Introduce a new "logging_syslog_can_network" boolean

and make the net_admin capability as well as all corenetwork permissions previously granted to the syslog daemon conditional upon such boolean being true. Signed-off-by: Guido Trentalancia <guido@trentalancia.com> --- policy/modules/system/logging.te | 61 +++++++++++++++++++++++---------------- 1 file changed, 36 insertions(+), 25 deletions(-)
2023-09-06 20:44:54 +02:00 · 2023-09-06 20:44:54 +02:00 · c032204af3
commit c032204af3
parent f3f761c4a8
1 changed files with 36 additions and 25 deletions
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -5,6 +5,14 @@ policy_module(logging)
 # Declarations
 #

+## <desc>
+## <p>
+## Allows syslogd internet domain sockets
+## functionality (dangerous).
+## </p>
+## </desc>
+gen_tunable(logging_syslog_can_network, false)
+
 attribute logfile;

 type auditctl_t;
@ -386,8 +394,7 @@ optional_policy(`
 # chown fsetid for syslog-ng
 # sys_admin for the integrated klog of syslog-ng and metalog
 # sys_nice for rsyslog
-# cjp: why net_admin!
-allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+allow syslogd_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
 dontaudit syslogd_t self:capability { sys_ptrace };
 dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
 # setpgid for metalog
@ -457,29 +464,6 @@ kernel_read_ring_buffer(syslogd_t)
 # /initrd is not umounted before minilog starts
 kernel_dontaudit_search_unlabeled(syslogd_t)

-corenet_all_recvfrom_netlabel(syslogd_t)
-corenet_udp_sendrecv_generic_if(syslogd_t)
-corenet_udp_sendrecv_generic_node(syslogd_t)
-corenet_udp_bind_generic_node(syslogd_t)
-corenet_udp_bind_syslogd_port(syslogd_t)
-# syslog-ng can listen and connect on tcp port 514 (rsh)
-corenet_tcp_sendrecv_generic_if(syslogd_t)
-corenet_tcp_sendrecv_generic_node(syslogd_t)
-corenet_tcp_bind_generic_node(syslogd_t)
-corenet_tcp_bind_rsh_port(syslogd_t)
-corenet_tcp_connect_rsh_port(syslogd_t)
-# Allow users to define additional syslog ports to connect to
-corenet_tcp_bind_syslogd_port(syslogd_t)
-corenet_tcp_connect_syslogd_port(syslogd_t)
-corenet_tcp_connect_postgresql_port(syslogd_t)
-corenet_tcp_connect_mysqld_port(syslogd_t)
-
-# syslog-ng can send or receive logs
-corenet_sendrecv_syslogd_client_packets(syslogd_t)
-corenet_sendrecv_syslogd_server_packets(syslogd_t)
-corenet_sendrecv_postgresql_client_packets(syslogd_t)
-corenet_sendrecv_mysqld_client_packets(syslogd_t)
-
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
 dev_read_urand(syslogd_t)
@ -597,6 +581,33 @@ ifdef(`distro_ubuntu',`
 	')
 ')

+tunable_policy(`logging_syslog_can_network',`
+	allow syslogd_t self:capability { net_admin };
+
+	corenet_all_recvfrom_netlabel(syslogd_t)
+	corenet_udp_sendrecv_generic_if(syslogd_t)
+	corenet_udp_sendrecv_generic_node(syslogd_t)
+	corenet_udp_bind_generic_node(syslogd_t)
+	corenet_udp_bind_syslogd_port(syslogd_t)
+	# syslog-ng can listen and connect on tcp port 514 (rsh)
+	corenet_tcp_sendrecv_generic_if(syslogd_t)
+	corenet_tcp_sendrecv_generic_node(syslogd_t)
+	corenet_tcp_bind_generic_node(syslogd_t)
+	corenet_tcp_bind_rsh_port(syslogd_t)
+	corenet_tcp_connect_rsh_port(syslogd_t)
+	# Allow users to define additional syslog ports to connect to
+	corenet_tcp_bind_syslogd_port(syslogd_t)
+	corenet_tcp_connect_syslogd_port(syslogd_t)
+	corenet_tcp_connect_postgresql_port(syslogd_t)
+	corenet_tcp_connect_mysqld_port(syslogd_t)
+
+	# syslog-ng can send or receive logs
+	corenet_sendrecv_syslogd_client_packets(syslogd_t)
+	corenet_sendrecv_syslogd_server_packets(syslogd_t)
+	corenet_sendrecv_postgresql_client_packets(syslogd_t)
+	corenet_sendrecv_mysqld_client_packets(syslogd_t)
+')
+
 optional_policy(`
 	bind_search_cache(syslogd_t)
 ')