journald bypassing MAC checks?
Stephen Smalley
sds at tycho.nsa.gov
Wed Apr 23 17:19:26 UTC 2014
On 04/23/2014 12:10 PM, Florian Weimer wrote:
> systemd-journald has a facility where it accepts file descriptors from
> unprivileged local users and reads the log message from them. This is
> done to bypass size restrictions on UNIX domain socket datagram messages.
>
> The code is here in server_process_native_file:
>
> http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-native.c#n286
>
>
> Does this bypass MAC checks because the journald process has different
> privileges than the user who opened the file descriptor?
SELinux would check access by the user process at open time, and then it
would check access by journald on the fd transfer across local socket
IPC (selinux_file_receive hook), and then it would revalidate that
journald still has access when it reads from the fd.
Then I guess the question is what does journald do with the log message
it reads from the file, e.g. does it write it to the journal and then
who is allowed to read from the journal. In a MLS environment, for
example, I would expect the journal to be unreadable except by
systemhigh processes as it might contain data from any level.
More information about the selinux
mailing list