This patch fixes:
- ulogd handling NFLOG log sources
- add missing capabilities to the process
- allow for reading ngroups_max /proc entries

Reproducible: Always
Created attachment 340838: 0001-Ulogd-policy-fixes.patch
Created attachment 340840: emerge --info output
You don't happen to have the errors related to this?
You mean the patch? No, I do not. I have the 9999 policy unmasked and *_LIVE_REPO/*_LIVE_BRANCH env variables for all selinux policy ebuilds. This patch is taken directly from the branch I am using to compile the selinux policy ebuilds. This branch is currently based on: 687213ceddfd14ca72f9ec01dd5b26df86fb6b7e - "Installing live ebuilds requires sandbox to write the srcrepo directories"

Could you send me the error messages you get?

pr
No, not the patch... the errors you have if you don't allow NFLOG log sources, the missing capabilities or read access on ngroups_max. Updating SELinux policy, if we ever want to be able to upstream the fixes, requires information about the errors of the applications when it is not allowed. This is to ensure that policy fixes are really necessary and not "just" to remove some denials even though there is no lack of functionality or problems (in which case it might be better to dontaudit it).
(In reply to comment #5) (...)

Hi, I have verified it using vanilla Gentoo converted to SELinux and you are right, I have jumped the gun. The netlink socket permissions are already there; I had not noticed it earlier because I was using the older, stable policy. ngroups_max does not seem to have any influence at all, and adding dontaudit rules for it may be a good idea. The only thing that is necessary is the setuid and setgid capability:

-allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:capability { net_admin sys_nice setuid setgid};

due to the fact that the ulogd2 init scripts by default drop privileges to the ulogd user (the -u option).

Thanks
pr
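Review bot: the `+` line drops the space before the closing brace (`setuid setgid}`) while the `-` line it replaces writes the set as `{ ... }`; keep the same form, `{ net_admin sys_nice setuid setgid }`. The hunk is also pasted without a file header or `@@` context, so state which policy source file the `allow ulogd_t self:capability` rule lives in. Both new capabilities are justified by the ulogd.c code quoted later in this thread: setgid()/setegid() and initgroups() need CAP_SETGID, setuid()/seteuid() need CAP_SETUID, and the posted log stops at "can't set GID 245", which is the setgid() step.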
Care to give the error messages you got before granting the setuid/setgid permissions? Also, are they both necessary, or is setuid sufficient?
Hi, sure, I can even give you the relevant source code snippet :)

In src/ulogd.c (ebuild app-admin/ulogd-2.0.0_beta4), the change_uid variable is set based on the '-u' command line option a few lines earlier:

    /* Drop privileges to the user given with -u. setgid()/setegid() and
     * initgroups() need CAP_SETGID; setuid()/seteuid() need CAP_SETUID. */
    if (change_uid) {
        ulogd_log(ULOGD_NOTICE, "Changing UID / GID\n");
        if (setgid(gid)) {
            ulogd_log(ULOGD_FATAL, "can't set GID %u\n", gid);
            warn_and_exit(daemonize);
        }
        if (setegid(gid)) {
            ulogd_log(ULOGD_FATAL, "can't set effective GID %u\n", gid);
            warn_and_exit(daemonize);
        }
        if (initgroups(user, gid)) {
            ulogd_log(ULOGD_FATAL, "can't set user secondary GID\n");
            warn_and_exit(daemonize);
        }
        if (setuid(uid)) {
            ulogd_log(ULOGD_FATAL, "can't set UID %u\n", uid);
            warn_and_exit(daemonize);
        }
        if (seteuid(uid)) {
            ulogd_log(ULOGD_FATAL, "can't set effective UID %u\n", uid);
            warn_and_exit(daemonize);
        }
    }

The log message is:

    Sun Mar 17 23:53:53 2013 <5> ulogd.c:1184 Changing UID / GID
    Sun Mar 17 23:53:53 2013 <8> ulogd.c:1186 can't set GID 245

BTW - a word of comment regarding contradictions in my earlier posts. I am using the 9999 policy now with a local git repo, but the first version of the patch was created using the stable policy and waited ~3 months till I had 'some spare time'. Then I just applied it and responded with "You mean the patch? No, I do not." without checking it thoroughly first.

pr
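The ulogd.c snippet above logs "can't set GID 245" without the errno, so the operator cannot tell a capability/SELinux denial (EPERM) from a bad id (EINVAL) without reading the audit log. The following is an added example, not ulogd's own code or part of this bug: it performs the same setgid/setegid/initgroups/setuid/seteuid sequence, reports which step failed together with strerror(errno), and verifies afterwards that uid 0 cannot be regained. The enum names, the drop_privileges() helper and the default target account "nobody" are this example's own assumptions.

```c
/* Added example (not ulogd's code): ulogd's privilege-drop sequence with
 * per-step errno reporting, so a CAP_SETGID/CAP_SETUID denial is visible. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical step codes; 0 means every step succeeded. */
enum drop_step {
    DROP_OK = 0,
    DROP_SETGID,      /* setgid()/setegid(): need CAP_SETGID when gid changes */
    DROP_INITGROUPS,  /* initgroups() -> setgroups(): always needs CAP_SETGID */
    DROP_SETUID,      /* setuid()/seteuid(): need CAP_SETUID when uid changes */
    DROP_NOT_DROPPED  /* setuid(0) still works afterwards: drop not effective */
};

/* Drop to uid/gid; when user is non-NULL also load its supplementary groups.
 * Returns the failing step (or DROP_OK) and stores errno of the failure in *err. */
int drop_privileges(uid_t uid, gid_t gid, const char *user, int *err)
{
    *err = 0;
    if (setgid(gid) != 0 || setegid(gid) != 0) {
        *err = errno;
        return DROP_SETGID;
    }
    if (user != NULL && initgroups(user, gid) != 0) {
        *err = errno;
        return DROP_INITGROUPS;
    }
    if (setuid(uid) != 0 || seteuid(uid) != 0) {
        *err = errno;
        return DROP_SETUID;
    }
    /* After a real drop away from root, regaining uid 0 must fail:
     * setuid() as root changes the real, effective and saved uid. */
    if (uid != 0 && setuid(0) == 0)
        return DROP_NOT_DROPPED;
    return DROP_OK;
}

/* Human-readable name of a step, for the log line. */
const char *drop_step_name(int step)
{
    switch (step) {
    case DROP_OK:          return "ok";
    case DROP_SETGID:      return "setgid";
    case DROP_INITGROUPS:  return "initgroups";
    case DROP_SETUID:      return "setuid";
    case DROP_NOT_DROPPED: return "uid 0 still reachable";
    default:               return "unknown";
    }
}

int main(int argc, char **argv)
{
    /* Assumed target account; ulogd would take it from -u. */
    const char *user = argc > 1 ? argv[1] : "nobody";
    struct passwd *pw = getpwnam(user);
    int err, step;

    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", user);
        return 1;
    }
    step = drop_privileges(pw->pw_uid, pw->pw_gid, user, &err);
    if (step != DROP_OK) {
        /* EPERM here is what a missing capability or an SELinux
         * capability denial looks like from inside the process. */
        fprintf(stderr, "privilege drop failed at %s: %s\n",
                drop_step_name(step), strerror(err));
        return 1;
    }
    printf("now running as uid %u gid %u\n",
           (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run it as root under the ulogd_t domain (or with the capabilities stripped) and the failing step plus errno point directly at the capability the policy must grant; run it unprivileged and it fails at the initgroups step, since setgroups() needs CAP_SETGID even for one's own account. Dropping to the caller's own uid/gid without a user name is the one combination that succeeds without any capability.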
thanks, committed to live repo, will be in rev13.
In main tree, ~arch'ed (20130424-r1 release)
Now stable in repo