2018-12-08 18:45:11

by Sugar, David

Subject: [PATCH 0/3] Grant permissions to read fips_enabled

Resolving a few issues with processes trying to read
/proc/sys/crypto/fips_enabled and being denied by SELinux policy.

Dave Sugar (3):
Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
Allow kmod to read /proc/sys/crypto/fips_enabled
Allow dbus to access /proc/sys/crypto/fips_enabled

policy/modules/services/dbus.te | 2 ++
policy/modules/services/xserver.te | 1 +
policy/modules/system/modutils.te | 1 +
3 files changed, 4 insertions(+)

--
2.19.2



2018-12-08 18:45:15

by Sugar, David

Subject: [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled

type=AVC msg=audit(1543761322.221:211): avc: denied { search } for
pid=16826 comm="X" name="crypto" dev="proc" ino=10257
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { read } for
pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { open } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/xserver.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 7d4c0c1b..425f7bd7 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -709,6 +709,7 @@ allow xserver_t xauth_home_t:file read_file_perms;
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t, file)

+kernel_read_crypto_sysctls(xserver_t)
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
kernel_read_modprobe_sysctls(xserver_t)
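Review bot: the commit message justifies the new rule with raw AVC records only; add one sentence saying which component of the X server reads fips_enabled, since the records show nothing beyond comm="X" and a later reader cannot tell whether the access is still needed when that component changes. The records were taken with permissive=1, so the four denials (search on the sysctl_crypto_t directory, then read, open and getattr on the file) are the complete access X attempted, and a read-only grant on sysctl_crypto_t such as kernel_read_crypto_sysctls(xserver_t) is the right scope rather than a broader sysctl interface.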
--
2.19.2


2018-12-08 18:45:38

by Sugar, David

Subject: [PATCH 2/3] Allow kmod to read /proc/sys/crypto/fips_enabled

type=AVC msg=audit(1543769402.716:165): avc: denied { search } for
pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { read } for
pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { open } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/modutils.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index a8125c17..73471401 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -58,6 +58,7 @@ can_exec(kmod_t, kmod_exec_t)

kernel_load_module(kmod_t)
kernel_request_load_module(kmod_t)
+kernel_read_crypto_sysctls(kmod_t)
kernel_read_system_state(kmod_t)
kernel_read_network_state(kmod_t)
kernel_write_proc_files(kmod_t)
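Review bot: the denials come from comm="sysctl" running in kmod_t, not from kmod itself, so the commit message should say how a sysctl invocation ends up in this domain (the records do not show the parent); without that, a reviewer cannot judge whether kmod_t is the right domain to grant or whether the caller should be running elsewhere. The grant itself matches the recorded access (directory search plus file read, open and getattr, all with permissive=1), and placing it beside kernel_read_system_state(kmod_t) follows the existing grouping of kernel_ interfaces in this block.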
--
2.19.2


2018-12-08 18:46:38

by Sugar, David

Subject: [PATCH 3/3] Allow dbus to access /proc/sys/crypto/fips_enabled

type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/dbus.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 4b1e25c6..ea0af022 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -89,6 +89,7 @@ files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })

can_exec(system_dbusd_t, dbusd_exec_t)

+kernel_read_crypto_sysctls(system_dbusd_t)
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)

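Review bot: this hunk covers only the first block of denials (system_dbusd_t); the second block, for sysadm_dbusd_t, is addressed by the session_bus_type change in the following hunk, and the commit message should say so, since the subject line ("Allow dbus to access") does not distinguish the system bus from session buses. The recorded access is search on the directory and read, open and getattr on the file, so a read-only interface on sysctl_crypto_t is the right scope.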
@@ -227,6 +228,7 @@ manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_ru
manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })

+kernel_read_crypto_sysctls(session_bus_type)
kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)

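Review bot: the only recorded denial is for sysadm_dbusd_t, but the rule is granted on the session_bus_type attribute, which reaches every session bus domain; that is consistent with kernel_read_system_state and kernel_read_kernel_sysctls being granted on the attribute in the lines below, but the commit message should state that the attribute-wide grant is intentional rather than an over-approximation of one user's denial.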
--
2.19.2
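Each of the three patches above justifies its rule with raw AVC records. The following Python is an added example, not part of this thread or of refpolicy: it parses such records into the per-domain permission set a rule must cover and checks it against a read-only grant on sysctl_crypto_t. The sample records are copied from the three patches; the READ_CRYPTO_SYSCTLS set is an assumption about what a read-only interface provides, not quoted from kernel.if.

```python
import re
from collections import defaultdict

# Constructed sample: AVC records copied from the patch thread (the full X server
# sequence plus one record each from the kmod and session-bus patches).
SAMPLE_AVC = """\
type=AVC msg=audit(1543761322.221:211): avc: denied { search } for pid=16826 comm="X" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { read } for pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { open } for pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { search } for pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { read } for pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(r'denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?scontext=(?P<s>\S+)'
                    r'.*?tcontext=(?P<t>\S+).*?tclass=(?P<c>\S+)(?:.*?permissive=(?P<p>\d))?')

def parse_avc(text):
    """Return (source type, target type, tclass, perms, permissive) per AVC record;
    the type is the third field of user:role:type[:range]."""
    recs = []
    for m in (AVC_RE.search(line) for line in text.splitlines()):
        if m:
            recs.append((m["s"].split(":")[2], m["t"].split(":")[2], m["c"],
                         set(m["perms"].split()), m["p"] == "1"))
    return recs

def required_access(records):
    """Collapse records into {(stype, ttype, tclass): perms}. Only permissive-mode
    records are trusted: in enforcing mode the first denial (search) aborts the
    open(), so read/open/getattr never show up and the set would be incomplete."""
    needs = defaultdict(set)
    for stype, ttype, tclass, perms, permissive in records:
        if permissive:
            needs[(stype, ttype, tclass)] |= perms
    return dict(needs)

# Assumption, not quoted from refpolicy's kernel.if: a read-only grant on
# sysctl_crypto_t carries the usual directory-list and file-read permission sets.
READ_CRYPTO_SYSCTLS = {
    "dir": {"getattr", "search", "open", "read", "lock", "ioctl"},
    "file": {"getattr", "open", "read", "lock", "ioctl"},
}

def uncovered(needs, grant=READ_CRYPTO_SYSCTLS, target="sysctl_crypto_t"):
    """Map each (stype, ttype, tclass) on the target to the perms the grant lacks."""
    return {k: v - grant.get(k[2], set()) for k, v in needs.items()
            if k[1] == target and not v <= grant.get(k[2], set())}
```

An empty result from uncovered() means one read-only grant per source domain covers everything the records show; a non-empty result (for example a write) means the process needs more than a read interface and the requirement deserves a closer look before any rule is written.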


2018-12-11 23:00:51

by Chris PeBenito

Subject: Re: [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled

On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543761322.221:211): avc: denied { search } for
> pid=16826 comm="X" name="crypto" dev="proc" ino=10257
> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543761322.221:211): avc: denied { read } for
> pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543761322.221:211): avc: denied { open } for
> pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for
> pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/xserver.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 7d4c0c1b..425f7bd7 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -709,6 +709,7 @@ allow xserver_t xauth_home_t:file read_file_perms;
> manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
> logging_log_filetrans(xserver_t, xserver_log_t, file)
>
> +kernel_read_crypto_sysctls(xserver_t)
> kernel_read_system_state(xserver_t)
> kernel_read_device_sysctls(xserver_t)
> kernel_read_modprobe_sysctls(xserver_t)

Merged.

--
Chris PeBenito

2018-12-11 23:00:53

by Chris PeBenito

Subject: Re: [PATCH 2/3] Allow kmod to read /proc/sys/crypto/fips_enabled

On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543769402.716:165): avc: denied { search } for
> pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
> scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543769402.716:165): avc: denied { read } for
> pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
> scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769402.716:165): avc: denied { open } for
> pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10285 scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for
> pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10285 scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/modutils.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index a8125c17..73471401 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -58,6 +58,7 @@ can_exec(kmod_t, kmod_exec_t)
>
> kernel_load_module(kmod_t)
> kernel_request_load_module(kmod_t)
> +kernel_read_crypto_sysctls(kmod_t)
> kernel_read_system_state(kmod_t)
> kernel_read_network_state(kmod_t)
> kernel_write_proc_files(kmod_t)

Merged.

--
Chris PeBenito

2018-12-11 23:00:55

by Chris PeBenito

Subject: Re: [PATCH 3/3] Allow dbus to access /proc/sys/crypto/fips_enabled

On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
> pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
> pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
> pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
> pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
> pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
> pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
> pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=9289
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for
> pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=9289
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/dbus.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 4b1e25c6..ea0af022 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -89,6 +89,7 @@ files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
>
> can_exec(system_dbusd_t, dbusd_exec_t)
>
> +kernel_read_crypto_sysctls(system_dbusd_t)
> kernel_read_system_state(system_dbusd_t)
> kernel_read_kernel_sysctls(system_dbusd_t)
>
> @@ -227,6 +228,7 @@ manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_ru
> manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
>
> +kernel_read_crypto_sysctls(session_bus_type)
> kernel_read_system_state(session_bus_type)
> kernel_read_kernel_sysctls(session_bus_type)

Merged.

--
Chris PeBenito