* [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
@ 2011-02-16  6:07 Guido Trentalancia
  2011-02-23 14:19 ` Christopher J. PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Guido Trentalancia @ 2011-02-16  6:07 UTC (permalink / raw)
  To: refpolicy

This patch adds some permissions (through interface calls) needed
by the sysadm role (in particular logging permissions).

diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
--- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te	2011-01-08 19:07:21.214736932 +0100
+++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te	2011-02-15 23:10:39.681408593 +0100
@@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
 ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
+init_stream_connect(sysadm_t)
+
+logging_send_audit_msgs(sysadm_t)
+logging_set_tty_audit(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
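Review bot: the commit message gives no denial or program name to justify logging_send_audit_msgs(sysadm_t) and logging_set_tty_audit(sysadm_t); since sysadm_t is the interactive admin shell domain, each of these grants should cite the AVC denial and the comm= that triggered it so a reviewer can tell whether the access is intended or a symptom of something else running in the wrong domain. The same hunk also adds init_stream_connect(sysadm_t), which is unrelated to logging; say which init system and which program connects to the init socket, or split it into its own patch, because a stream connect to init is a different trust decision from sending audit messages.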

^ permalink raw reply	[flat|nested] 8+ messages in thread

* [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
  2011-02-16  6:07 [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role Guido Trentalancia
@ 2011-02-23 14:19 ` Christopher J. PeBenito
  2011-02-23 19:28   ` Guido Trentalancia
  0 siblings, 1 reply; 8+ messages in thread
From: Christopher J. PeBenito @ 2011-02-23 14:19 UTC (permalink / raw)
  To: refpolicy

On 02/16/11 01:07, Guido Trentalancia wrote:
> This patch adds some permissions (through interface calls) needed
> by the sysadm role (in particular logging permissions).
> 
> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te	2011-01-08 19:07:21.214736932 +0100
> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te	2011-02-15 23:10:39.681408593 +0100
> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>  ubac_fd_exempt(sysadm_t)
>  
>  init_exec(sysadm_t)
> +init_stream_connect(sysadm_t)

Is this on an upstart system?  If so these two rules should probably
turn into init_telinit() and also that interface updated to handle
stream sockets.

> +logging_send_audit_msgs(sysadm_t)

Why is this necessary?

> +logging_set_tty_audit(sysadm_t)
>  
>  # Add/remove user home directories
>  userdom_manage_user_home_dirs(sysadm_t)

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
  2011-02-23 14:19 ` Christopher J. PeBenito
@ 2011-02-23 19:28   ` Guido Trentalancia
  2011-03-01 19:16     ` Christopher J. PeBenito
  2011-03-01 20:02     ` Guido Trentalancia
  0 siblings, 2 replies; 8+ messages in thread
From: Guido Trentalancia @ 2011-02-23 19:28 UTC (permalink / raw)
  To: refpolicy

On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
> On 02/16/11 01:07, Guido Trentalancia wrote:
> > This patch adds some permissions (through interface calls) needed
> > by the sysadm role (in particular logging permissions).
> > 
> > diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> > --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te	2011-01-08 19:07:21.214736932 +0100
> > +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te	2011-02-15 23:10:39.681408593 +0100
> > @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
> >  ubac_fd_exempt(sysadm_t)
> >  
> >  init_exec(sysadm_t)
> > +init_stream_connect(sysadm_t)
> 
> Is this on an upstart system?  If so these two rules should probably
> turn into init_telinit() and also that interface updated to handle
> stream sockets.

I confirm it's an upstart system. At the moment I can't check the
interface that you suggest using. If it is equivalent, then that's
fine. Is it a way to compact things?

Do you think we should use the upstart boolean here?

> > +logging_send_audit_msgs(sysadm_t)
> 
> Why is this necessary?

I am not sure. If I can get some more insight on this I will let you
know later on or tomorrow.

> > +logging_set_tty_audit(sysadm_t)
> >  
> >  # Add/remove user home directories
> >  userdom_manage_user_home_dirs(sysadm_t)

Regards,

Guido


* [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
  2011-02-23 19:28   ` Guido Trentalancia
@ 2011-03-01 19:16     ` Christopher J. PeBenito
  2011-03-01 20:07       ` Guido Trentalancia
  2011-03-01 20:02     ` Guido Trentalancia
  1 sibling, 1 reply; 8+ messages in thread
From: Christopher J. PeBenito @ 2011-03-01 19:16 UTC (permalink / raw)
  To: refpolicy

On 02/23/11 14:28, Guido Trentalancia wrote:
> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
>> On 02/16/11 01:07, Guido Trentalancia wrote:
>>> This patch adds some permissions (through interface calls) needed
>>> by the sysadm role (in particular logging permissions).
>>>
>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te	2011-01-08 19:07:21.214736932 +0100
>>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te	2011-02-15 23:10:39.681408593 +0100
>>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>>>  ubac_fd_exempt(sysadm_t)
>>>  
>>>  init_exec(sysadm_t)
>>> +init_stream_connect(sysadm_t)
>>
>> Is this on an upstart system?  If so these two rules should probably
>> turn into init_telinit() and also that interface updated to handle
>> stream sockets.
> 
> I confirm it's an upstart system. At the moment I can't check the
> interface that you suggest using. If it is equivalent, then that's
> fine. Is it a way to compact things?

It's not completely identical, as init_telinit() uses datagram sockets,
and this has stream sockets.  But init_telinit() may need to be updated
if upstart changed its socket type.

> Do you think we should use the upstart boolean here?

No, it's in the init_telinit() interface.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
  2011-02-23 19:28   ` Guido Trentalancia
  2011-03-01 19:16     ` Christopher J. PeBenito
@ 2011-03-01 20:02     ` Guido Trentalancia
  2011-03-01 20:13       ` Daniel J Walsh
  1 sibling, 1 reply; 8+ messages in thread
From: Guido Trentalancia @ 2011-03-01 20:02 UTC (permalink / raw)
  To: refpolicy

Hello Christopher!

Finally I am getting back on this...

On Wed, 23/02/2011 at 20.28 +0100, Guido Trentalancia wrote:
> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
> > On 02/16/11 01:07, Guido Trentalancia wrote:
> > > This patch adds some permissions (through interface calls) needed
> > > by the sysadm role (in particular logging permissions).
> > > 
> > > diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> > > --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te	2011-01-08 19:07:21.214736932 +0100
> > > +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te	2011-02-15 23:10:39.681408593 +0100
> > > @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
> > >  ubac_fd_exempt(sysadm_t)
> > >  
> > >  init_exec(sysadm_t)
> > > +init_stream_connect(sysadm_t)
> > 
> > Is this on an upstart system?  If so these two rules should probably
> > turn into init_telinit() and also that interface updated to handle
> > stream sockets.
> 
> I confirm it's an upstart system. At the moment I can't check the
> interface that you suggest using. If it is equivalent, then that's
> fine. Is it a way to compact things?
> 
> Do you think we should use the upstart boolean here?
> 
> > > +logging_send_audit_msgs(sysadm_t)
> > 
> > Why is this necessary?
> 
> I am not sure. If I can get some more insight on this I will let you
> know later on or tomorrow.
> 
> > > +logging_set_tty_audit(sysadm_t)
> > >  
> > >  # Add/remove user home directories
> > >  userdom_manage_user_home_dirs(sysadm_t)

I found the following logs about the logging calls:

type=AVC msg=audit(1295734084.283:24): avc:  denied  { create } for  pid=2677 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295734079.261:20): avc:  denied  { create } for  pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295734079.536:21): avc:  denied  { create } for  pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295736796.387:81): avc:  denied  { nlmsg_relay } for  pid=2821 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294619138.946:19637): avc:  denied  { create } for  pid=5744 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294683721.351:42): avc:  denied  { write } for  pid=2670 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket

From the sysadm_t context, I bet this is something interactive from the
console. And I told you already that there are a few problems from the
console. It needs to be checked carefully as soon as you have finished
evaluating and committing the patches that I have already submitted.

Regards,

Guido
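
The denials quoted above are exactly the evidence a reviewer asks for before a grant like logging_send_audit_msgs() goes into sysadm.te. The parser below is an added example, not part of this thread or of refpolicy: it reads audit records like the six quoted in the message (copied verbatim, plus two constructed records, one non-AVC SYSCALL line and one denial against a var_log_t file, to exercise the filter and the non-self target path), groups the denials by source type, target and object class, records which comm= triggered them, and renders the raw allow rule they imply in the style audit2allow would print. The names AVC_RE, FIELD_RE, parse_avc, summarize_denials and raw_allow_rules are my own. The raw rule is only the starting point for the review: in refpolicy the grant is expressed through an interface call such as the logging_send_audit_msgs() used in the patch, not a raw allow in a role module.

```python
"""Summarize SELinux AVC denials from an audit log and derive the raw
allow rules they imply, as an audit2allow-style starting point for review."""
import re
from collections import defaultdict

# Constructed sample: six AVC lines copied from the thread, one constructed
# SYSCALL record (must be ignored) and one constructed file denial.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1295734084.283:24): avc:  denied  { create } for  pid=2677 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295734079.261:20): avc:  denied  { create } for  pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295734079.536:21): avc:  denied  { create } for  pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1295736796.387:81): avc:  denied  { nlmsg_relay } for  pid=2821 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294619138.946:19637): avc:  denied  { create } for  pid=5744 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=AVC msg=audit(1294683721.351:42): avc:  denied  { write } for  pid=2670 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
type=SYSCALL msg=audit(1295734084.283:24): arch=c000003e syscall=41 success=no exit=-13 comm="bash"
type=AVC msg=audit(1295736800.000:82): avc:  denied  { read } for  pid=2900 comm="cat" name="messages" dev=sda1 ino=1234 scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file
"""

# Layout of an AVC record as written by the kernel audit subsystem.
AVC_RE = re.compile(
    r'type=AVC msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+'
    r'(?P<result>denied|granted)\s+\{ (?P<perms>[^}]+) \} for\s+'
    r'(?P<fields>.*?)\s+scontext=(?P<scontext>\S+)\s+'
    r'tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)
# key=value pairs between "for" and "scontext=", values optionally quoted.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def type_of(context):
    """Return the type field of a user:role:type[:range] security context."""
    return context.split(':')[2]


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for others."""
    m = AVC_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec['perms'] = frozenset(rec['perms'].split())
    kv = {k: v.strip('"') for k, v in FIELD_RE.findall(rec.pop('fields'))}
    rec['pid'] = kv.get('pid')
    rec['comm'] = kv.get('comm')
    rec['stype'] = type_of(rec['scontext'])
    # TE rules use 'self' when source and target contexts are identical.
    rec['target'] = ('self' if rec['scontext'] == rec['tcontext']
                     else type_of(rec['tcontext']))
    return rec


def summarize_denials(lines):
    """Group denials by (source type, target, class): perms, comms, count."""
    summary = defaultdict(lambda: {'perms': set(), 'comms': set(), 'count': 0})
    for line in lines:
        rec = parse_avc(line)
        if rec is None or rec['result'] != 'denied':
            continue
        entry = summary[(rec['stype'], rec['target'], rec['tclass'])]
        entry['perms'] |= rec['perms']
        if rec['comm']:
            entry['comms'].add(rec['comm'])
        entry['count'] += 1
    return dict(summary)


def raw_allow_rules(summary):
    """Render each summary entry as a raw TE allow rule (audit2allow style)."""
    rules = []
    for (stype, target, tclass), entry in sorted(summary.items()):
        perms = sorted(entry['perms'])
        perm_str = perms[0] if len(perms) == 1 else '{ ' + ' '.join(perms) + ' }'
        rules.append(f'allow {stype} {target}:{tclass} {perm_str};')
    return rules


if __name__ == '__main__':
    found = summarize_denials(SAMPLE_AUDIT_LOG.splitlines())
    for key, entry in sorted(found.items()):
        print(key, 'count=%d comms=%s' % (entry['count'], sorted(entry['comms'])))
    print('\n'.join(raw_allow_rules(found)))
```

Run on the sample, the netlink_audit_socket entry collapses to a single `{ create nlmsg_relay write }` rule on `self`, all triggered by comm="bash", which is what the question "why is this necessary?" is really asking about: the command, not the rule, is what has to be explained before the interface call is justified.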


* [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
  2011-03-01 19:16     ` Christopher J. PeBenito
@ 2011-03-01 20:07       ` Guido Trentalancia
  2011-03-04 13:15         ` Christopher J. PeBenito
  0 siblings, 1 reply; 8+ messages in thread
From: Guido Trentalancia @ 2011-03-01 20:07 UTC (permalink / raw)
  To: refpolicy

On Tue, 01/03/2011 at 14.16 -0500, Christopher J. PeBenito wrote:
> On 02/23/11 14:28, Guido Trentalancia wrote:
> > On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
> >> On 02/16/11 01:07, Guido Trentalancia wrote:
> >>> This patch adds some permissions (through interface calls) needed
> >>> by the sysadm role (in particular logging permissions).
> >>>
> >>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
> >>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te	2011-01-08 19:07:21.214736932 +0100
> >>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te	2011-02-15 23:10:39.681408593 +0100
> >>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
> >>>  ubac_fd_exempt(sysadm_t)
> >>>  
> >>>  init_exec(sysadm_t)
> >>> +init_stream_connect(sysadm_t)
> >>
> >> Is this on an upstart system?  If so these two rules should probably
> >> turn into init_telinit() and also that interface updated to handle
> >> stream sockets.
> > 
> > I confirm it's an upstart system. At the moment I can't check the
> > interface that you suggest using. If it is equivalent, then that's
> > fine. Is it a way to compact things?
> 
> It's not completely identical, as init_telinit() uses datagram sockets,
> and this has stream sockets.  But init_telinit() may need to be updated
> if upstart changed its socket type.
> 
> > Do you think we should use the upstart boolean here?
> 
> No, it's in the init_telinit() interface.

That's fine to me, good idea! As soon as you commit, I will test.

Regards,

Guido


* [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
  2011-03-01 20:02     ` Guido Trentalancia
@ 2011-03-01 20:13       ` Daniel J Walsh
  0 siblings, 0 replies; 8+ messages in thread
From: Daniel J Walsh @ 2011-03-01 20:13 UTC (permalink / raw)
  To: refpolicy

On 03/01/2011 03:02 PM, Guido Trentalancia wrote:
> Hello Christopher !
> 
> Finally I am getting back on this...
> 
> On Wed, 23/02/2011 at 20.28 +0100, Guido Trentalancia wrote:
>> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
>>> On 02/16/11 01:07, Guido Trentalancia wrote:
>>>> This patch adds some permissions (through interface calls) needed
>>>> by the sysadm role (in particular logging permissions).
>>>>
>>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
>>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te	2011-01-08 19:07:21.214736932 +0100
>>>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te	2011-02-15 23:10:39.681408593 +0100
>>>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>>>>  ubac_fd_exempt(sysadm_t)
>>>>  
>>>>  init_exec(sysadm_t)
>>>> +init_stream_connect(sysadm_t)
>>>
>>> Is this on an upstart system?  If so these two rules should probably
>>> turn into init_telinit() and also that interface updated to handle
>>> stream sockets.
>>
>> I confirm it's an upstart system. At the moment I can't check the
>> interface that you suggest using. If it is equivalent, then that's
>> fine. Is it a way to compact things?
>>
>> Do you think we should use the upstart boolean here?
>>
>>>> +logging_send_audit_msgs(sysadm_t)
>>>
>>> Why is this necessary?
>>
>> I am not sure. If I can get some more insight on this I will let you
>> know later on or tomorrow.
>>
>>>> +logging_set_tty_audit(sysadm_t)
>>>>  
>>>>  # Add/remove user home directories
>>>>  userdom_manage_user_home_dirs(sysadm_t)
> 
> I found the following logs about the logging calls:
> 
> type=AVC msg=audit(1295734084.283:24): avc:  denied  { create } for  pid=2677 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295734079.261:20): avc:  denied  { create } for  pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295734079.536:21): avc:  denied  { create } for  pid=2765 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1295736796.387:81): avc:  denied  { nlmsg_relay } for  pid=2821 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1294619138.946:19637): avc:  denied  { create } for  pid=5744 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> type=AVC msg=audit(1294683721.351:42): avc:  denied  { write } for  pid=2670 comm="bash" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tcontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023 tclass=netlink_audit_socket
> 
> From the sysadm_t context, I bet this is something interactive from the
> console. And I told you already that there are a few problems from the
> console. It needs to be checked carefully as soon as you have finished
> evaluating and committing the patches that I have already submitted.
> 
> Regards,
> 
> Guido
> 
bash has builtin audit logging.


* [refpolicy] [PATCH 9/34]: patch for logging in the sysadm role
  2011-03-01 20:07       ` Guido Trentalancia
@ 2011-03-04 13:15         ` Christopher J. PeBenito
  0 siblings, 0 replies; 8+ messages in thread
From: Christopher J. PeBenito @ 2011-03-04 13:15 UTC (permalink / raw)
  To: refpolicy

On 03/01/11 15:07, Guido Trentalancia wrote:
> On Tue, 01/03/2011 at 14.16 -0500, Christopher J. PeBenito wrote:
>> On 02/23/11 14:28, Guido Trentalancia wrote:
>>> On Wed, 23/02/2011 at 09.19 -0500, Christopher J. PeBenito wrote:
>>>> On 02/16/11 01:07, Guido Trentalancia wrote:
>>>>> This patch adds some permissions (through interface calls) needed
>>>>> by the sysadm role (in particular logging permissions).
>>>>>
>>>>> diff -pruN refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te
>>>>> --- refpolicy-git-15022011-new-before-modification/policy/modules/roles/sysadm.te	2011-01-08 19:07:21.214736932 +0100
>>>>> +++ refpolicy-git-15022011-new-modified/policy/modules/roles/sysadm.te	2011-02-15 23:10:39.681408593 +0100
>>>>> @@ -34,6 +34,10 @@ ubac_file_exempt(sysadm_t)
>>>>>  ubac_fd_exempt(sysadm_t)
>>>>>  
>>>>>  init_exec(sysadm_t)
>>>>> +init_stream_connect(sysadm_t)
>>>>
>>>> Is this on an upstart system?  If so these two rules should probably
>>>> turn into init_telinit() and also that interface updated to handle
>>>> stream sockets.
>>>
>>> I confirm it's an upstart system. At the moment I can't check the
>>> interface that you suggest using. If it is equivalent, then that's
>>> fine. Is it a way to compact things?
>>
>> It's not completely identical, as init_telinit() uses datagram sockets,
>> and this has stream sockets.  But init_telinit() may need to be updated
>> if upstart changed its socket type.
>>
>>> Do you think we should use the upstart boolean here?
>>
>> No, it's in the init_telinit() interface.
> 
> That's fine to me, good idea ! As soon as you commit, I will test.

I think you misunderstand.  I'm not going to commit it until you can
confirm this is telinit (which also happens when you run shutdown).

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

