Remove a vulnerability introduced by a logging interface

which allows to execute log files. This can be potentially used to execute malicious code or scripts previously written in log files. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/admin/logrotate.te | 1 - policy/modules/system/logging.if | 22 ---------------------- 2 files changed, 23 deletions(-)
2023-09-11 09:40:24 +02:00 · 2023-09-11 09:40:24 +02:00 · 5037801893
commit 5037801893
parent 9c4b0300ea
2 changed files with 0 additions and 23 deletions
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@ -120,7 +120,6 @@ init_manage_all_units(logrotate_t)
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
-logging_exec_all_logs(logrotate_t)

 miscfiles_read_generic_certs(logrotate_t)
 miscfiles_read_localization(logrotate_t)
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@ -1098,28 +1098,6 @@ interface(`logging_watch_all_logs',`
 	allow $1 logfile:file watch;
 ')

-########################################
-## <summary>
-##	Execute all log files in the caller domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-#
-# cjp: not sure why this is needed.  This was added
-# because of logrotate.
-interface(`logging_exec_all_logs',`
-	gen_require(`
-		attribute logfile;
-	')
-
-	files_search_var($1)
-	allow $1 logfile:dir list_dir_perms;
-	can_exec($1, logfile)
-')
-
 ########################################
 ## <summary>
 ##	read/write to all log files.