Bug 460108

Summary: app-admin/ulogd - selinux policy patches
Product: Gentoo Linux    Reporter: vespian <gentooorg>
Component: SELinux    Assignee: Sven Vermeulen (RETIRED) <swift>
Status: VERIFIED FIXED    
Severity: normal CC: selinux
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: sec-policy r1 upstream
Package list:
Runtime testing required: ---
Attachments: 0001-Ulogd-policy-fixes.patch
emerge --info output

Description vespian 2013-03-03 11:56:59 UTC
This patch fixes:
 - ulogd handling NFLOG log sources
 - add missing capabilities to the process
 - allow for reading ngroups_max /proc entries


Reproducible: Always
Comment 1 vespian 2013-03-03 11:57:36 UTC
Created attachment 340838 [details, diff]
0001-Ulogd-policy-fixes.patch
Comment 2 vespian 2013-03-03 11:59:08 UTC
Created attachment 340840 [details]
emerge --info output
Comment 3 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-07 19:41:04 UTC
You don't happen to have the errors related to this?
Comment 4 vespian 2013-03-07 20:11:17 UTC
You mean the patch? No, I do not.

I have 9999 policy unmasked and *_LIVE_REPO/*_LIVE_BRANCH env variables for all selinux policy ebuilds. This patch is taken directly from the branch I am using to compile selinux policy ebuilds. This branch is currently based on:

687213ceddfd14ca72f9ec01dd5b26df86fb6b7e - "Installing live ebuilds requires sandbox to write the srcrepo directories"

Could you send me the error messages you get?

pr
Comment 5 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-08 18:04:31 UTC
No, not the patch... the errors you have if you don't allow NFLOG log sources, the missing capabilities or read access on ngroups_max.

Updating SELinux policy, if we ever want to be able to upstream the fixes, requires information about the errors of the applications when it is not allowed. This is to ensure that policy fixes are really necessary and not "just" to remove some denials even though there is no lack of functionality or problems (in which case it might be better to dontaudit it).
Comment 6 vespian 2013-03-18 21:47:57 UTC
(In reply to comment #5)
(...)
Hi,


I have verified it using vanilla gentoo converted to selinux and you are right, I have jumped the gun.

The netlink socket permissions are already there; I had not noticed it earlier because I was using the older, stable policy. ngroups_max does not seem to have any influence at all, and adding dontaudit rules for it may be a good idea.

The only thing that is necessary is the setuid and setgid capability:
-allow ulogd_t self:capability { net_admin sys_nice };
+allow ulogd_t self:capability { net_admin sys_nice setuid setgid};

due to the fact that ulogd2 init scripts by default drop privileges to ulogd user (the -u option). 
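Review bot: style nit on the `+` line: the closing brace needs a space before it, i.e. `allow ulogd_t self:capability { net_admin sys_nice setuid setgid };`, matching the formatting of the `-` line it replaces. Granting both capabilities is consistent with the drop order in the ulogd.c snippet quoted later in this bug (setgid() and initgroups() run before setuid()), so setuid alone would still fail at the GID change, and a dontaudit would not do here because the failure is fatal whenever the init script passes -u.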



Thanks
pr
Comment 7 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-19 19:18:11 UTC
Care to give the error messages you got before granting the setuid/setgid permissions? Also, are they both necessary, or is setuid sufficient?
Comment 8 vespian 2013-03-19 19:44:38 UTC
Hi,



Sure, I can even give you the relevant source code snippet :)

In src/ulogd.c (ebuild app-admin/ulogd-2.0.0_beta4), the change_uid variable is set based on the '-u' command line option a few lines earlier.

if (change_uid) {
    ulogd_log(ULOGD_NOTICE, "Changing UID / GID\n");
    /* group first, while still root: needs the setgid capability */
    if (setgid(gid)) {
        ulogd_log(ULOGD_FATAL, "can't set GID %u\n", gid);
        warn_and_exit(daemonize);
    }
    if (setegid(gid)) {
        ulogd_log(ULOGD_FATAL, "can't set effective GID %u\n", gid);
        warn_and_exit(daemonize);
    }
    /* supplementary groups of the target user (also setgid capability) */
    if (initgroups(user, gid)) {
        ulogd_log(ULOGD_FATAL, "can't set user secondary GID\n");
        warn_and_exit(daemonize);
    }
    /* user last: needs the setuid capability; root is gone after this */
    if (setuid(uid)) {
        ulogd_log(ULOGD_FATAL, "can't set UID %u\n", uid);
        warn_and_exit(daemonize);
    }
    if (seteuid(uid)) {
        ulogd_log(ULOGD_FATAL, "can't set effective UID %u\n", uid);
        warn_and_exit(daemonize);
    }
}

The log message is:

Sun Mar 17 23:53:53 2013 <5> ulogd.c:1184 Changing UID / GID
Sun Mar 17 23:53:53 2013 <8> ulogd.c:1186 can't set GID 245

BTW, a word of comment regarding the contradictions in my earlier posts: I am using the 9999 policy now with a local git repo, but the first version of the patch was created using the stable policy and waited ~3 months until I had 'some spare time'. Then I just applied it and responded with "You mean the patch ? No, I do not." without checking it thoroughly first.

pr
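The workflow Sven asks for in comment 5 (collect the denials first, grant only what the daemon actually needs, dontaudit the rest), as an added example that is not part of this bug report or of the ulogd or refpolicy code: a small Python script that folds AVC records for ulogd_t into one rule per target type and object class. The audit lines, PIDs, inode numbers and the sysctl_kernel_t label assumed for /proc/sys/kernel/ngroups_max are constructed.

```python
import re
from collections import defaultdict

# Constructed AVC records (not taken from the bug report): what a pre-patch
# policy would log for a ulogd started with -u. The sysctl_kernel_t label for
# /proc/sys/kernel/ngroups_max is an assumption as well.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1363564433.101:512): avc:  denied  { setgid } for  pid=3391 comm="ulogd" capability=6  scontext=system_u:system_r:ulogd_t:s0 tcontext=system_u:system_r:ulogd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1363564433.101:513): avc:  denied  { setuid } for  pid=3391 comm="ulogd" capability=7  scontext=system_u:system_r:ulogd_t:s0 tcontext=system_u:system_r:ulogd_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1363564433.102:514): avc:  denied  { read } for  pid=3391 comm="ulogd" name="ngroups_max" dev="proc" ino=12345 scontext=system_u:system_r:ulogd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
type=AVC msg=audit(1363564433.102:515): avc:  denied  { read } for  pid=3391 comm="ulogd" name="ngroups_max" dev="proc" ino=12345 scontext=system_u:system_r:ulogd_t:s0 tcontext=system_u:object_r:sysctl_kernel_t:s0 tclass=file permissive=0
"""

# Pull the permission set, source type, target type and class out of one record.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?"
    r"scontext=\w+:\w+:(?P<stype>\w+):\S+\s+"
    r"tcontext=\w+:\w+:(?P<ttype>\w+):\S+\s+"
    r"tclass=(?P<tclass>\w+)"
)

def parse_denials(log_text):
    """Return one (stype, ttype, tclass, perms) tuple per AVC denial line."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            denials.append((m["stype"], m["ttype"], m["tclass"],
                            frozenset(m["perms"].split())))
    return denials

def derive_rules(log_text, domain, dontaudit=()):
    """Collapse the denials for `domain` into one rule per (target, class); pairs
    listed in `dontaudit` (no functional impact, like the ngroups_max read) get a
    dontaudit rule, everything else an allow with exactly the denied perms."""
    perms = defaultdict(set)
    for stype, ttype, tclass, ps in parse_denials(log_text):
        if stype == domain:
            perms[(ttype, tclass)] |= ps
    rules = []
    for (ttype, tclass), ps in sorted(perms.items()):
        verb = "dontaudit" if (ttype, tclass) in dontaudit else "allow"
        target = "self" if ttype == domain else ttype  # e.g. self:capability
        rules.append(f"{verb} {domain} {target}:{tclass} {{ {' '.join(sorted(ps))} }};")
    return rules

if __name__ == "__main__":
    for rule in derive_rules(SAMPLE_AUDIT_LOG, "ulogd_t",
                             dontaudit={("sysctl_kernel_t", "file")}):
        print(rule)
```

The raw rules are what you would check against the denial's functional impact before turning them into the matching refpolicy interface calls.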
Comment 9 Sven Vermeulen (RETIRED) gentoo-dev 2013-03-20 08:39:18 UTC
thanks, committed to live repo, will be in rev13.
Comment 10 Sven Vermeulen (RETIRED) gentoo-dev 2013-05-06 18:25:48 UTC
In main tree, ~arch'ed (20130424-r1 release)
Comment 11 Sven Vermeulen (RETIRED) gentoo-dev 2013-06-16 17:56:42 UTC
Now stable in repo