2019-03-11 16:02:35

by Sugar, David

[permalink] [raw]
Subject: [PATCH] Resolve denial while changing password

I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging. This resolves those denials.

type=AVC msg=audit(1552222811.419:470): avc: denied { search } for pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc: denied { read } for pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc: denied { open } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc: denied { getattr } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1552222811.431:476): avc: denied { sendto } for pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/admin/usermanage.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index b4f8c78c..9d17645f 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -304,6 +304,8 @@ allow passwd_t self:msg { send receive };
allow passwd_t crack_db_t:dir list_dir_perms;
read_files_pattern(passwd_t, crack_db_t, crack_db_t)

+kernel_dgram_send(passwd_t)
+kernel_read_crypto_sysctls(passwd_t)
kernel_read_kernel_sysctls(passwd_t)

# for SSP
--
2.20.1



2019-03-12 01:01:22

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH] Resolve denial while changing password

On 3/11/19 12:02 PM, Sugar, David wrote:
> I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
> and sending message for logging. This resolves those denials.
>
> type=AVC msg=audit(1552222811.419:470): avc: denied { search } for pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1552222811.419:470): avc: denied { read } for pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1552222811.419:470): avc: denied { open } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1552222811.419:471): avc: denied { getattr } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1552222811.431:476): avc: denied { sendto } for pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/admin/usermanage.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index b4f8c78c..9d17645f 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -304,6 +304,8 @@ allow passwd_t self:msg { send receive };
> allow passwd_t crack_db_t:dir list_dir_perms;
> read_files_pattern(passwd_t, crack_db_t, crack_db_t)
>
> +kernel_dgram_send(passwd_t)
> +kernel_read_crypto_sysctls(passwd_t)
> kernel_read_kernel_sysctls(passwd_t)
>
> # for SSP

Merged. I added a comment for the /dev/log usage.

--
Chris PeBenito