From: cpebenito@tresys.com (Christopher J. PeBenito)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH] Allow kern_unconfined domains to use syslog capability
Date: Tue, 27 May 2014 09:07:04 -0400
Message-ID: <53848DF8.40601@tresys.com>
In-Reply-To: <1400862138-4079-1-git-send-email-nicolas.iooss@m4x.org>
On 05/23/2014 12:22 PM, Nicolas Iooss wrote:
> When an unconfined_t root user runs dmesg, the kernel complains with
> this message in its logs (when SELinux is in enforcing mode):
>
> dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
> CAP_SYSLOG (deprecated).
>
> audit.log contains the following AVC:
>
> avc: denied { syslog } for pid=16289 comm="dmesg" capability=34
> scontext=unconfined_u:unconfined_r:unconfined_t
> tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
>
> Moreover, policy/modules/kernel/kernel.if defines
> kernel_read_ring_buffer interface as:
>
> allow $1 self:capability2 syslog;
> allow $1 kernel_t:system syslog_read;
>
> As domains with kern_unconfined attribute already have all
> kernel_t:system permissions, this patch allows such domains to use
> CAP_SYSLOG.
> ---
> policy/modules/kernel/kernel.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index c7cd4e4..f436490 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -417,6 +417,7 @@ allow kern_unconfined proc_type:{ dir file lnk_file } *;
>
> allow kern_unconfined sysctl_type:{ dir file } *;
>
> +allow kern_unconfined self:capability2 syslog;
> allow kern_unconfined kernel_t:system *;
>
> allow kern_unconfined unlabeled_t:dir_file_class_set *;
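Review bot: The new `allow kern_unconfined self:capability2 syslog;` sits in a block of kernel.te whose other rules all concern kernel-side objects (proc_type, sysctl_type, kernel_t:system, unlabeled_t), while this one grants a capability on the domain itself; the commit message's justification (kern_unconfined already has `kernel_t:system *`) covers the second half of kernel_read_ring_buffer but not the capability half, which is managed for unconfined_t in unconfined.if. Rather than special-casing one capability for every kern_unconfined domain, grant it where that domain's other capabilities live, or have the unconfined domain call the existing kernel_read_ring_buffer interface, which already pairs `self:capability2 syslog` with `kernel_t:system syslog_read`.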
Unconfined_t's capabilities are currently managed in unconfined.if. That's where this should be fixed.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
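An added example, not code from this thread or from refpolicy: a small Python parser for an "avc: denied" record like the one quoted above. It cross-checks the numeric capability against the permission name and the SELinux object class (the `capability` class carries CAP 0 to 31, `capability2` carries 32 and up, so capability=34 must appear as `capability2 syslog`), then renders the raw allow rule an audit2allow-style tool would emit together with the refpolicy interface the thread names as already covering it. The sample record is constructed from the report's AVC line; `KNOWN_INTERFACES` is my own lookup seeded only with `kernel_read_ring_buffer`, which the message documents.

```python
import re
from dataclasses import dataclass

# Capability numbers from <linux/capability.h>.  SELinux splits them across two
# object classes: "capability" carries CAP_* 0-31, "capability2" carries 32+.
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read",
}

# Hypothetical lookup (not part of refpolicy): which refpolicy interface already
# grants a (class, permission) pair.  Seeded only with the interface the thread
# quotes from kernel.if; extend it from the real .if files as needed.
KNOWN_INTERFACES = {
    ("capability2", "syslog"): "kernel_read_ring_buffer",
}

# Constructed sample, joined from the AVC record in the bug report above.
SAMPLE_AVC = (
    'avc: denied { syslog } for pid=16289 comm="dmesg" capability=34 '
    "scontext=unconfined_u:unconfined_r:unconfined_t "
    "tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2"
)

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class AvcDenial:
    perms: list
    fields: dict

    def type_of(self, key):
        # Contexts are user:role:type[:range]; the type is the third field.
        return self.fields[key].split(":")[2]


def parse_avc(line):
    """Parse one 'avc: denied' record into its permission list and key=value fields."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    return AvcDenial(m.group("perms").split(), fields)


def capability_class(capnum):
    return "capability" if capnum < 32 else "capability2"


def capability_problems(denial):
    """List inconsistencies between capability=N, tclass and the permission name."""
    problems = []
    capnum = int(denial.fields["capability"])
    name = CAP_NAMES.get(capnum)
    if name is None:
        problems.append(f"unknown capability number {capnum}")
        return problems
    if capability_class(capnum) != denial.fields.get("tclass"):
        problems.append(f"CAP {capnum} belongs to class {capability_class(capnum)}")
    if denial.perms != [name]:
        problems.append(f"permission {denial.perms} does not match CAP_{name.upper()}")
    return problems


def suggest_rule(denial):
    """Return (raw allow rule, covering refpolicy interface or None)."""
    stype = denial.type_of("scontext")
    ttype = denial.type_of("tcontext")
    tclass = denial.fields["tclass"]
    if tclass.startswith("capability"):
        problems = capability_problems(denial)
        if problems:
            raise ValueError("; ".join(problems))
    # A domain acting on its own context is written as 'self' in policy.
    target = "self" if ttype == stype else ttype
    rule = f"allow {stype} {target}:{tclass} {' '.join(denial.perms)};"
    return rule, KNOWN_INTERFACES.get((tclass, denial.perms[0]))


if __name__ == "__main__":
    d = parse_avc(SAMPLE_AVC)
    rule, iface = suggest_rule(d)
    print(rule)
    print("covered by interface:", iface)
```

Running the block against the sample prints the one-line rule `allow unconfined_t self:capability2 syslog;` and names kernel_read_ring_buffer as the interface that already carries it; the consistency check exists because a record whose capability number and class disagree is a sign of a mangled or hand-edited log rather than something to turn into policy.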
Thread overview: 4+ messages
2014-05-23 16:22 [refpolicy] [PATCH] Allow kern_unconfined domains to use syslog capability Nicolas Iooss
2014-05-27 13:07 ` Christopher J. PeBenito [this message]
2014-05-28 22:24 ` Nicolas Iooss
2014-05-29 20:42 ` Nicolas Iooss