Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-24 Thread Daniel J Walsh
Yes that would be the long term fix.  But it would involve journal
labelling individual data records.  I.e. records from audit.log would be
audit_log_t, while messages from syslog would be var_log_t, or some
other kind of craziness.


On 04/24/2014 11:03 AM, Eric Paris wrote:
> On Thu, 2014-04-24 at 10:59 -0400, Daniel J Walsh wrote:
>> I don't disagree.  I would think the real solution to this would be to
>> not allow sysadm_t to get to SystemHigh, where all of the logging data
>> will be stored.
> make journalctl a userspace object manager and do selinux checks on if
> it can see individual records?  so secadm_t running journalctl would see
> them and sysadm running journalctl wouldn't see them?
>
> Sounds elegant.  Who is going to code it?  *NOT IT!*
>
>> On 04/24/2014 09:22 AM, Eric Paris wrote:
>>> They would be equivalent if and only if journald had CAP_AUDIT_READ.
>>>
>>> I suggest you take CAP_AUDIT_READ away from journald on systems which
>>> need the secadm/sysadmin split (which is a ridiculously stupid split
>>> anyway, but who am I to complain?)
>>>
>>> On Wed, Apr 23, 2014 at 11:52 AM, Daniel J Walsh  wrote:
>>>> Meaning looking at the journal would be equivalent to looking at
>>>> /var/log/audit/audit.log.
>>>>
>>>>
>>>> On 04/23/2014 11:37 AM, Eric Paris wrote:
>>>>> On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
>>>>>> I guess the problem would be that the sysadm_t would be able to look at
>>>>>> the journal which would now contain the audit content.
>>>>> right.  so include it in the sysadm_secadm bool
>>>>>
>>>>>> On 04/23/2014 10:42 AM, Eric Paris wrote:
>>>>>>> On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
>>>>>>>> Here are the capabilities we currently give to sysadm_t with
>>>>>>>> sysadm_secadm 1.0.0 Disabled
>>>>>>>>
>>>>>>>>    allow sysadm_t sysadm_t : capability { chown dac_override
>>>>>>>> dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
>>>>>>>> net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
>>>>>>>> sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
>>>>>>>> sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
>>>>>>>>    allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }
>>>>>>>>
>>>>>>>>    allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;
>>>>>>>>
>>>>>>>> cap_audit_write might be a problem?
>>>>>>> cap_audit_write is fine.
>>>>>>>
>>>>>>> syslogd_t (aka journal) is going to need the new permission
>>>>>>> cap_audit_read.  Also, as steve pointed out, someone may be likely to
>>>>>>> want to be able to disable that permission easily.
>>>>>>>
>>>>>>> -Eric
>>>>>>>
>>>>> ___
>>>>> Selinux mailing list
>>>>> seli...@tycho.nsa.gov
>>>>> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
>>>>> To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
>>>>>
>>>>>
>>>> --
>>>> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
>>>> the body of a message to majord...@vger.kernel.org
>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>> Please read the FAQ at  http://www.tux.org/lkml/



Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-24 Thread Eric Paris
On Thu, 2014-04-24 at 10:59 -0400, Daniel J Walsh wrote:
> I don't disagree.  I would think the real solution to this would be to
> not allow sysadm_t to get to SystemHigh, where all of the logging data
> will be stored.

make journalctl a userspace object manager and do selinux checks on if
it can see individual records?  so secadm_t running journalctl would see
them and sysadm running journalctl wouldn't see them?

Sounds elegant.  Who is going to code it?  *NOT IT!*

> 
> On 04/24/2014 09:22 AM, Eric Paris wrote:
> > They would be equivalent if and only if journald had CAP_AUDIT_READ.
> >
> > I suggest you take CAP_AUDIT_READ away from journald on systems which
> > need the secadm/sysadmin split (which is a ridiculously stupid split
> > anyway, but who am I to complain?)
> >
> > On Wed, Apr 23, 2014 at 11:52 AM, Daniel J Walsh  wrote:
> >> Meaning looking at the journal would be equivalent to looking at
> >> /var/log/audit/audit.log.
> >>
> >>
> >> On 04/23/2014 11:37 AM, Eric Paris wrote:
> >>> On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
> >>>> I guess the problem would be that the sysadm_t would be able to look at
> >>>> the journal which would now contain the audit content.
> >>> right.  so include it in the sysadm_secadm bool
> >>>
> >>>> On 04/23/2014 10:42 AM, Eric Paris wrote:
> >>>>> On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
> >>>>>> Here are the capabilities we currently give to sysadm_t with
> >>>>>> sysadm_secadm 1.0.0 Disabled
> >>>>>>
> >>>>>>    allow sysadm_t sysadm_t : capability { chown dac_override
> >>>>>> dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
> >>>>>> net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
> >>>>>> sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
> >>>>>> sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
> >>>>>>    allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }
> >>>>>>
> >>>>>>    allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;
> >>>>>>
> >>>>>> cap_audit_write might be a problem?
> >>>>> cap_audit_write is fine.
> >>>>>
> >>>>> syslogd_t (aka journal) is going to need the new permission
> >>>>> cap_audit_read.  Also, as steve pointed out, someone may be likely to
> >>>>> want to be able to disable that permission easily.
> >>>>>
> >>>>> -Eric
> >>>>>
> 




Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-24 Thread Daniel J Walsh
I don't disagree.  I would think the real solution to this would be to
not allow sysadm_t to get to SystemHigh, where all of the logging data
will be stored.

On 04/24/2014 09:22 AM, Eric Paris wrote:
> They would be equivalent if and only if journald had CAP_AUDIT_READ.
>
> I suggest you take CAP_AUDIT_READ away from journald on systems which
> need the secadm/sysadmin split (which is a ridiculously stupid split
> anyway, but who am I to complain?)
>
> On Wed, Apr 23, 2014 at 11:52 AM, Daniel J Walsh  wrote:
>> Meaning looking at the journal would be equivalent to looking at
>> /var/log/audit/audit.log.
>>
>>
>> On 04/23/2014 11:37 AM, Eric Paris wrote:
>>> On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
>>>> I guess the problem would be that the sysadm_t would be able to look at
>>>> the journal which would now contain the audit content.
>>> right.  so include it in the sysadm_secadm bool
>>>
>>>> On 04/23/2014 10:42 AM, Eric Paris wrote:
>>>>> On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
>>>>>> Here are the capabilities we currently give to sysadm_t with
>>>>>> sysadm_secadm 1.0.0 Disabled
>>>>>>
>>>>>>    allow sysadm_t sysadm_t : capability { chown dac_override
>>>>>> dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
>>>>>> net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
>>>>>> sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
>>>>>> sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
>>>>>>    allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }
>>>>>>
>>>>>>    allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;
>>>>>>
>>>>>> cap_audit_write might be a problem?
>>>>> cap_audit_write is fine.
>>>>>
>>>>> syslogd_t (aka journal) is going to need the new permission
>>>>> cap_audit_read.  Also, as steve pointed out, someone may be likely to
>>>>> want to be able to disable that permission easily.
>>>>>
>>>>> -Eric
>>>>>



Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-24 Thread Eric Paris
They would be equivalent if and only if journald had CAP_AUDIT_READ.

I suggest you take CAP_AUDIT_READ away from journald on systems which
need the secadm/sysadmin split (which is a ridiculously stupid split
anyway, but who am I to complain?)

On Wed, Apr 23, 2014 at 11:52 AM, Daniel J Walsh  wrote:
> Meaning looking at the journal would be equivalent to looking at
> /var/log/audit/audit.log.
>
>
> On 04/23/2014 11:37 AM, Eric Paris wrote:
>> On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
>>> I guess the problem would be that the sysadm_t would be able to look at
>>> the journal which would now contain the audit content.
>> right.  so include it in the sysadm_secadm bool
>>
>>> On 04/23/2014 10:42 AM, Eric Paris wrote:
>>>> On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
>>>>> Here are the capabilities we currently give to sysadm_t with
>>>>> sysadm_secadm 1.0.0 Disabled
>>>>>
>>>>>    allow sysadm_t sysadm_t : capability { chown dac_override
>>>>> dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
>>>>> net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
>>>>> sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
>>>>> sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
>>>>>    allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }
>>>>>
>>>>>    allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;
>>>>>
>>>>> cap_audit_write might be a problem?
>>>> cap_audit_write is fine.
>>>>
>>>> syslogd_t (aka journal) is going to need the new permission
>>>> cap_audit_read.  Also, as steve pointed out, someone may be likely to
>>>> want to be able to disable that permission easily.
>>>>
>>>> -Eric
>>>>
>>


Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-23 Thread Daniel J Walsh
Meaning looking at the journal would be equivalent to looking at
/var/log/audit/audit.log.


On 04/23/2014 11:37 AM, Eric Paris wrote:
> On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
>> I guess the problem would be that the sysadm_t would be able to look at
>> the journal which would now contain the audit content.
> right.  so include it in the sysadm_secadm bool
>
>> On 04/23/2014 10:42 AM, Eric Paris wrote:
>>> On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
>>>> Here are the capabilities we currently give to sysadm_t with
>>>> sysadm_secadm 1.0.0 Disabled
>>>>
>>>>    allow sysadm_t sysadm_t : capability { chown dac_override
>>>> dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
>>>> net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
>>>> sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
>>>> sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
>>>>    allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }
>>>>
>>>>    allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;
>>>>
>>>> cap_audit_write might be a problem?
>>> cap_audit_write is fine.
>>>
>>> syslogd_t (aka journal) is going to need the new permission
>>> cap_audit_read.  Also, as steve pointed out, someone may be likely to
>>> want to be able to disable that permission easily.
>>>
>>> -Eric
>>>
>


Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-23 Thread Daniel J Walsh
I guess the problem would be that the sysadm_t would be able to look at
the journal which would now contain the audit content.

On 04/23/2014 10:42 AM, Eric Paris wrote:
> On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
>> Here are the capabilities we currently give to sysadm_t with
>> sysadm_secadm 1.0.0 Disabled
>>
>>    allow sysadm_t sysadm_t : capability { chown dac_override
>> dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
>> net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
>> sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
>> sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
>>    allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }
>>
>>    allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;
>>
>> cap_audit_write might be a problem?
> cap_audit_write is fine.
>
> syslogd_t (aka journal) is going to need the new permission
> cap_audit_read.  Also, as steve pointed out, someone may be likely to
> want to be able to disable that permission easily.
>
> -Eric
>



Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-23 Thread Eric Paris
On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
> I guess the problem would be that the sysadm_t would be able to look at
> the journal which would now contain the audit content.

right.  so include it in the sysadm_secadm bool

> 
> On 04/23/2014 10:42 AM, Eric Paris wrote:
> > On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
> >> Here are the capabilities we currently give to sysadm_t with
> >> sysadm_secadm 1.0.0 Disabled
> >>
> >>    allow sysadm_t sysadm_t : capability { chown dac_override
> >> dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
> >> net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
> >> sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
> >> sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
> >>    allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }
> >>
> >>    allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;
> >>
> >> cap_audit_write might be a problem?
> > cap_audit_write is fine.
> >
> > syslogd_t (aka journal) is going to need the new permission
> > cap_audit_read.  Also, as steve pointed out, someone may be likely to
> > want to be able to disable that permission easily.
> >
> > -Eric
> >
> 




Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-23 Thread Eric Paris
On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
> Here are the capabilities we currently give to sysadm_t with
> sysadm_secadm 1.0.0 Disabled
> 
>    allow sysadm_t sysadm_t : capability { chown dac_override
> dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
> net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
> sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
> sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
>    allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }
> 
>    allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;
> 
> cap_audit_write might be a problem?

cap_audit_write is fine.

syslogd_t (aka journal) is going to need the new permission
cap_audit_read.  Also, as steve pointed out, someone may be likely to
want to be able to disable that permission easily.

-Eric

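Eric's two points above, that syslogd_t will need the new cap_audit_read permission and that someone will want to switch it off easily, map directly onto a tunable. The module below is an added example written for this page; it is not from the patch set and not from any shipped policy. The boolean name journald_audit_read is made up here, and the module assumes journald runs in syslogd_t (as Eric says) and that the base policy already declares the capability2 permission audit_read that the kernel introduced alongside the multicast group.

```selinux
policy_module(journald_audit_read, 1.0)

gen_require(`
	type syslogd_t;
')

## <desc>
## <p>Allow journald (running as syslogd_t) to join the kernel audit
## multicast group and receive a copy of every audit record. Leave this
## off on systems that keep secadm_r and sysadm_r separate; otherwise
## anyone who can read the journal can read the audit trail.</p>
## </desc>
gen_tunable(journald_audit_read, false)

# The kernel checks CAP_AUDIT_READ when the multicast membership is added.
# SELinux mediates that capability check as capability2:audit_read, so
# without this rule the join fails with EPERM even while the capability is
# still in journald's bounding set.  (Boolean name is an assumption.)
tunable_policy(`journald_audit_read',`
	allow syslogd_t self:capability2 audit_read;
')
```

Build and load it the usual way (checkmodule/semodule_package or the refpolicy Makefile), then flip it with `setsebool -P journald_audit_read on` only where the sysadm/secadm split does not matter. A module that references capability2 audit_read only loads on a base policy that declares the permission. The capability route Eric suggests is independent of SELinux: a systemd drop-in for systemd-journald.service with `CapabilityBoundingSet=~CAP_AUDIT_READ` removes the capability from the bounding set before any SELinux check is reached, so both controls can be used together.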


Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-23 Thread Daniel J Walsh
Here are the capabilities we currently give to sysadm_t with
sysadm_secadm 1.0.0 Disabled

   allow sysadm_t sysadm_t : capability { chown dac_override
dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
   allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }

   allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;

cap_audit_write might be a problem?

On 04/22/2014 11:57 PM, Eric Paris wrote:
> On Tue, 2014-04-22 at 22:25 -0400, Steve Grubb wrote:
>> On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote:
>>> This is a patch set Eric Paris and I have been working on to add a
>>> restricted capability read-only netlink multicast socket to kernel audit to
>>> enable userspace clients such as systemd/journald to receive audit logs, in
>>> addition to the bidirectional auditd userspace client.
>> Do we have the ability to separate secadm_r and sysadm_r? By allowing this,
>> we will leak to a sysadmin that he is being audited by the security officer.
>> In a lot of cases, they are one and the same person. But for others, they
>> are not. I have a feeling this will cause problems for MLS systems.
> Why?  This requires CAP_AUDIT_READ.  Just don't give CAP_AUDIT_READ to
> places you don't want to have read permission.  Exactly the same as you
> don't give CAP_AUDIT_CONTROL to sysadm_r.  (If we are giving
> CAP_AUDIT_CONTROL to sysadm_r and you think that any file protections
> on /var/log/audit/audit.log are adequate we are fooling ourselves!)
>
>> Also, shouldn't we have an audit event for every attempt to connect to this 
>> socket? We really need to know where this information is getting leaked to.
> We certainly can.  What would you like to see in that event?
>
> -Eric
>
> ___
> Selinux mailing list
> seli...@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.
>
>



Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-23 Thread Eric Paris
On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
 I guess the problem would be that the sysadm_t would be able to look at
 the journal which would now contain the audit content.

right.  so include it in the sysadm_secadm bool

 
 On 04/23/2014 10:42 AM, Eric Paris wrote:
  On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
  Here are the capabilities we currently give to sysadm_t with
  sysadm_secadm 1.0.0 Disabled
 
 allow sysadm_t sysadm_t : capability { chown dac_override
  dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
  net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
  sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
  sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
 allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }
 
 allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;
 
  cap_audit_write might be a problem?
  cap_audit_write is fine.
 
  syslogd_t (aka journal) is going to need the new permission
  cap_audit_read.  Also, as steve pointed out, someone may be likely to
  want to be able to disable that permission easily.
 
  -Eric
 
 




Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-23 Thread Daniel J Walsh
I guess the problem would be that the sysadm_t would be able to look at
the journal which would now contain the audit content.

On 04/23/2014 10:42 AM, Eric Paris wrote:
 On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
 Here are the capabilities we currently give to sysadm_t with
 sysadm_secadm 1.0.0 Disabled

allow sysadm_t sysadm_t : capability { chown dac_override
 dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
 net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
 sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
 sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }

allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;

 cap_audit_write might be a problem?
 cap_audit_write is fine.

 syslogd_t (aka journal) is going to need the new permission
 cap_audit_read.  Also, as steve pointed out, someone may be likely to
 want to be able to disable that permission easily.

 -Eric




Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-23 Thread Daniel J Walsh
Meaning looking at the journal would be equivalent to looking at
/var/log/audit/audit.log.


On 04/23/2014 11:37 AM, Eric Paris wrote:
 On Wed, 2014-04-23 at 11:36 -0400, Daniel J Walsh wrote:
 I guess the problem would be that the sysadm_t would be able to look at
 the journal which would now contain the audit content.
 right.  so include it in the sysadm_secadm bool

 On 04/23/2014 10:42 AM, Eric Paris wrote:
 On Wed, 2014-04-23 at 09:40 -0400, Daniel J Walsh wrote:
 Here are the capabilities we currently give to sysadm_t with
 sysadm_secadm 1.0.0 Disabled

allow sysadm_t sysadm_t : capability { chown dac_override
 dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable
 net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner
 sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice
 sys_resource sys_time sys_tty_config mknod lease audit_write setfcap } ;
allow sysadm_t sysadm_t : capability { setgid setuid sys_chroot }

allow sysadm_t sysadm_t : capability2 { syslog block_suspend } ;

 cap_audit_write might be a problem?
 cap_audit_write is fine.

 syslogd_t (aka journal) is going to need the new permission
 cap_audit_read.  Also, as steve pointed out, someone may be likely to
 want to be able to disable that permission easily.

 -Eric







Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread Eric Paris
On Tue, 2014-04-22 at 22:25 -0400, Steve Grubb wrote:
> On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote:
> > This is a patch set Eric Paris and I have been working on to add a
> > restricted capability read-only netlink multicast socket to kernel audit to
> > enable userspace clients such as systemd/journald to receive audit logs, in
> > addition to the bidirectional auditd userspace client.
> 
> Do we have the ability to separate secadm_r and sysadm_r? By allowing this,
> we will leak to a sysadmin that he is being audited by the security officer.
> In a lot of cases, they are one and the same person. But for others, they are
> not. I have a feeling this will cause problems for MLS systems.

Why?  This requires CAP_AUDIT_READ.  Just don't give CAP_AUDIT_READ to
places you don't want to have read permission.  Exactly the same as you
don't give CAP_AUDIT_CONTROL to sysadm_r.  (If we are giving
CAP_AUDIT_CONTROL to sysadm_r and you think that any file protections
on /var/log/audit/audit.log are adequate we are fooling ourselves!)

> Also, shouldn't we have an audit event for every attempt to connect to this 
> socket? We really need to know where this information is getting leaked to.

We certainly can.  What would you like to see in that event?

-Eric



Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread David Miller
From: Richard Guy Briggs 
Date: Tue, 22 Apr 2014 21:49:29 -0400

> On 14/04/22, David Miller wrote:
>> From: Richard Guy Briggs 
>> Date: Tue, 22 Apr 2014 21:31:52 -0400
>> 
>> > This is a patch set Eric Paris and I have been working on to add a 
>> > restricted
>> > capability read-only netlink multicast socket to kernel audit to enable
>> > userspace clients such as systemd/journald to receive audit logs, in 
>> > addition
>> > to the bidirectional auditd userspace client.
>> 
>> Series applied, thanks Richard.
> 
> Thanks for your patience, David.  Can I assume you adopted the 3 audit
> patches too, because of the dependence?

Yes.


Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread Steve Grubb
On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote:
> This is a patch set Eric Paris and I have been working on to add a
> restricted capability read-only netlink multicast socket to kernel audit to
> enable userspace clients such as systemd/journald to receive audit logs, in
> addition to the bidirectional auditd userspace client.

Do we have the ability to separate secadm_r and sysadm_r? By allowing this, we
will leak to a sysadmin that he is being audited by the security officer. In a
lot of cases, they are one and the same person. But for others, they are not. I
have a feeling this will cause problems for MLS systems.

Also, shouldn't we have an audit event for every attempt to connect to this 
socket? We really need to know where this information is getting leaked to.

-Steve


> Currently, auditd has the CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE capabilities
> (but uses CAP_NET_ADMIN).  The CAP_AUDIT_READ capability will be added for
> use by read-only AUDIT_NLGRP_READLOG multicast group clients to the kaudit
> subsystem.  This will remove the dependence on CAP_NET_ADMIN for the
> multicast read-only socket.
> 
> 
> Patches 1-3 provide a way for per-protocol bind functions to
> signal an error and to be able to clean up after themselves.
> 
> The first netfilter cleanup patch has already been accepted by a netfilter
> maintainer, though I don't see it upstream yet, so it is included for
> completeness.
> 
> The second patch adds the per-protocol bind function return code to signal
> to the netlink code that no further processing should be done and to undo
> the work already done.
> V1: This rev fixes a bug introduced by flattening the code in the last
> posting. *V2: This rev moves the per-protocol bind call above the socket
> exposure call and refactors out the unbind procedure.
> 
> The third provides a way per protocol to undo bind actions on DROP.
> 
> 
> Patches 4-6 implement the audit multicast socket with capability checking.
> 
> The fourth patch adds the bind function capability check to multicast join
> requests for audit.
> 
> The fifth patch adds the audit log read multicast group.  An assumption has
> been made that systemd/journald reside in the initial network namespace. 
> This could be changed to check the actual network namespace of
> systemd/journald should this assumption no longer be true since audit now
> supports all network namespaces.  This version of the patch now directly
> sends the broadcast when the packet is ready rather than waiting until it
> passes the queue.
> 
> The sixth checks if any clients actually exist before sending.
> 
> 
> Since the net tree is busier than the audit tree, conflicts are more likely
> and the audit patches depend on the net patches, it is proposed to have the
> net tree carry this entire patchset for 3.16.  Are the net maintainers ok
> with this?
> 
> 
> https://bugzilla.redhat.com/show_bug.cgi?id=887992
> 
> First posted:  
> https://www.redhat.com/archives/linux-audit/2013-January/msg8.html
> https://lkml.org/lkml/2013/1/27/279
> 
> Please find source for a test program at:
>   http://people.redhat.com/rbriggs/audit-multicast-listen/
> 
> 
> Richard Guy Briggs (6):
>   netlink: simplify nfnetlink_bind
>   netlink: have netlink per-protocol bind function return an error
> code.
>   netlink: implement unbind to netlink_setsockopt
> NETLINK_DROP_MEMBERSHIP
>   audit: add netlink audit protocol bind to check capabilities on
> multicast join
>   audit: add netlink multicast group for log read
>   audit: send multicast messages only if there are listeners
> 
>  include/linux/netlink.h             |  3 +-
>  include/uapi/linux/audit.h          |  8
>  include/uapi/linux/capability.h     |  7 +++-
>  kernel/audit.c                      | 64 ++--
>  net/netfilter/nfnetlink.c           | 10 ++---
>  net/netlink/af_netlink.c            | 70 +--
>  net/netlink/af_netlink.h            |  6 ++-
>  security/selinux/include/classmap.h |  2 +-
>  8 files changed, 135 insertions(+), 35 deletions(-)



Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread Richard Guy Briggs
On 14/04/22, David Miller wrote:
> From: Richard Guy Briggs 
> Date: Tue, 22 Apr 2014 21:31:52 -0400
> 
> > This is a patch set Eric Paris and I have been working on to add a 
> > restricted
> > capability read-only netlink multicast socket to kernel audit to enable
> > userspace clients such as systemd/journald to receive audit logs, in 
> > addition
> > to the bidirectional auditd userspace client.
> 
> Series applied, thanks Richard.

Thanks for your patience, David.  Can I assume you adopted the 3 audit
patches too, because of the dependence?

- RGB

--
Richard Guy Briggs 
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red 
Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545


Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread David Miller
From: Richard Guy Briggs 
Date: Tue, 22 Apr 2014 21:31:52 -0400

> This is a patch set Eric Paris and I have been working on to add a restricted
> capability read-only netlink multicast socket to kernel audit to enable
> userspace clients such as systemd/journald to receive audit logs, in addition
> to the bidirectional auditd userspace client.

Series applied, thanks Richard.


[PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread Richard Guy Briggs
This is a patch set Eric Paris and I have been working on to add a restricted
capability read-only netlink multicast socket to kernel audit to enable
userspace clients such as systemd/journald to receive audit logs, in addition
to the bidirectional auditd userspace client.

Currently, auditd has the CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE capabilities
(but uses CAP_NET_ADMIN).  The CAP_AUDIT_READ capability will be added for use
by read-only AUDIT_NLGRP_READLOG multicast group clients to the kaudit
subsystem.  This will remove the dependence on CAP_NET_ADMIN for the multicast
read-only socket.


Patches 1-3 provide a way for per-protocol bind functions to
signal an error and to be able to clean up after themselves.

The first netfilter cleanup patch has already been accepted by a netfilter
maintainer, though I don't see it upstream yet, so it is included for
completeness.

The second patch adds the per-protocol bind function return code to signal to
the netlink code that no further processing should be done and to undo the work
already done.
V1: This rev fixes a bug introduced by flattening the code in the last posting.
*V2: This rev moves the per-protocol bind call above the socket exposure call
and refactors out the unbind procedure.

The third provides a way per protocol to undo bind actions on DROP.


Patches 4-6 implement the audit multicast socket with capability checking.

The fourth patch adds the bind function capability check to multicast join
requests for audit.

The fifth patch adds the audit log read multicast group.  An assumption has
been made that systemd/journald reside in the initial network namespace.  This
could be changed to check the actual network namespace of systemd/journald
should this assumption no longer be true since audit now supports all network
namespaces.  This version of the patch now directly sends the broadcast when
the packet is ready rather than waiting until it passes the queue.

The sixth checks if any clients actually exist before sending.


Since the net tree is busier than the audit tree, conflicts are more likely and
the audit patches depend on the net patches, it is proposed to have the net
tree carry this entire patchset for 3.16.  Are the net maintainers ok with this?


https://bugzilla.redhat.com/show_bug.cgi?id=887992 

First posted:   
https://www.redhat.com/archives/linux-audit/2013-January/msg8.html
https://lkml.org/lkml/2013/1/27/279

Please find source for a test program at: 
http://people.redhat.com/rbriggs/audit-multicast-listen/


Richard Guy Briggs (6):
  netlink: simplify nfnetlink_bind
  netlink: have netlink per-protocol bind function return an error
code.
  netlink: implement unbind to netlink_setsockopt
NETLINK_DROP_MEMBERSHIP
  audit: add netlink audit protocol bind to check capabilities on
multicast join
  audit: add netlink multicast group for log read
  audit: send multicast messages only if there are listeners

 include/linux/netlink.h             |  3 +-
 include/uapi/linux/audit.h          |  8
 include/uapi/linux/capability.h     |  7 +++-
 kernel/audit.c                      | 64 ++--
 net/netfilter/nfnetlink.c           | 10 ++---
 net/netlink/af_netlink.c            | 70 +--
 net/netlink/af_netlink.h            |  6 ++-
 security/selinux/include/classmap.h |  2 +-
 8 files changed, 135 insertions(+), 35 deletions(-)

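The enforcement this cover letter describes (a client joins the AUDIT_NLGRP_READLOG group on a NETLINK_AUDIT socket, and the audit bind hook added in patch 4 rejects the join unless the caller holds CAP_AUDIT_READ) is easiest to see from the consumer's side. The listener below is an added example written for this page; it is not code from the patch set or from the test program linked above. It assumes a Linux kernel with this series merged (3.16 or later, so that the group number 1 used here is the value of AUDIT_NLGRP_READLOG in <linux/audit.h>) and a caller with CAP_AUDIT_READ in its effective set. The record decoder is kept as a pure function so it can be checked against a constructed buffer without any privilege.

```c
/* Added example for this page: a minimal listener for the read-only audit
 * multicast group introduced by this series. Not the patch set's own code
 * nor the test program linked from the cover letter.
 * Assumes Linux >= 3.16 (AUDIT_NLGRP_READLOG exists) and CAP_AUDIT_READ. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* AUDIT_NLGRP_READLOG is an enum value in <linux/audit.h> since 3.16; it is
 * spelled out here so the example also builds against older headers. */
static const int AUDIT_READLOG_GROUP = 1;

/* One decoded record: the audit message type (e.g. AUDIT_SYSCALL) and its text. */
struct audit_rec {
    unsigned type;
    char text[4096];
};

/* Decode up to max records from a buffer of netlink messages as delivered on
 * the multicast group. Returns the record count, or -1 if the stream carries
 * an NLMSG_ERROR. Pure function: it can be exercised without any privilege. */
int audit_parse_nlmsgs(const void *buf, int len, struct audit_rec *out, int max)
{
    const struct nlmsghdr *nh = buf;
    int n = 0;

    for (; NLMSG_OK(nh, len) && n < max; nh = NLMSG_NEXT(nh, len)) {
        if (nh->nlmsg_type == NLMSG_ERROR)
            return -1;
        if (nh->nlmsg_type == NLMSG_DONE)
            break;
        size_t plen = nh->nlmsg_len - NLMSG_HDRLEN;
        if (plen >= sizeof out[n].text)
            plen = sizeof out[n].text - 1;   /* truncate, never overflow */
        out[n].type = nh->nlmsg_type;
        memcpy(out[n].text, NLMSG_DATA(nh), plen);
        out[n].text[plen] = '\0';            /* audit payloads carry no trailing NUL */
        n++;
    }
    return n;
}

/* Open a NETLINK_AUDIT socket and join the read-only log group. The audit
 * per-protocol bind hook checks CAP_AUDIT_READ at join time, so an
 * unprivileged caller fails here with EPERM instead of silently seeing nothing. */
int audit_mcast_open(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd < 0)
        return -1;

    struct sockaddr_nl sa = { .nl_family = AF_NETLINK };  /* kernel assigns the port id */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) == 0 &&
        setsockopt(fd, SOL_NETLINK, NETLINK_ADD_MEMBERSHIP,
                   &AUDIT_READLOG_GROUP, sizeof AUDIT_READLOG_GROUP) == 0)
        return fd;

    int saved = errno;
    close(fd);
    errno = saved;
    return -1;
}

int main(void)
{
    int fd = audit_mcast_open();
    if (fd < 0) {
        fprintf(stderr, "join audit read-log group: %s%s\n", strerror(errno),
                errno == EPERM ? " (CAP_AUDIT_READ required)" : "");
        return 1;
    }

    char buf[16384];
    struct audit_rec recs[16];
    for (;;) {
        ssize_t r = recv(fd, buf, sizeof buf, 0);
        if (r < 0) {
            if (errno == EINTR)
                continue;
            if (errno == ENOBUFS) {  /* this receiver fell behind: records were dropped */
                fprintf(stderr, "audit multicast: receive queue overflowed, records lost\n");
                continue;
            }
            perror("recv");
            break;
        }
        int n = audit_parse_nlmsgs(buf, (int)r, recs, 16);
        for (int i = 0; i < n; i++)
            printf("type=%u %s\n", recs[i].type, recs[i].text);
    }
    close(fd);
    return 0;
}
```

Build with `cc -o audit-listen audit-listen.c` and run as root or with CAP_AUDIT_READ in the effective set; without it the join fails with EPERM, which is the point Eric makes in this thread: the capability, not the file mode on /var/log/audit/audit.log, is the read gate. Two things worth confirming on a real system: the listener holds neither CAP_AUDIT_WRITE nor CAP_AUDIT_CONTROL, so it can read records but not inject them or change the rule set; and a slow multicast receiver whose socket buffer overflows gets a one-off ENOBUFS from recv() while the kernel keeps broadcasting, so an audit consumer must treat that as lost records rather than a fatal error. For a confined journald the series' classmap change adds audit_read to the SELinux capability2 class, so policy must also grant `allow syslogd_t self:capability2 audit_read;` (the permission Eric says syslogd_t will need), which is what makes it straightforward to gate behind a boolean.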


[PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread Richard Guy Briggs
This is a patch set Eric Paris and I have been working on to add a restricted
capability read-only netlink multicast socket to kernel audit to enable
userspace clients such as systemd/journald to receive audit logs, in addition
to the bidirectional auditd userspace client.

Currently, auditd has the CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE capabilities
(but uses CAP_NET_ADMIN).  The CAP_AUDIT_READ capability will be added for use
by read-only AUDIT_NLGRP_READLOG multicast group clients to the kaudit
subsystem.  This will remove the dependence on CAP_NET_ADMIN for the multicast
read-only socket.


Patches 1-3 provide a way for per-protocol bind functions to
signal an error and to be able to clean up after themselves.

The first netfilter cleanup patch has already been accepted by a netfilter
maintainer, though I don't see it upstream yet, so it is included for
completeness.

The second patch adds the per-protocol bind function return code to signal to
the netlink code that no further processing should be done and to undo the work
already done.
V1: This rev fixes a bug introduced by flattening the code in the last posting.
*V2: This rev moves the per-protocol bind call above the socket exposure call
and refactors out the unbind procedure.

The third provides a way per protocol to undo bind actions on DROP.


Patches 4-6 implement the audit multicast socket with capability checking.

The fourth patch adds the bind function capability check to multicast join
requests for audit.

The fifth patch adds the audit log read multicast group.  An assumption has
been made that systemd/journald reside in the initial network namespace.  This
could be changed to check the actual network namespace of systemd/journald
should this assumption no longer be true since audit now supports all network
namespaces.  This version of the patch now directly sends the broadcast when
the packet is ready rather than waiting until it passes the queue.

The sixth checks if any clients actually exist before sending.


Since the net tree is busier than the audit tree, conflicts are more likely and
the audit patches depend on the net patches, it is proposed to have the net
tree carry this entire patchset for 3.16.  Are the net maintainers ok with this?


https://bugzilla.redhat.com/show_bug.cgi?id=887992 

First posted:   
https://www.redhat.com/archives/linux-audit/2013-January/msg8.html
https://lkml.org/lkml/2013/1/27/279

Please find source for a test program at: 
http://people.redhat.com/rbriggs/audit-multicast-listen/


Richard Guy Briggs (6):
  netlink: simplify nfnetlink_bind
  netlink: have netlink per-protocol bind function return an error
code.
  netlink: implement unbind to netlink_setsockopt
NETLINK_DROP_MEMBERSHIP
  audit: add netlink audit protocol bind to check capabilities on
multicast join
  audit: add netlink multicast group for log read
  audit: send multicast messages only if there are listeners

 include/linux/netlink.h |3 +-
 include/uapi/linux/audit.h  |8 
 include/uapi/linux/capability.h |7 +++-
 kernel/audit.c  |   64 ++--
 net/netfilter/nfnetlink.c   |   10 ++---
 net/netlink/af_netlink.c|   70 +--
 net/netlink/af_netlink.h|6 ++-
 security/selinux/include/classmap.h |2 +-
 8 files changed, 135 insertions(+), 35 deletions(-)

--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread David Miller
From: Richard Guy Briggs r...@redhat.com
Date: Tue, 22 Apr 2014 21:31:52 -0400

 This is a patch set Eric Paris and I have been working on to add a restricted
 capability read-only netlink multicast socket to kernel audit to enable
 userspace clients such as systemd/journald to receive audit logs, in addition
 to the bidirectional auditd userspace client.

Series applied, thanks Richard.
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread Richard Guy Briggs
On 14/04/22, David Miller wrote:
 From: Richard Guy Briggs r...@redhat.com
 Date: Tue, 22 Apr 2014 21:31:52 -0400
 
  This is a patch set Eric Paris and I have been working on to add a 
  restricted
  capability read-only netlink multicast socket to kernel audit to enable
  userspace clients such as systemd/journald to receive audit logs, in 
  addition
  to the bidirectional auditd userspace client.
 
 Series applied, thanks Richard.

Thanks for your patience, David.  Can I assume you adopted the 3 audit
patches too, becuase of the dependence?

- RGB

--
Richard Guy Briggs rbri...@redhat.com
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red 
Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread Steve Grubb
On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote:
 This is a patch set Eric Paris and I have been working on to add a
 restricted capability read-only netlink multicast socket to kernel audit to
 enable userspace clients such as systemd/journald to receive audit logs, in
 addition to the bidirectional auditd userspace client.

Do have the ability to separate of secadm_r and sysadm_r? By allowing this, we 
will leak to a sysadmin that he is being audited by the security officer. In a 
lot of cases, they are one in the same person. But for others, they are not. I 
have a feeling this will cause problems for MLS systems.

Also, shouldn't we have an audit event for every attempt to connect to this 
socket? We really need to know where this information is getting leaked to.

-Steve


 Currently, auditd has the CAP_AUDIT_CONTROL and CAP_AUDIT_WRITE capabilities
 (but uses CAP_NET_ADMIN).  The CAP_AUDIT_READ capability will be added for
 use by read-only AUDIT_NLGRP_READLOG multicast group clients to the kaudit
 subsystem.  This will remove the dependence on CAP_NET_ADMIN for the
 multicast read-only socket.
 
 
 Patches 1-3 provide a way for per-protocol bind functions to
 signal an error and to be able to clean up after themselves.
 
 The first netfilter cleanup patch has already been accepted by a netfilter
 maintainer, though I don't see it upstream yet, so it is included for
 completeness.
 
 The second patch adds the per-protocol bind function return code to signal
 to the netlink code that no further processing should be done and to undo
 the work already done.
 V1: This rev fixes a bug introduced by flattening the code in the last
 posting. *V2: This rev moves the per-protocol bind call above the socket
 exposure call and refactors out the unbind procedure.
 
 The third provides a way per protocol to undo bind actions on DROP.
 
 
 Patches 4-6 implement the audit multicast socket with capability checking.
 
 The fourth patch adds the bind function capability check to multicast join
 requests for audit.
 
 The fifth patch adds the audit log read multicast group.  An assumption has
 been made that systemd/journald reside in the initial network namespace. 
 This could be changed to check the actual network namespace of
 systemd/journald should this assumption no longer be true since audit now
 supports all network namespaces.  This version of the patch now directly
 sends the broadcast when the packet is ready rather than waiting until it
 passes the queue.
 
 The sixth checks if any clients actually exist before sending.
 
 
 Since the net tree is busier than the audit tree, conflicts are more likely
 and the audit patches depend on the net patches, it is proposed to have the
 net tree carry this entire patchset for 3.16.  Are the net maintainers ok
 with this?
 
 
 https://bugzilla.redhat.com/show_bug.cgi?id=887992
 
 First posted:  
 https://www.redhat.com/archives/linux-audit/2013-January/msg8.html
 https://lkml.org/lkml/2013/1/27/279
 
 Please find source for a test program at:
   http://people.redhat.com/rbriggs/audit-multicast-listen/
 
 
 Richard Guy Briggs (6):
   netlink: simplify nfnetlink_bind
   netlink: have netlink per-protocol bind function return an error
 code.
   netlink: implement unbind to netlink_setsockopt
 NETLINK_DROP_MEMBERSHIP
   audit: add netlink audit protocol bind to check capabilities on
 multicast join
   audit: add netlink multicast group for log read
   audit: send multicast messages only if there are listeners
 
  include/linux/netlink.h |3 +-
  include/uapi/linux/audit.h  |8 
  include/uapi/linux/capability.h |7 +++-
  kernel/audit.c  |   64 ++--
 net/netfilter/nfnetlink.c   |   10 ++---
  net/netlink/af_netlink.c|   70
 +-- net/netlink/af_netlink.h|  
  6 ++-
  security/selinux/include/classmap.h |2 +-
  8 files changed, 135 insertions(+), 35 deletions(-)

--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/


Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread David Miller
From: Richard Guy Briggs r...@redhat.com
Date: Tue, 22 Apr 2014 21:49:29 -0400

> On 14/04/22, David Miller wrote:
> > From: Richard Guy Briggs r...@redhat.com
> > Date: Tue, 22 Apr 2014 21:31:52 -0400
> > 
> > > This is a patch set Eric Paris and I have been working on to add a
> > > restricted capability read-only netlink multicast socket to kernel audit
> > > to enable userspace clients such as systemd/journald to receive audit
> > > logs, in addition to the bidirectional auditd userspace client.
> > 
> > Series applied, thanks Richard.
> 
> Thanks for your patience, David.  Can I assume you adopted the 3 audit
> patches too, because of the dependence?

Yes.


Re: [PATCH 0/6][v2] audit: implement multicast socket for journald

2014-04-22 Thread Eric Paris
On Tue, 2014-04-22 at 22:25 -0400, Steve Grubb wrote:
> On Tuesday, April 22, 2014 09:31:52 PM Richard Guy Briggs wrote:
> > This is a patch set Eric Paris and I have been working on to add a
> > restricted capability read-only netlink multicast socket to kernel audit to
> > enable userspace clients such as systemd/journald to receive audit logs, in
> > addition to the bidirectional auditd userspace client.
> 
> Do we have the ability to separate secadm_r and sysadm_r? By allowing this,
> we will leak to a sysadmin that he is being audited by the security officer.
> In a lot of cases, they are one and the same person. But for others, they are
> not. I have a feeling this will cause problems for MLS systems.

Why?  This requires CAP_AUDIT_READ.  Just don't give CAP_AUDIT_READ to
places you don't want to have read permission.  Exactly the same as you
don't give CAP_AUDIT_CONTROL to sysadm_r.  (If we are giving
CAP_AUDIT_CONTROL to sysadm_r and you think that any file protections
on /var/log/audit/audit.log are adequate we are fooling ourselves!)

> Also, shouldn't we have an audit event for every attempt to connect to this
> socket? We really need to know where this information is getting leaked to.

We certainly can.  What would you like to see in that event?

-Eric
