commit: 634b4ae6e433169248722aa27c12b75c302ddac6
Author: Dave Sugar <dsugar100 <AT> gmail <DOT> com>
AuthorDate: Thu Sep 14 19:44:07 2023 +0000
Commit: Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Fri Oct 6 15:30:52 2023 +0000
URL:
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=634b4ae6
separate domain for journalctl during init
During system boot, when systemd-journal-catalog-update.service is
started, it fails because initrc_t doesn't have access to write
systemd_journal_t files/dirs. This change is to run journalctl in a
different domain during system startup (systemd_journal_init_t) to allow
the access necessary to run.
× systemd-journal-catalog-update.service - Rebuild Journal Catalog
Loaded: loaded
(/usr/lib/systemd/system/systemd-journal-catalog-update.service; static)
Active: failed (Result: exit-code) since Wed 2023-09-13 12:51:28 GMT;
10min ago
Docs: man:systemd-journald.service(8)
man:journald.conf(5)
Process: 1626 ExecStart=journalctl --update-catalog (code=exited,
status=1/FAILURE)
Main PID: 1626 (code=exited, status=1/FAILURE)
CPU: 102ms
Sep 13 12:51:28 localhost systemd[1]: Starting Rebuild Journal Catalog...
Sep 13 12:51:28 localhost journalctl[1626]: Failed to open database for
writing: /var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to write
/var/lib/systemd/catalog/database: Permission denied
Sep 13 12:51:28 localhost journalctl[1626]: Failed to list catalog:
Permission denied
Sep 13 12:51:28 localhost systemd[1]:
systemd-journal-catalog-update.service: Main process exited, code=exited,
status=1/FAILURE
Sep 13 12:51:28 localhost systemd[1]:
systemd-journal-catalog-update.service: Failed with result 'exit-code'.
Sep 13 12:51:28 localhost systemd[1]: Failed to start Rebuild Journal
Catalog.
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied {
write } for pid=1631 comm="journalctl" name="catalog" dev="dm-10" ino=131106
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied {
add_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU"
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied {
create } for pid=1631 comm="journalctl" name=".#database6ZdcMU"
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.328:136): avc: denied {
write } for pid=1631 comm="journalctl"
path="/var/lib/systemd/catalog/.#database6ZdcMU" dev="dm-10" ino=131204
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:137): avc: denied {
setattr } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10"
ino=131204 scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied {
remove_name } for pid=1631 comm="journalctl" name=".#database6ZdcMU"
dev="dm-10" ino=131204 scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied {
rename } for pid=1631 comm="journalctl" name=".#database6ZdcMU" dev="dm-10"
ino=131204 scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
node=localhost type=AVC msg=audit(1692308998.330:138): avc: denied {
unlink } for pid=1631 comm="journalctl" name="database" dev="dm-10" ino=131133
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar100 <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>
policy/modules/system/logging.if | 19 +++++++++++++++++++
policy/modules/system/systemd.fc | 1 +
policy/modules/system/systemd.te | 35 ++++++++++++++++++++++++++++++++++-
3 files changed, 54 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 681385d50..763926dac 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -845,6 +845,25 @@ interface(`logging_watch_runtime_dirs',`
allow $1 syslogd_runtime_t:dir watch;
')
+########################################
+## <summary>
+## Connect syslog varlink socket files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_stream_connect_journald_varlink',`
+ gen_require(`
+ type syslogd_runtime_t, syslogd_t;
+ ')
+
+ init_search_run($1)
+ stream_connect_pattern($1, syslogd_runtime_t, syslogd_runtime_t,
syslogd_t)
+')
+
########################################
## <summary>
## Delete the syslog socket files
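Review bot: The interface summary `## Connect syslog varlink socket files.` is narrower than what the body grants and reads awkwardly: stream_connect_pattern on syslogd_runtime_t permits connecting to every socket file carrying that type, not only the varlink one, so the summary should say the grant is by type, e.g. `## Connect to the journald varlink socket, which is labeled syslogd_runtime_t.`. The body also calls `init_search_run($1)` while the systemd.te hunk of this same commit uses `init_search_runtime(...)` for the same kind of runtime-directory search; if one of the two is a legacy alias of the other, the new interface should use the current name so the two modules stay consistent. The `<param>` block is fine as written.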
diff --git a/policy/modules/system/systemd.fc b/policy/modules/system/systemd.fc
index 5b3eb7c84..ac64a5d5c 100644
--- a/policy/modules/system/systemd.fc
+++ b/policy/modules/system/systemd.fc
@@ -3,6 +3,7 @@
/etc/systemd/dont-synthesize-nobody --
gen_context(system_u:object_r:systemd_conf_t,s0)
/etc/udev/hwdb\.bin --
gen_context(system_u:object_r:systemd_hwdb_t,s0)
+/usr/bin/journalctl --
gen_context(system_u:object_r:systemd_journalctl_exec_t,s0)
/usr/bin/systemd-analyze --
gen_context(system_u:object_r:systemd_analyze_exec_t,s0)
/usr/bin/systemd-cgtop --
gen_context(system_u:object_r:systemd_cgtop_exec_t,s0)
/usr/bin/systemd-coredump --
gen_context(system_u:object_r:systemd_coredump_exec_t,s0)
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index b60d5729d..4f1c4c856 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -150,9 +150,12 @@ type systemd_hwdb_t;
files_type(systemd_hwdb_t)
type systemd_journal_t;
-files_type(systemd_journal_t)
logging_log_file(systemd_journal_t)
+type systemd_journal_init_t;
+type systemd_journalctl_exec_t;
+init_system_domain(systemd_journal_init_t, systemd_journalctl_exec_t)
+
type systemd_locale_t;
type systemd_locale_exec_t;
init_system_domain(systemd_locale_t, systemd_locale_exec_t)
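Review bot: The new domain and its entry type are named inconsistently: `systemd_journal_init_t` is paired with `systemd_journalctl_exec_t`, whereas the surrounding declarations (`systemd_locale_t` / `systemd_locale_exec_t` in the same hunk) follow the refpolicy convention of one stem for both the domain and its `_exec_t` type. Picking a single stem, e.g. `systemd_journalctl_init_t` with `systemd_journalctl_init_exec_t` or keeping `systemd_journal_init_t` with `systemd_journal_init_exec_t`, would let readers and interface names refer to the pair unambiguously. The name `systemd_journal_init_t` also reads as "journald's init domain" rather than "journalctl run from init", which the explanatory comment later in the file has to correct; worth settling before other modules start depending on the type name.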
@@ -771,6 +774,36 @@ init_search_runtime(systemd_hw_t)
seutil_read_config(systemd_hw_t)
seutil_read_file_contexts(systemd_hw_t)
+#######################################
+#
+# journald local policy
+#
+# During system boot, the service systemd-journal-catalog-update.service
+# runs journalctl with the switch --update-catalog which needs manage
+# permissions for systemd_journal_t files. Transitioning from initrc_t
+# into systemd_journal_init_t for this operation limits write access
+# to sysemd_journal_t files to only the systemd_journal_init_t domain.
+#
+
+dontaudit systemd_journal_init_t self:capability net_admin;
+
+manage_files_pattern(systemd_journal_init_t, systemd_journal_t,
systemd_journal_t)
+
+fs_getattr_cgroup(systemd_journal_init_t)
+fs_search_cgroup_dirs(systemd_journal_init_t)
+
+kernel_getattr_proc(systemd_journal_init_t)
+kernel_read_kernel_sysctls(systemd_journal_init_t)
+kernel_read_system_state(systemd_journal_init_t)
+
+init_read_state(systemd_journal_init_t)
+init_search_var_lib_dirs(systemd_journal_init_t)
+
+logging_send_syslog_msg(systemd_journal_init_t)
+logging_stream_connect_journald_varlink(systemd_journal_init_t)
+
+miscfiles_read_localization(systemd_journal_init_t)
+
#######################################
#
# locale local policy
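Review bot: The header comment opening this hunk is misleading: `# journald local policy` names the daemon's policy, which lives under syslogd_t in logging.te, while the block that follows governs the systemd_journal_init_t domain that journalctl runs in at boot; rename it `# journalctl init local policy` and fix `sysemd_journal_t` to `systemd_journal_t` in the explanatory paragraph. That paragraph also over-states the effect: the transition stops initrc_t from needing write access to systemd_journal_t, it does not make systemd_journal_init_t the only writer (journald itself must still manage those files), so `limits write access to sysemd_journal_t files to only the systemd_journal_init_t domain` should read along the lines of `avoids granting initrc_t write access to systemd_journal_t files`. On the grant itself, manage_files_pattern on systemd_journal_t covers every AVC quoted in the description (dir write/add_name/remove_name, file create/write/setattr/rename/unlink), but it also confers unlink and rename on everything else that carries the type; if systemd_journal_t labels more than /var/lib/systemd/catalog — for instance the persistent journal — this boot-time domain could remove or replace log data, so the type's scope in systemd.fc should be confirmed against the catalog-only intent, which cannot be checked from this hunk.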