ifdef(`distro_redhat',`
-			kernel_dgram_send($1)
-		')
+		kernel_dgram_send($1)
 	')
+
 ')
 
 ########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 2f16b24eb..3907809f1 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -501,9 +501,6 @@ auth_use_nsswitch(syslogd_t)
 
 init_use_fds(syslogd_t)
 
-# cjp: this doesnt make sense
-logging_send_syslog_msg(syslogd_t)
-
 miscfiles_read_localization(syslogd_t)
 
 seutil_read_config(syslogd_t)
@@ -525,6 +522,7 @@ ifdef(`init_systemd',`
 	kernel_read_ring_buffer(syslogd_t)
 	kernel_rw_stream_sockets(syslogd_t)
 	kernel_rw_unix_dgram_sockets(syslogd_t)
+	kernel_rw_netlink_audit_sockets(syslogd_t)
 	kernel_use_fds(syslogd_t)
 
 	dev_read_kmsg(syslogd_t)
@@ -544,6 +542,9 @@ ifdef(`init_systemd',`
 	init_read_runtime_symlinks(syslogd_t)
 	init_read_state(syslogd_t)
 
+	# needed for systemd-initrd case when syslog socket is unlabelled
+	logging_send_syslog_msg(syslogd_t)
+
 	systemd_manage_journal_files(syslogd_t)
 
 	udev_read_runtime_files(syslogd_t)