From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Tue, 27 May 2014 09:07:04 -0400
Subject: [refpolicy] [PATCH] Allow kern_unconfined domains to use syslog capability
In-Reply-To: <1400862138-4079-1-git-send-email-nicolas.iooss@m4x.org>
References: <1400862138-4079-1-git-send-email-nicolas.iooss@m4x.org>
Message-ID: <53848DF8.40601@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 05/23/2014 12:22 PM, Nicolas Iooss wrote:
> When an unconfined_t root user runs dmesg, the kernel complains with
> this message in its logs (when SELinux is in enforcing mode):
>
> dmesg (16289): Attempt to access syslog with CAP_SYS_ADMIN but no
> CAP_SYSLOG (deprecated).
>
> audit.log contains the following AVC:
>
> avc: denied { syslog } for pid=16289 comm="dmesg" capability=34
> scontext=unconfined_u:unconfined_r:unconfined_t
> tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2
>
> Moreover, policy/modules/kernel/kernel.if defines the
> kernel_read_ring_buffer interface as:
>
> allow $1 self:capability2 syslog;
> allow $1 kernel_t:system syslog_read;
>
> As domains with the kern_unconfined attribute already have all
> kernel_t:system permissions, this patch allows such domains to use
> CAP_SYSLOG.
> ---
> policy/modules/kernel/kernel.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index c7cd4e4..f436490 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -417,6 +417,7 @@ allow kern_unconfined proc_type:{ dir file lnk_file } *; > > allow kern_unconfined sysctl_type:{ dir file } *; > > +allow kern_unconfined self:capability2 syslog; > allow kern_unconfined kernel_t:system *; > > allow kern_unconfined unlabeled_t:dir_file_class_set *;

Unconfined_t's capabilities are currently managed in unconfined.if. That's where this should be fixed.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
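Review bot: the added `allow kern_unconfined self:capability2 syslog;` grants the capability to every domain carrying the kern_unconfined attribute, while the denial in the description is for unconfined_t alone, and every other rule in this block (proc_type, sysctl_type, kernel_t:system, unlabeled_t) is about kernel-side objects rather than a domain's own capabilities; a capability grant belongs with that domain's capability rules (for unconfined_t that is unconfined.if, as the reply says), or the domain can call the existing kernel_read_ring_buffer() interface, whose body already pairs `allow $1 self:capability2 syslog;` with `allow $1 kernel_t:system syslog_read;`, which is the conventional refpolicy shape for exactly this denial. Minor: the new line is placed after a blank line and directly before `allow kern_unconfined kernel_t:system *;`, so it reads as part of the kernel_t group rather than as a separate self rule.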
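Added example, not part of this thread or of refpolicy: a small Python script (Python is my choice here, not anything the list uses) that parses AVC records like the one quoted in the patch description, names the capability behind capability=34 and derives the allow-rule shape the denial corresponds to, so a reviewer can check a proposed rule against the denial it is meant to fix. The capability numbers come from the kernel's include/uapi/linux/capability.h; the first sample line is the AVC from the thread, the other two are constructed for the demo.

```python
"""Decode SELinux AVC capability denials like the one quoted in the patch.

Added example, not code from the refpolicy thread or the refpolicy project.
It parses AVC records, maps the numeric capability to its Linux name and
derives the allow-rule shape a policy writer would check against.
"""
import re

# Linux capability numbers (include/uapi/linux/capability.h). SELinux checks
# capabilities 0..31 against the "capability" class and 32 and above against
# "capability2", which is why the dmesg denial reports capability=34 with
# tclass=capability2. Only a subset of the table is listed here.
CAP_NAMES = {
    0: "CAP_CHOWN",
    1: "CAP_DAC_OVERRIDE",
    2: "CAP_DAC_READ_SEARCH",
    12: "CAP_NET_ADMIN",
    16: "CAP_SYS_MODULE",
    21: "CAP_SYS_ADMIN",
    32: "CAP_MAC_OVERRIDE",
    33: "CAP_MAC_ADMIN",
    34: "CAP_SYSLOG",
    35: "CAP_WAKE_ALARM",
    36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ",
}

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample input. Line 1 is the AVC quoted in the patch description;
# lines 2 and 3 are made up to show a class-"capability" denial (for a
# hypothetical example_t domain) and a non-AVC audit record.
SAMPLE_LINES = [
    'avc: denied { syslog } for pid=16289 comm="dmesg" capability=34 '
    'scontext=unconfined_u:unconfined_r:unconfined_t '
    'tcontext=unconfined_u:unconfined_r:unconfined_t tclass=capability2',
    'type=AVC msg=audit(1400000000.123:45): avc: denied { sys_admin } for '
    'pid=4242 comm="example_daemon" capability=21 '
    'scontext=system_u:system_r:example_t tcontext=system_u:system_r:example_t '
    'tclass=capability',
    'type=SYSCALL msg=audit(1400000000.123:45): arch=c000003e syscall=103 success=no',
]


def parse_avc(line):
    """Return one AVC record as a dict, or None if the line is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, value in FIELD_RE.findall(m.group("fields")):
        rec[key] = value.strip('"')
    if "capability" in rec:
        rec["capability"] = int(rec["capability"])
    return rec


def capability_name(number):
    """Symbolic name for a capability number (placeholder if not in the table)."""
    return CAP_NAMES.get(number, "CAP_UNKNOWN_%d" % number)


def capability_class(number):
    """SELinux object class that carries this capability's permission bit."""
    return "capability" if number < 32 else "capability2"


def suggest_rule(rec):
    """Allow rule that would cover a capability denial, or None for other classes.

    The target is 'self' when source and target contexts match, as in the
    kernel_read_ring_buffer() interface quoted in the thread. This is the shape
    to look for when reviewing a fix; in refpolicy the preferred fix is to call
    an interface that already grants it rather than add a raw allow.
    """
    tclass = rec.get("tclass")
    if tclass not in ("capability", "capability2"):
        return None
    number = rec["capability"]
    if capability_class(number) != tclass:
        # A mismatch means the record is corrupt or the table above is wrong.
        raise ValueError("capability %d is not in class %s" % (number, tclass))
    source = rec["scontext"].split(":")[2]
    target = "self" if rec["scontext"] == rec["tcontext"] else rec["tcontext"].split(":")[2]
    return "allow %s %s:%s { %s };" % (source, target, tclass, " ".join(rec["perms"]))


def triage(lines):
    """Summarise capability denials as (comm, capability name, rule) tuples."""
    out = []
    for line in lines:
        rec = parse_avc(line)
        if rec and rec["result"] == "denied" and "capability" in rec:
            out.append((rec["comm"], capability_name(rec["capability"]), suggest_rule(rec)))
    return out


if __name__ == "__main__":
    for comm, cap, rule in triage(SAMPLE_LINES):
        print("%-16s %-16s %s" % (comm, cap, rule))
```

Run it as-is to see the two denials decoded; to use it on a real audit.log, feed the file's lines to triage() instead of SAMPLE_LINES. The derived rule is a review aid only: for the dmesg case it reproduces the first line of kernel_read_ring_buffer(), which is the interface a domain should call instead of carrying its own allow.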