[Dev] smack setup incomplete, systemd-journal fails

Schaufler, Casey casey.schaufler at intel.com
Mon Dec 23 15:34:24 GMT 2013


> -----Original Message-----
> From: Łukasz Stelmach [mailto:l.stelmach at samsung.com]
> Sent: Monday, December 23, 2013 6:07 AM
> To: Schaufler, Casey
> Cc: dev at lists.tizen.org
> Subject: Re: [Dev] smack setup incomplete, systemd-journal fails
> 
> It was <2013-12-18 śro 20:31>, when Schaufler, Casey wrote:
> >> -----Original Message-----
> >> From: dev-bounces at lists.tizen.org
> >> [mailto:dev-bounces at lists.tizen.org] On Behalf Of Lukasz Stelmach
> >> Sent: Wednesday, December 18, 2013 9:52 AM
> >> To: dev at lists.tizen.org
> >> Subject: [Dev] smack setup incomplete, systemd-journal fails
> >>
> >> Hi,
> >>
> >> I've got quite a recent RD-PQ image: tizen_20131217.8. There is a
> >> problem with systemd-journald failing to start because
> >
> > Where did you get this image? What are you running it on?
> >
> >>
> >> + "Failed to open /dev/kmsg, ignoring: Permission denied"
> >
> > This looks like you don't have the systemd rules file
> > 55-udev-default-smack-rules. This might indicate that the images do
> > not have a current version of systemd. A temporary workaround is:
> >
> > 	chsmack -a '*' /dev/kmsg
> 
> Not that simple :-D The problem is in smack_syslog() from smack_lsm.c.

Well, I won't say that's *the* problem, but it certainly is *a* problem.

 
> With the following patch applied:
> 
> --8<---------------cut here---------------start------------->8---
> diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index
> 3f01cf5..952e8cd 100644
> --- a/security/smack/smack_lsm.c
> +++ b/security/smack/smack_lsm.c
> @@ -226,18 +226,20 @@ static int smack_ptrace_traceme(struct task_struct
> *ptp)  static int smack_syslog(int typefrom_file)  {
>  	int rc = 0;
> +	struct smk_audit_info ad;
>  	struct smack_known *skp = smk_of_current();
> 
>  	if (smack_privileged(CAP_MAC_OVERRIDE))
>  		return 0;
> 
> -	 if (skp != &smack_known_floor)
> +	if (skp != &smack_known_floor)
>  		rc = -EACCES;

This check dates back to the first Smack patches and is based on assumptions that have proven incorrect.

> 
> +	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NONE);
> +	smack_log(skp->smk_known, "", 0, rc, &ad);
>  	return rc;
>  }
> 
> -
>  /*
>   * Superblock Hooks.
>   */
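
Review bot: the added smack_log() call at the end of smack_syslog() passes "" as the object label and 0 as the request, so the audit record it produces carries object="" and an empty requested= field, as the console output quoted below shows. Passing the label the check actually compares against (smack_known_floor.smk_known) and a real access mode would make the denial record self-explanatory. The whitespace fix on the "if (skp != &smack_known_floor)" line and the blank-line removal before the Superblock Hooks comment are unrelated cleanups and would be better as a separate patch.
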
> --8<---------------cut here---------------end--------------->8---
> 
> and console messages:
> 
> --8<---------------cut here---------------start------------->8---
> [    5.542679] type=1400 audit(946697015.045:2): lsm=SMACK fn=smack_syslog action=denied subject="System" object="" requested= pid=1259 comm="systemd-journal"
> Failed to open /dev/kmsg, ignoring: Permission denied
> [...]
> root:~> systemctl status systemd-journald.service
> systemd-journald.service - Journal Service
>    Loaded: loaded (/usr/lib/systemd/system/systemd-journald.service; static)
>    Active: active (running) since Fri 1999-12-31 19:23:34 PST; 10min ago
>      Docs: man:systemd-journald.service(8)
>            man:journald.conf(5)
>  Main PID: 1259 (systemd-journal)
>    Status: "Processing requests..."
>    CGroup: /system.slice/systemd-journald.service
>            └─1259 /usr/lib/systemd/systemd-journald
> 
> [...]
> --8<---------------cut here---------------end--------------->8---
> 
> 
> The cause is more than obvious. However, the solution (at least to me) is not.

A small matter of programming. :-)

Create a global smack_syslog_label.

Initialize smack_syslog_label to the star ("*") label, or the floor ("_") label if you're a stickler for backward compatibility.

Create a smackfs interface "syslog" to get and set the value of smack_syslog_label.

I will work on this today.

> With systemd-journald running with label "System" and not "_" and without
> CAP_MAC_OVERRIDE it gets naked in smack_syslog. We need some kind of a
> solution here.
> 
> --
> Łukasz Stelmach
> Samsung R&D Institute Poland
> Samsung Electronics
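
A userspace C model of the change outlined in the reply above, as an added example that is not part of the original message and is not kernel code: it compares the floor-only check from the quoted patch with a check against a settable smack_syslog_label. The string-based labels, the function names and the rule that the star label admits any subject while any other value must equal the subject's label are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumption: labels are modelled as plain C strings, not struct smack_known. */
static const char *smack_syslog_label = "_";	/* backward-compatible default */

/* Hypothetical stand-in for a write to the proposed smackfs "syslog" file. */
static void smk_set_syslog_label(const char *label)
{
	smack_syslog_label = label;
}

/* The check quoted in the thread: without privilege, only floor passes. */
static int syslog_check_fixed(const char *subject, bool mac_override)
{
	if (mac_override)
		return 0;
	return strcmp(subject, "_") == 0 ? 0 : -EACCES;
}

/*
 * Assumed semantics of the proposal: the kernel log is treated as an object
 * labelled smack_syslog_label. A star object admits every subject, a star
 * subject is always refused, and otherwise the labels must match.
 */
static int syslog_check_label(const char *subject, bool mac_override)
{
	if (mac_override)
		return 0;
	if (strcmp(subject, "*") == 0)
		return -EACCES;
	if (strcmp(smack_syslog_label, "*") == 0)
		return 0;
	return strcmp(subject, smack_syslog_label) == 0 ? 0 : -EACCES;
}

int main(void)
{
	/* The failing case from the thread: journald labelled "System". */
	printf("fixed check, System: %d\n", syslog_check_fixed("System", false));
	printf("label \"_\", System: %d\n", syslog_check_label("System", false));
	smk_set_syslog_label("*");
	printf("label \"*\", System: %d\n", syslog_check_label("System", false));
	smk_set_syslog_label("System");
	printf("label System, floor: %d\n", syslog_check_label("_", false));
	return 0;
}
```
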

