selinux-refpolicy/policy
Nicolas Iooss f5a4ce1d35
ulogd: adjust policy for Debian
On a Debian 10 system, I saw denials for the ulogd service:

* It uses a pipe with itself:

    type=AVC msg=audit(1567874422.328:13744): avc:  denied  { write }
    for pid=11416 comm="ulogd" path="pipe:[29006]" dev="pipefs"
    ino=29006 scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:ulogd_t tclass=fifo_file permissive=0

* It enumerates users in /run/systemd/dynamic-uid/ when changing to the
  ulog user (which is not dynamic):

    type=AVC msg=audit(1567874512.576:13748): avc:  denied  { read } for
    pid=18290 comm="ulogd" name="dynamic-uid" dev="tmpfs" ino=16527
    scontext=system_u:system_r:ulogd_t
    tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=0

* It connects to the system D-Bus socket in order to call GetDynamicUser:

    type=AVC msg=audit(1567875114.147:13761): avc:  denied  { write }
    for  pid=28135 comm="ulogd" name="system_bus_socket" dev="tmpfs"
    ino=13799 scontext=system_u:system_r:ulogd_t
    tcontext=system_u:object_r:system_dbusd_var_run_t tclass=sock_file
    permissive=1

    type=AVC msg=audit(1567875114.147:13761): avc:  denied  { connectto
    } for  pid=28135 comm="ulogd" path="/run/dbus/system_bus_socket"
    scontext=system_u:system_r:ulogd_t
    tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket
    permissive=1

    type=USER_AVC msg=audit(1567875276.683:13776): pid=432 uid=106
    auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t
    msg='avc:  denied  { send_msg } for msgtype=method_call
    interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers
    dest=org.freedesktop.systemd1 spid=30953 tpid=1
    scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:init_t
    tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=106
    hostname=? addr=? terminal=?'

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2019-09-08 23:06:34 +02:00
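As an added example (not part of the commit or of refpolicy), a small Python parser that turns the AVC and USER_AVC records quoted above into the raw allow rules they imply, which is the starting point before expressing such access through refpolicy interfaces. The log lines are the commit's own, re-joined onto one line each; the regex and rule merging are assumptions of this example.

```python
import re

# The five AVC records quoted in the commit message above, each re-joined
# onto a single line (the audit subsystem emits one record per line).
AVC_LOG = """\
type=AVC msg=audit(1567874422.328:13744): avc:  denied  { write } for pid=11416 comm="ulogd" path="pipe:[29006]" dev="pipefs" ino=29006 scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:ulogd_t tclass=fifo_file permissive=0
type=AVC msg=audit(1567874512.576:13748): avc:  denied  { read } for pid=18290 comm="ulogd" name="dynamic-uid" dev="tmpfs" ino=16527 scontext=system_u:system_r:ulogd_t tcontext=system_u:object_r:init_var_run_t tclass=dir permissive=0
type=AVC msg=audit(1567875114.147:13761): avc:  denied  { write } for  pid=28135 comm="ulogd" name="system_bus_socket" dev="tmpfs" ino=13799 scontext=system_u:system_r:ulogd_t tcontext=system_u:object_r:system_dbusd_var_run_t tclass=sock_file permissive=1
type=AVC msg=audit(1567875114.147:13761): avc:  denied  { connectto } for  pid=28135 comm="ulogd" path="/run/dbus/system_bus_socket" scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:system_dbusd_t tclass=unix_stream_socket permissive=1
type=USER_AVC msg=audit(1567875276.683:13776): pid=432 uid=106 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.systemd1.Manager member=GetDynamicUsers dest=org.freedesktop.systemd1 spid=30953 tpid=1 scontext=system_u:system_r:ulogd_t tcontext=system_u:system_r:init_t tclass=dbus permissive=1  exe="/usr/bin/dbus-daemon" sauid=106 hostname=? addr=? terminal=?'
"""

# Matches kernel AVC records and USER_AVC records where dbus-daemon wraps the
# avc: text inside msg='...'; subj= precedes avc:, so it is never taken for scontext=.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
    r"(?:\s+permissive=(?P<permissive>[01]))?"
)

def type_of(context):
    # A security context is user:role:type[:range]; the type is the third field.
    return context.split(":")[2]

def parse_avc(text):
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append({
                "source": type_of(m["scon"]), "target": type_of(m["tcon"]),
                "tclass": m["tclass"], "perms": frozenset(m["perms"].split()),
                "permissive": m["permissive"] == "1",
            })
    return denials

def allow_rules(denials):
    # Merge permissions per (source, target, class) as audit2allow does; a denial
    # whose source and target types match is written against self. In refpolicy
    # only that self rule stays raw: access to init_t, init_var_run_t and
    # system_dbusd_t types goes through the init and dbus module interfaces.
    merged = {}
    for d in denials:
        key = (d["source"], d["target"], d["tclass"])
        merged.setdefault(key, set()).update(d["perms"])
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules
```

`allow_rules(parse_avc(AVC_LOG))` yields five rules, the pipe one against `self`; three of the five records carry `permissive=1`, so they were logged rather than blocked.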