From 9686bf05a760b3d39b18b147ed1a1310a46d2d77 Mon Sep 17 00:00:00 2001
From: Nicolas Iooss <nicolas.iooss@m4x.org>
Date: Sat, 17 Aug 2019 16:03:39 +0200
Subject: [PATCH] ulogd: allow starting on a Debian system

When ulogd is run by systemd on Debian, it logs messages to the journal,
it used a PID file in /run/ulog/ulogd.pid, and logs packets to
/var/log/ulog/syslogemu.log. This last ones triggers a dac_read_search
capability check because the directory is configured as:

    drwxrwx---. ulog adm /var/log/ulog

(root does not have an access to the directory without bypassing the DAC.)

Add a comment describing how to avoid allowing dac_read_search to ulogd_t.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 policy/modules/services/ulogd.fc |  2 ++
 policy/modules/services/ulogd.te | 15 +++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/policy/modules/services/ulogd.fc b/policy/modules/services/ulogd.fc
index b1744d72d..81d582497 100644
--- a/policy/modules/services/ulogd.fc
+++ b/policy/modules/services/ulogd.fc
@@ -2,6 +2,8 @@
 
 /etc/rc\.d/init\.d/ulogd	--	gen_context(system_u:object_r:ulogd_initrc_exec_t,s0)
 
+/run/ulog(/*)		gen_context(system_u:object_r:ulogd_var_run_t,s0)
+
 /usr/bin/ulogd	--	gen_context(system_u:object_r:ulogd_exec_t,s0)
 
 /usr/lib/ulogd(/.*)?	gen_context(system_u:object_r:ulogd_modules_t,s0)
diff --git a/policy/modules/services/ulogd.te b/policy/modules/services/ulogd.te
index 96e184d5f..36fe846bd 100644
--- a/policy/modules/services/ulogd.te
+++ b/policy/modules/services/ulogd.te
@@ -18,6 +18,9 @@ init_script_file(ulogd_initrc_exec_t)
 type ulogd_modules_t;
 files_type(ulogd_modules_t)
 
+type ulogd_var_run_t;
+files_pid_file(ulogd_var_run_t)
+
 type ulogd_var_log_t;
 logging_log_file(ulogd_var_log_t)
 
@@ -26,6 +29,11 @@ logging_log_file(ulogd_var_log_t)
 # Local policy
 #
 
+# If there is an AVC about capability dac_read_search being denied to ulogd_t,
+# it may be caused by root not being able to access to /var/log/ulog according
+# to the directory permissions. Such an issue can be fixed using ACL (for
+# example with: setfacl -m u:root:rwx /var/log/ulog). Please do not add
+# a rule allowing dac_read_search if you encounter this, but fix your system.
 allow ulogd_t self:capability { net_admin setgid setuid sys_nice };
 allow ulogd_t self:process setsched;
 allow ulogd_t self:netlink_netfilter_socket create_socket_perms;
@@ -38,6 +46,8 @@ read_files_pattern(ulogd_t, ulogd_etc_t, ulogd_etc_t)
 list_dirs_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
 mmap_exec_files_pattern(ulogd_t, ulogd_modules_t, ulogd_modules_t)
 
+manage_files_pattern(ulogd_t, ulogd_var_run_t, ulogd_var_run_t)
+
 append_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 create_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
 setattr_files_pattern(ulogd_t, ulogd_var_log_t, ulogd_var_log_t)
@@ -46,6 +56,11 @@ logging_log_filetrans(ulogd_t, ulogd_var_log_t, file)
 files_read_etc_files(ulogd_t)
 files_read_usr_files(ulogd_t)
 
+# For /proc/sys/kernel/ngroups_max
+kernel_read_kernel_sysctls(ulogd_t)
+
+logging_send_syslog_msg(ulogd_t)
+
 miscfiles_read_localization(ulogd_t)
 
 sysnet_dns_name_resolve(ulogd_t)