Re: journald bypassing MAC checks?
On 04/23/2014 07:19 PM, Stephen Smalley wrote:
Then I guess the question is what does journald do with the log
message
it reads from the file, e.g. does it write it to the journal and then
who is allowed to read from the journal. In a MLS environment, for
example, I would expect the journal to be unreadable except by
systemhigh processes as it might contain data from any level.
The log message is written to the journal (a file under
/var/log/journal), from where it can be retrieved by the user who
submitted the FD under certain circumstances. The journal log file has
an ACL which grants read permissions to the user, assuming that the
message was routed to the user's UID (which depends on journald
configuration).
However, with Fedora's targeted policy, this might not work because
journald is likely not allowed to read the file.
--
Florian Weimer / Red Hat Product Security Team