0992763548
Update callers for "pid" to "runtime" interface rename.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-06-28 16:03:45 -04:00
b2f72e833b
Bump module versions for release.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2020-02-29 16:54:39 -05:00
a5dab43a85
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-09-11 06:52:32 -04:00
f5a4ce1d35
ulogd: adjust policy for Debian
...
On a Debian 10 system, I saw denials for ulogd service:
* It uses a pipe with itself:
type=AVC msg=audit(1567874422.328:13744): avc: denied { write }
for pid=11416 comm="ulogd" path="pipe:[29006]" dev="pipefs"
ino=29006 scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=fifo_file permissive=0
* It enumerates users in /run/systemd/dynamic-uid/ when changing to the
ulog user (which is not dynamic):
type=AVC msg=audit(1567874512.576:13748): avc: denied { read } for
pid=18290 comm="ulogd" name="dynamic-uid" dev="tmpfs" ino=16527
scontext=system_u:system_r:ulogd_t
tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=0
* It connects to the system D-Bus socket in order to call GetDynamicUser:
type=AVC msg=audit(1567875114.147:13761): avc: denied { write }
for pid=28135 comm="ulogd" name="system_bus_socket" dev="tmpfs"
ino=13799 scontext=system_u:system_r:ulogd_t
tcontext=system_u:object_r:system_dbusd_var_run_t tclass=sock_file
permissive=1
type=AVC msg=audit(1567875114.147:13761): avc: denied { connectto
} for pid=28135 comm="ulogd" path="/run/dbus/system_bus_socket"
scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket
permissive=1
type=USER_AVC msg=audit(1567875276.683:13776): pid=432 uid=106
auid=4294967295 ses=4294967295 subj=system_u:system_r:system_db
usd_t msg='avc: denied { send_msg } for msgtype=method_call
interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
dest=org.freedesktop.systemd1 spid=30953 tpid=1
scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:init_t
tclass=dbus permissive=1 exe="/usr/bin/dbus-daemon" sauid=106
hostname=? addr=? terminal=?'
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 23:06:34 +02:00
68b74385a4
various: Module version bump.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-27 00:28:34 -04:00
230262368b
ulogd: Rename ulogd_var_run_t to ulogd_runtime_t.
...
Signed-off-by: Chris PeBenito <pebenito@ieee.org>
2019-08-17 15:17:51 -04:00
ac1659e79f
ulogd: Module version bump.
2019-08-17 15:11:32 -04:00
9686bf05a7
ulogd: allow starting on a Debian system
...
When ulogd is run by systemd on Debian, it logs messages to the journal,
it used a PID file in /run/ulog/ulogd.pid, and logs packets to
/var/log/ulog/syslogemu.log. This last ones triggers a dac_read_search
capability check because the directory is configured as:
drwxrwx---. ulog adm /var/log/ulog
(root does not have an access to the directory without bypassing the DAC.)
Add a comment describing how to avoid allowing dac_read_search to ulogd_t.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-17 16:03:39 +02:00
d91d41b53a
ulogd: allow creating a netlink-netfilter socket
...
This is used to get the packets logged by the firewall.
I experienced this on a Debian system which uses nftables rules with the
"log" keyword:
type=AVC msg=audit(1565901600.257:348): avc: denied { create } for
pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tcla
ss=netlink_netfilter_socket permissive=1
type=AVC msg=audit(1565901103.154:327): avc: denied { read } for
pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
permissive=1
type=SYSCALL msg=audit(1565901103.154:327): arch=c000003e syscall=45
success=yes exit=148 a0=8 a1=7f651d19d010 a2=249f0 a3=0 items=0 ppid=1
pid=436 auid=4294967295 uid=111 gid=118 euid=111 suid=111 fsuid=111
egid=118 sgid=118 fsgid=118 tty=(none) ses=4294967295 comm="ulogd"
exe="/usr/sbin/ulogd" subj=system_u:system_r:ulogd_t key=(null)
type=PROCTITLE msg=audit(1565901103.154:327):
proctitle=2F7573722F7362696E2F756C6F6764002D2D6461656D6F6E002D2D75696400756C6F67002D2D70696466696C65002F72756E2F756C6F672F756C6F67642E706964
[ ... ]
type=AVC msg=audit(1565901600.241:338): avc: denied { write } for
pid=436 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
permissive=1
type=AVC msg=audit(1565901600.257:348): avc: denied { create } for
pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
permissive=1
type=AVC msg=audit(1565901600.257:349): avc: denied { getattr } for
pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
permissive=1
type=AVC msg=audit(1565901600.257:350): avc: denied { bind } for
pid=8586 comm="ulogd" scontext=system_u:system_r:ulogd_t
tcontext=system_u:system_r:ulogd_t tclass=netlink_netfilter_socket
permissive=1
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-08-17 15:53:32 +02:00
3ab07a0e1e
Move all files out of the old contrib directory.
2018-06-23 10:38:58 -04:00
09248fa0db
Move modules to contrib submodule.
2011-09-09 10:10:03 -04:00
826d014241
Bump module versions for release.
2010-12-13 09:12:22 -05:00
e6e42cd4c9
Module version bump for ulogd.
2010-11-19 11:39:51 -05:00
b9a562446d
Move all ulogd networking into the mysql and postgres optionals.
2010-11-19 11:39:36 -05:00
a00839dcc1
ulogd patch from Dan Walsh
...
"communicates with mysql and postgres via the network"
2010-11-18 13:26:19 -05:00
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
9570b28801
module version number bump for release 2.20090730 that was mistakenly omitted.
2009-08-05 10:59:21 -04:00
45515556d4
trunk: 10 patches from dan.
2009-06-12 19:44:10 +00:00
a5ef553c2d
trunk: 5 modules from dan.
2009-04-20 19:03:15 +00:00
Chris PeBenito
Nicolas Iooss
Chris PeBenito
Jeremy Solt