[refpolicy] [PATCH 0/8] Incomplete systemd-journald policy

[refpolicy] [PATCH 0/8] Incomplete systemd-journald policy

[Nicolas Iooss]

This patchset is the result of "cleaning up" the journald part of Debian
systemd patch and some research about why new allow rules were needed.
It introduces some file labels and basic rules to enable applications to
log to journald.

Please note that this patchset does NOT include:

* complete systemd-as-init support,
* file contexts and policy for systemd units,
* journalctl policy (to query logs from journald).

Moreover my system uses "volatile storage" for journald (and
log-forwarding to syslog-ng).  That's why there is nothing explicitly
related to files in /var/log/journal in this patchset.

The last patch is a small clean-up in a Gentoo-specific part of
logging.te.  This patch may require attention from Gentoo developers
before being accepted.

Last but not the least, the second patch introduces an interface to
search init_var_run_t directories (such as /run/systemd).  This
interface is named init_search_pid_dirs in Fedora policy [1], which
seems too restrictive for the purpose of the directory.  If you have
a better name for this interface, suggestion are welcome.


[1] https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/modules/system/init.if?h=rawhide-base&id=092bb77a046cf29d5361bc95a74ce13e22e23100#n2202


Nicolas Iooss (8):
  Label systemd files in init module
  Introduce init_search_run interface
  Label systemd-journald files and directories
  Support logging with /run/systemd/journal/dev-log
  Label /dev/log symlink at boot time with systemd
  Allow journald to read the kernel ring buffer and to use /dev/kmsg
  Allow journald to access to the state of all processes
  Remove redundant Gentoo-specific
    term_append_unallocated_ttys(syslogd_t)

 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/system/init.fc    |  6 ++++++
 policy/modules/system/init.if    | 19 +++++++++++++++++++
 policy/modules/system/init.te    | 11 ++++++++++-
 policy/modules/system/logging.fc |  8 ++++++++
 policy/modules/system/logging.if | 25 ++++++++++++++++++++++++-
 policy/modules/system/logging.te |  7 ++++++-
 7 files changed, 91 insertions(+), 3 deletions(-)

-- 
2.0.4

[refpolicy] [PATCH 1/8] Label systemd files in init module

[Nicolas Iooss]

---
 policy/modules/system/init.fc | 6 ++++++
 policy/modules/system/init.te | 8 +++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index bc0ffc84ed07..417d3580b3a7 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -25,6 +25,7 @@ ifdef(`distro_gentoo',`
 ifdef(`distro_gentoo', `
 /lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 ')
+/lib/systemd/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
 
 #
 # /sbin
@@ -42,6 +43,8 @@ ifdef(`distro_gentoo', `
 #
 /usr/bin/sepg_ctl	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 
+/usr/lib/systemd/systemd --	gen_context(system_u:object_r:init_exec_t,s0)
+
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 
@@ -51,11 +54,14 @@ ifdef(`distro_gentoo', `
 #
 # /var
 #
+/var/lib/systemd(/.*)?		gen_context(system_u:object_r:init_var_lib_t,s0)
+
 /var/run/initctl	-p	gen_context(system_u:object_r:initctl_t,s0)
 /var/run/utmp		--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/runlevel\.dir		gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/random-seed	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
 /var/run/setmixer_flag	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
+/var/run/systemd(/.*)?		gen_context(system_u:object_r:init_var_run_t,s0)
 
 ifdef(`distro_debian',`
 /var/run/hotkey-setup	--	gen_context(system_u:object_r:initrc_var_run_t,s0)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 29256b862a64..b57637504939 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -40,12 +40,18 @@ kernel_domtrans_to(init_t, init_exec_t)
 role system_r types init_t;
 
 #
-# init_var_run_t is the type for /var/run/shutdown.pid.
+# init_var_run_t is the type for /var/run/shutdown.pid and /var/run/systemd.
 #
 type init_var_run_t;
 files_pid_file(init_var_run_t)
 
 #
+# init_var_lib_t is the type for /var/lib/systemd.
+#
+type init_var_lib_t;
+files_type(init_var_lib_t)
+
+#
 # initctl_t is the type of the named pipe created
 # by init during initialization.  This pipe is used
 # to communicate with init.
-- 
2.0.4

[refpolicy] [PATCH 2/8] Introduce init_search_run interface

[Nicolas Iooss]

---
 policy/modules/system/init.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 15483b04d67f..921796e547e3 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -1594,6 +1594,25 @@ interface(`init_dontaudit_read_script_status_files',`
 	dontaudit $1 initrc_state_t:file read_file_perms;
 ')
 
+######################################
+## <summary>
+##	Search the /run/systemd directory.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_search_run',`
+	gen_require(`
+		type init_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 init_var_run_t:dir search_dir_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read init script temporary data.
-- 
2.0.4

[refpolicy] [PATCH 3/8] Label systemd-journald files and directories

[Nicolas Iooss]

---
 policy/modules/system/logging.fc | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 374fb53ee0fd..fc3c0854f5a7 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
 /dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/log		-l	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -17,6 +18,8 @@
 /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/usr/lib/systemd/systemd-journald	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+
 /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
 /usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/rklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
@@ -61,12 +64,17 @@ ifdef(`distro_redhat',`
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
 /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
 /var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
+/var/run/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+/var/run/log/journal(/.*)?	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/rsyslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/syslog-ng\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/systemd/journal(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/systemd/journal/syslog		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/dev-log	-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
 /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
-- 
2.0.4

[refpolicy] [PATCH 3/8] Label systemd-journald files and directories

[Dominick Grift]

On Sat, Aug 23, 2014 at 03:59:37PM +0200, Nicolas Iooss wrote:
> ---
>  policy/modules/system/logging.fc | 8 ++++++++
>  1 file changed, 8 insertions(+)
> 
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index 374fb53ee0fd..fc3c0854f5a7 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -1,4 +1,5 @@
>  /dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
> +/dev/log		-l	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
>  

The solution I chose for my personal policy is to just keep the links
device_t. In my opinion it keeps things a bit simpler.

I may be overlooking an compelling argument to label the link with
a private type.

-- 
http://subkeys.pgp.net:11371/pks/lookup?search=0x02DFF788&op=index
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140823/9b6f9549/attachment.bin 

[refpolicy] [PATCH 3/8] Label systemd-journald files and directories

[Nicolas Iooss]

2014-08-23 16:29 GMT+02:00 Dominick Grift wrote:
> On Sat, Aug 23, 2014 at 03:59:37PM +0200, Nicolas Iooss wrote:
>> ---
>>  policy/modules/system/logging.fc | 8 ++++++++
>>  1 file changed, 8 insertions(+)
>>
>> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
>> index 374fb53ee0fd..fc3c0854f5a7 100644
>> --- a/policy/modules/system/logging.fc
>> +++ b/policy/modules/system/logging.fc
>> @@ -1,4 +1,5 @@
>>  /dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
>> +/dev/log		-l	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
>>  
> 
> The solution I chose for my personal policy is to just keep the links
> device_t. In my opinion it keeps things a bit simpler.
> 
> I may be overlooking an compelling argument to label the link with
> a private type.

The reasons which explain why I did this are:

(a) refpolicy already supports reading devlog_t symlinks [1].
(b) I believed "device_t" was to be understood as meaning "things which
are not yet precisely labeled in /dev".
(c) I believed only few domains were allowed to read device_t:lnk_files.

Even if (a) is an established fact, (b) is in fact false, as every
symlink in /dev but /dev/log is labeled as device_t. (c) is also false,
as the set of domains returned by "sesearch -A -t device_t -c lnk_file
-p read" includes all of the domains returned by the same search with
devlog_t on my system.

Moreover I agree with your argument "it keeps things a bit simple", as
keeping /dev/log labeled as device_t makes patch 5/8 useless.

So I'll wait for other comments on this patchset and then submit a v2.

Thanks for your review,

Nicolas

[1]
https://github.com/TresysTechnology/refpolicy/blob/4451a6c4976cdb19425b80d66ae30c7a5ea15b8f/policy/modules/system/logging.if#L536

[refpolicy] [PATCH 3/8] Label systemd-journald files and directories

[Dominick Grift]

On Sat, Aug 23, 2014 at 05:41:17PM +0200, Nicolas Iooss wrote:
> 2014-08-23 16:29 GMT+02:00 Dominick Grift wrote:
> > On Sat, Aug 23, 2014 at 03:59:37PM +0200, Nicolas Iooss wrote:
> >> ---
> >>  policy/modules/system/logging.fc | 8 ++++++++
> >>  1 file changed, 8 insertions(+)
> >>
> >> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> >> index 374fb53ee0fd..fc3c0854f5a7 100644
> >> --- a/policy/modules/system/logging.fc
> >> +++ b/policy/modules/system/logging.fc
> >> @@ -1,4 +1,5 @@
> >>  /dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
> >> +/dev/log		-l	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
> >>  
> > 
> > The solution I chose for my personal policy is to just keep the links
> > device_t. In my opinion it keeps things a bit simpler.
> > 
> > I may be overlooking an compelling argument to label the link with
> > a private type.
> 
> The reasons which explain why I did this are:
> 
> (a) refpolicy already supports reading devlog_t symlinks [1].
> (b) I believed "device_t" was to be understood as meaning "things which
> are not yet precisely labeled in /dev".
> (c) I believed only few domains were allowed to read device_t:lnk_files.

Yes, in my policy I did something that I am not really proud of

In refpolicy (I believe) anyone associated with domain (which is pretty much any process) can traverse device_t dirs.
However in my policy the devices_search() macro uses a "dirs search" classmapping, which really extends "dir search" with "lnk_file read"

So in practice any domain is allowed to traverse device_t dirs, and is additionally allowed to read device_t symlinks

A bit overkill, and should probably revisit that if only for the sake of efficiency 

(In fact i will add that to my TODO list right now)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 648 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20140823/63f52474/attachment.bin 

[refpolicy] [PATCH 3/8] Label systemd-journald files and directories

[Christopher J. PeBenito]

On 8/23/2014 11:41 AM, Nicolas Iooss wrote:
> 2014-08-23 16:29 GMT+02:00 Dominick Grift wrote:
>> On Sat, Aug 23, 2014 at 03:59:37PM +0200, Nicolas Iooss wrote:
>>> ---
>>>  policy/modules/system/logging.fc | 8 ++++++++
>>>  1 file changed, 8 insertions(+)
>>>
>>> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
>>> index 374fb53ee0fd..fc3c0854f5a7 100644
>>> --- a/policy/modules/system/logging.fc
>>> +++ b/policy/modules/system/logging.fc
>>> @@ -1,4 +1,5 @@
>>>  /dev/log		-s	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
>>> +/dev/log		-l	gen_context(system_u:object_r:devlog_t,mls_systemhigh)
>>>  
>>
>> The solution I chose for my personal policy is to just keep the links
>> device_t. In my opinion it keeps things a bit simpler.

I agree.

>> I may be overlooking an compelling argument to label the link with
>> a private type.

I can't think of any examples of that for system controlled objects.


> The reasons which explain why I did this are:
> 
> (a) refpolicy already supports reading devlog_t symlinks [1].

It a vestige of the NSA example policy.  Since we don't label the
symlink devlog_t anymore, we should remove the rules.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

[refpolicy] [PATCH 3/8] Label systemd-journald files and directories

[Nicolas Iooss]

2014-08-25 14:32 GMT+02:00 Christopher J. PeBenito:
> On 8/23/2014 11:41 AM, Nicolas Iooss wrote:
> > (a) refpolicy already supports reading devlog_t symlinks [1].
>
> It a vestige of the NSA example policy.  Since we don't label the
> symlink devlog_t anymore, we should remove the rules.

Actually it seems that this rule has been added a few days after the
initial SVN import, by commit 5a9522111548 ("add devlog_t symlink to
loggers") [1].  If the arguments which explain this commit from 2005 no
longer apply, I agree we should remove this rule to prevent future
confusion.

Wkr,

Nicolas

[1]
https://github.com/TresysTechnology/refpolicy/commit/5a952211154895a2da79c78ad6ee45b8dca089a2

[refpolicy] [PATCH 4/8] Support logging with /run/systemd/journal/dev-log

[Nicolas Iooss]

In June 2014 systemd moved the socket used by journald to /run.  This
requires two new directory search access for every domain sending syslog
messages:

* /run/systemd/ (handled by init_search_run)
* /run/systemd/journal/ (labeled syslogd_var_run_t)

systemd commit:
http://cgit.freedesktop.org/systemd/systemd/commit/units/systemd-journald-dev-log.socket?id=03ee5c38cb0da193dd08733fb4c0c2809cee6a99
---
 policy/modules/system/logging.if | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 4e94884637dc..21c4f522515b 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -530,12 +530,16 @@ interface(`logging_log_filetrans',`
 #
 interface(`logging_send_syslog_msg',`
 	gen_require(`
-		type syslogd_t, devlog_t;
+		type syslogd_t, syslogd_var_run_t, devlog_t;
 	')
 
 	allow $1 devlog_t:lnk_file read_lnk_file_perms;
 	allow $1 devlog_t:sock_file write_sock_file_perms;
 
+	# systemd journal socket is in /run/systemd/journal/dev-log
+	init_search_run($1)
+	allow $1 syslogd_var_run_t:dir search_dir_perms;
+
 	# the type of socket depends on the syslog daemon
 	allow $1 syslogd_t:unix_dgram_socket sendto;
 	allow $1 syslogd_t:unix_stream_socket connectto;
-- 
2.0.4

[refpolicy] [PATCH 5/8] Label /dev/log symlink at boot time with systemd

[Nicolas Iooss]

systemd creates /dev/log as a symlink to /run/systemd/journal/dev-log
when staring the Journal Socket Unit.  Add an interface to logging
module to label this symlink correctly.

Please note this is distinct from what Fedora does in its policy:
https://git.fedorahosted.org/cgit/selinux-policy.git/tree/policy/modules/system/logging.if?h=rawhide-base&id=f85b52d1c6805e9b0a8bd2a4a4332e66e4b52c00#n611

Here is the unit file responsible for creating the symlink:
http://cgit.freedesktop.org/systemd/systemd/tree/units/systemd-journald-dev-log.socket?id=v215
---
 policy/modules/system/init.te    |  3 +++
 policy/modules/system/logging.if | 19 +++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index b57637504939..a46d0837a85b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -123,6 +123,9 @@ files_pid_filetrans(init_t, init_var_run_t, file)
 allow init_t initctl_t:fifo_file manage_fifo_file_perms;
 dev_filetrans(init_t, initctl_t, fifo_file)
 
+# Create /dev/log symlink to /run/systemd/journal/dev-log
+logging_filetrans_devlog_lnk(init_t)
+
 # Modify utmp.
 allow init_t initrc_var_run_t:file { rw_file_perms setattr };
 
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 21c4f522515b..b378fa73304a 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1089,3 +1089,22 @@ interface(`logging_admin',`
 	logging_admin_audit($1, $2)
 	logging_admin_syslog($1, $2)
 ')
+
+########################################
+## <summary>
+##	Automatic type transition when creating
+##	/dev/log symbolic link.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_filetrans_devlog_lnk',`
+	gen_require(`
+		type devlog_t;
+	')
+
+	dev_filetrans($1, devlog_t, lnk_file, "log")
+')
-- 
2.0.4

[refpolicy] [PATCH 6/8] Allow journald to read the kernel ring buffer and to use /dev/kmsg

[Nicolas Iooss]

audit.log shows that journald needs to read the kernel ring buffer:

    avc:  denied  { syslog_read } for  pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1

Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
---
 policy/modules/kernel/devices.if | 18 ++++++++++++++++++
 policy/modules/system/logging.te |  3 +++
 2 files changed, 21 insertions(+)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index e9ef45641b6c..9744d63ea7ad 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -2198,6 +2198,24 @@ interface(`dev_write_kmsg',`
 
 ########################################
 ## <summary>
+##	Read and write to the kernel messages device
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dev_rw_kmsg',`
+	gen_require(`
+		type device_t, kmsg_device_t;
+	')
+
+	rw_chr_files_pattern($1, device_t, kmsg_device_t)
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the ksm devices.
 ## </summary>
 ## <param name="domain">
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 7121340c71d6..e0d9b5ec7b34 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -406,6 +406,7 @@ kernel_read_messages(syslogd_t)
 kernel_read_vm_sysctls(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
+kernel_read_ring_buffer(syslogd_t)
 # /initrd is not umounted before minilog starts
 kernel_dontaudit_search_unlabeled(syslogd_t)
 
@@ -437,6 +438,8 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
 
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
+# Allow access to /dev/kmsg for journald
+dev_rw_kmsg(syslogd_t)
 
 domain_use_interactive_fds(syslogd_t)
 
-- 
2.0.4

[refpolicy] [PATCH 7/8] Allow journald to access to the state of all processes

[Nicolas Iooss]

When a process sends a syslog message to journald, journald records
information such as command, executable, cgroup, etc.:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-server.c?id=v215#n589

This needs domain_read_all_domains_state.
---
 policy/modules/system/logging.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index e0d9b5ec7b34..c2fb80d6062e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -442,6 +442,8 @@ dev_read_sysfs(syslogd_t)
 dev_rw_kmsg(syslogd_t)
 
 domain_use_interactive_fds(syslogd_t)
+# Allow access to /proc/ information for journald
+domain_read_all_domains_state(syslogd_t)
 
 files_read_etc_files(syslogd_t)
 files_read_usr_files(syslogd_t)
-- 
2.0.4

[refpolicy] [PATCH 8/8] Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)

[Nicolas Iooss]

Since commit 0fd9dc55, logging.te contains:

  term_write_all_user_ttys(syslogd_t)

As "write" is a superset of "append", this rule is no longer needed:

    term_append_unallocated_ttys(syslogd_t)

While at it, add a comment which explains why
term_dontaudit_setattr_unallocated_ttys is needed.
---
 policy/modules/system/logging.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index c2fb80d6062e..6b40bd5a146f 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -482,7 +482,7 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
 	# and high priority messages to /dev/tty12
-	term_append_unallocated_ttys(syslogd_t)
+	# and chown/chgrp/chmod /dev/tty12, which is denied
 	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
 ')
 
-- 
2.0.4