Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/clamav.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 3639d769..0dc1e23c 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -263,11 +263,11 @@ interface(`clamav_scannable_files',`
#
interface(`clamav_enabledisable_clamd',`
gen_require(`
- type clamav_unit_t;
+ type clamd_unit_t;
class service { enable disable };
')
- allow $1 clamav_unit_t:service { enable disable };
+ allow $1 clamd_unit_t:service { enable disable };
')
########################################
--
2.20.1
type=AVC msg=audit(1550894180.137:3099): avc: denied { search } for pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550894180.137:3099): avc: denied { read } for pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550894180.137:3099): avc: denied { open } for pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/clamav.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 622453e3..db4e0209 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -202,6 +202,7 @@ stream_connect_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t, clamd_t)
read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
kernel_dontaudit_list_proc(freshclam_t)
+kernel_read_crypto_sysctls(freshclam_t)
kernel_read_kernel_sysctls(freshclam_t)
kernel_read_network_state(freshclam_t)
kernel_read_system_state(freshclam_t)
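Review bot: The new `kernel_read_crypto_sysctls(freshclam_t)` line carries no comment saying why a signature updater needs `/proc/sys/crypto/fips_enabled`, and the commit text is only the raw AVC, so the next maintainer cannot tell whether this is a one-off crypto-library FIPS probe or a sign that freshclam wants wider sysctl access. I would put a why-comment above the line, hedged until the trigger is confirmed: `# freshclam reads /proc/sys/crypto/fips_enabled at startup (presumably its TLS/crypto library's FIPS-mode check)`. The alphabetical placement between the other kernel_* calls is correct.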
--
2.20.1
type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/admin/aide.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index 9d3c19ce..6297b60e 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
+kernel_dgram_send(aide_t)
+
logging_send_audit_msgs(aide_t)
logging_send_syslog_msg(aide_t)
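Review bot: The AVC shows the target of the `/dev/log` sendto is `kernel_t`, not a syslog daemon type, which is what forces `kernel_dgram_send(aide_t)` here, yet nothing in the file records that; a reader seeing aide send datagrams to kernel sockets will not connect it to logging. I would add above the new line `# /dev/log was a kernel_t socket on the reporting system (socket presumably created before policy load); needed for aide's syslog output`. As far as can be seen from the interface name, this grants sendto on any kernel_t unix_dgram_socket rather than only /dev/log, which is worth stating so nobody later treats it as a syslog-specific rule.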
--
2.20.1
type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/admin/aide.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index 6297b60e..f58ba850 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -36,6 +36,7 @@ files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
kernel_dgram_send(aide_t)
+kernel_read_crypto_sysctls(aide_t)
logging_send_audit_msgs(aide_t)
logging_send_syslog_msg(aide_t)
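Review bot: As with the matching freshclam change, `kernel_read_crypto_sysctls(aide_t)` lands without a comment tying it to the `/proc/sys/crypto/fips_enabled` probe in the AVCs, so the reason for a file-integrity checker reading crypto sysctls is lost once the commit message scrolls away. A one-line note such as `# aide's hash backend reads /proc/sys/crypto/fips_enabled (presumably a crypto-library FIPS-mode check)` above the call would fix that. The AVCs also include `getattr` on the file; the interface name suggests a read-files pattern that covers it, but that is inferred from the name, not visible here.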
--
2.20.1
AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning. RHEL7 has set this option in the
aide rpm they distribute.
Changes made to add a tunable to enable permissions allowing
aide to map files that it needs. I have set the default to
false as this seems preferred (in my mind).
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/admin/aide.te | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index f58ba850..fe52a280 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -5,6 +5,15 @@ policy_module(aide, 1.8.0)
# Declarations
#
+## <desc>
+## <p>
+## Control if AIDE can mmap files.
+## AIDE can be compiled with the option 'with-mmap' in which case it will
+## attempt to mmap files while running.
+## </p>
+## </desc>
+gen_tunable(aide_mmap_files, false)
+
attribute_role aide_roles;
type aide_t;
@@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t)
userdom_use_user_terminals(aide_t)
+tunable_policy(`aide_mmap_files',`
+ files_map_non_auth_files(aide_t)
+')
+
optional_policy(`
seutil_use_newrole_fds(aide_t)
')
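Review bot: `files_map_non_auth_files(aide_t)` is narrower than the `files_read_all_files(aide_t)` the domain already has in the first hunk's context, so with the tunable on and AIDE built WITH_MMAP, mapping auth-labelled files (shadow and friends) will still be denied even though reading them is allowed; whether AIDE then falls back to read() for those files or aborts the scan is not visible here and should be confirmed in enforcing mode. If the exclusion is deliberate, say so in the tunable's description, e.g. add `## Authentication-related files are still not mappable with this tunable enabled.` inside the `<p>` block, so an admin who enables it knows what to expect. The description would also read better naming the build option as AIDE spells it (`--with-mmap`) so it can be matched against the RPM spec.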
--
2.20.1
Currently freshclam can only be started from cron or init. This adds
the option of starting from a different process and optionally
transitioning or staying in the caller's domain.
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/clamav.if | 64 +++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 0dc1e23c..30d0b814 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -251,6 +251,70 @@ interface(`clamav_scannable_files',`
typeattribute $1 clam_scannable_type;
')
+########################################
+## <summary>
+## Execute a domain transition to run freshclam.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans_freshclam',`
+ gen_require(`
+ type freshclam_t, freshclam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, freshclam_exec_t, freshclam_t)
+')
+
+########################################
+## <summary>
+## Execute freshclam in the freshclam domain, and
+## allow the specified role the freshclam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`clamav_run_freshclam',`
+ gen_require(`
+ type freshclam_t;
+ ')
+
+ clamav_domtrans_freshclam($1)
+ role $2 types freshclam_t;
+')
+
+########################################
+## <summary>
+## Execute freshclam in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_exec_freshclam',`
+ gen_require(`
+ type freshclam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, freshclam_exec_t)
+')
+
########################################
## <summary>
## Allow specified domain to enable clamd units
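Review bot: `clamav_exec_freshclam` grants `can_exec` with no transition, so the calling domain itself must then carry whatever freshclam_t needs (network access and writes to the signature database, judging from the freshclam_t rules in clamav.te), and the interface summary should warn about that so it is not chosen over `clamav_domtrans_freshclam` casually. I would extend the summary to `## Execute freshclam in the caller domain. The caller then needs freshclam's own permissions (network, database updates); prefer clamav_domtrans_freshclam where possible.`. As I read `domtrans_pattern`, a domain given both interfaces still transitions to freshclam_t on exec because of the type_transition rule, so the "stay in the caller's domain" option only holds for callers that do not also receive the transition; a one-line note on `clamav_exec_freshclam` saying so would avoid surprises.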
--
2.20.1
"Sugar, David" <[email protected]> writes:
> type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for
> pid=7182 comm="aide" path="/dev/log"
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
> permissive=1
Is this not part of logging_send_syslog_msg()? It should be AFAIK.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/admin/aide.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
> index 9d3c19ce..6297b60e 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
> files_read_all_files(aide_t)
> files_read_all_symlinks(aide_t)
>
> +kernel_dgram_send(aide_t)
> +
> logging_send_audit_msgs(aide_t)
> logging_send_syslog_msg(aide_t)
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On 2/26/19 1:52 AM, Dominick Grift wrote:
> "Sugar, David" <[email protected]> writes:
>
>> type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for
>> pid=7182 comm="aide" path="/dev/log"
>> scontext=system_u:system_r:aide_t:s0
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>> permissive=1
>
> Is this not part of logging_send_syslog_msg()? It should be AFAIK.
>
Looking at logging.if I don't see any kernel interfaces used. So, no it
isn't in there currently. Based on how logging seems to now work with
journald it might be a good idea to move these individual uses and just
rely on the logging_send_syslog_msg interface to take care of it.
I'm happy to make this change if that is desired.
>>
>> Signed-off-by: Dave Sugar <[email protected]>
>> ---
>> policy/modules/admin/aide.te | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
>> index 9d3c19ce..6297b60e 100644
>> --- a/policy/modules/admin/aide.te
>> +++ b/policy/modules/admin/aide.te
>> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>> files_read_all_files(aide_t)
>> files_read_all_symlinks(aide_t)
>>
>> +kernel_dgram_send(aide_t)
>> +
>> logging_send_audit_msgs(aide_t)
>> logging_send_syslog_msg(aide_t)
>
"Sugar, David" <[email protected]> writes:
> On 2/26/19 1:52 AM, Dominick Grift wrote:
>> "Sugar, David" <[email protected]> writes:
>>
>>> type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for
>>> pid=7182 comm="aide" path="/dev/log"
>>> scontext=system_u:system_r:aide_t:s0
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>> permissive=1
>>
>> Is this not part of logging_send_syslog_msg()? It should be AFAIK.
>>
> Looking at logging.if I don't see any kernel interfaces used. So, no it
> isn't in there currently. Based on how logging seems to now work with
> journald it might be a good idea to move these individual uses and just
> rely on the loggin_send_syslog_msg interface to take care of it.
>
I see. I will let other decides on how to deal with this. In dssp2 i
have:
(call sys.unix_dgram_socket_sendto (client_subj_type_attribute))
(call sys.unix_stream_socket_connectto (client_subj_type_attribute))
Not sure why i also added the "unix_stream_socket connectto;", but i suppose
there was a need for it at some point at least.
> I'm happy to make this change if that is desired.
>
>>>
>>> Signed-off-by: Dave Sugar <[email protected]>
>>> ---
>>> policy/modules/admin/aide.te | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
>>> index 9d3c19ce..6297b60e 100644
>>> --- a/policy/modules/admin/aide.te
>>> +++ b/policy/modules/admin/aide.te
>>> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>>> files_read_all_files(aide_t)
>>> files_read_all_symlinks(aide_t)
>>>
>>> +kernel_dgram_send(aide_t)
>>> +
>>> logging_send_audit_msgs(aide_t)
>>> logging_send_syslog_msg(aide_t)
>>
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> type=AVC msg=audit(1550799594.394:205): avc: denied { sendto }
> for pid=7182 comm="aide" path="/dev/log"
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
> permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/admin/aide.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/admin/aide.te
> b/policy/modules/admin/aide.te
> index 9d3c19ce..6297b60e 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
> files_read_all_files(aide_t)
> files_read_all_symlinks(aide_t)
>
> +kernel_dgram_send(aide_t)
> +
> logging_send_audit_msgs(aide_t)
> logging_send_syslog_msg(aide_t)
I merged this. Since there are only a few domains with this
permission, I'd rather keep it separate. Should many more domains need
this access, then we can reassess.
--
Chris PeBenito
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> type=AVC msg=audit(1550799594.212:164): avc: denied { search }
> for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1550799594.212:164): avc: denied { read }
> for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
> type=AVC msg=audit(1550799594.212:164): avc: denied { open }
> for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
> type=AVC msg=audit(1550799594.213:165): avc: denied { getattr }
> for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/admin/aide.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/admin/aide.te
> b/policy/modules/admin/aide.te
> index 6297b60e..f58ba850 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -36,6 +36,7 @@ files_read_all_files(aide_t)
> files_read_all_symlinks(aide_t)
>
> kernel_dgram_send(aide_t)
> +kernel_read_crypto_sysctls(aide_t)
>
> logging_send_audit_msgs(aide_t)
> logging_send_syslog_msg(aide_t)
Merged.
--
Chris PeBenito
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> AIDE has a compile time option WITH_MMAP which allows AIDE to
> map files during scanning. RHEL7 has set this option in the
> aide rpm they distribute.
>
> Changes made to add a tunable to enable permissions allowing
> aide to map files that it needs. I have set the default to
> false as this seems perfered (in my mind).
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/admin/aide.te | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/policy/modules/admin/aide.te
> b/policy/modules/admin/aide.te
> index f58ba850..fe52a280 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -5,6 +5,15 @@ policy_module(aide, 1.8.0)
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Control if AIDE can mmap files.
> +## AIDE can be compiled with the option 'with-mmap' in which case
> it will
> +## attempt to mmap files while running.
> +## </p>
> +## </desc>
> +gen_tunable(aide_mmap_files, false)
> +
> attribute_role aide_roles;
>
> type aide_t;
> @@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t)
>
> userdom_use_user_terminals(aide_t)
>
> +tunable_policy(`aide_mmap_files',`
> + files_map_non_auth_files(aide_t)
> +')
> +
> optional_policy(`
> seutil_use_newrole_fds(aide_t)
> ')
Merged.
--
Chris PeBenito
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> Currently freshclam can only be started from cron or init. This adds
> the option of starting from a different process and optionally
> transitioning or staying in the callers domain.
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/clamav.if | 64
> +++++++++++++++++++++++++++++++
> 1 file changed, 64 insertions(+)
>
> diff --git a/policy/modules/services/clamav.if
> b/policy/modules/services/clamav.if
> index 0dc1e23c..30d0b814 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -251,6 +251,70 @@ interface(`clamav_scannable_files',`
> typeattribute $1 clam_scannable_type;
> ')
>
> +########################################
> +## <summary>
> +## Execute a domain transition to run freshclam.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_domtrans_freshclam',`
> + gen_require(`
> + type freshclam_t, freshclam_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, freshclam_exec_t, freshclam_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute freshclam in the freshclam domain, and
> +## allow the specified role the freshclam domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`clamav_run_freshclam',`
> + gen_require(`
> + type freshclam_t;
> + ')
> +
> + clamav_domtrans_freshclam($1)
> + role $2 types freshclam_t;
> +')
> +
> +########################################
> +## <summary>
> +## Execute freshclam in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_exec_freshclam',`
> + gen_require(`
> + type freshclam_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, freshclam_exec_t)
> +')
> +
> ########################################
> ## <summary>
> ## Allow specified domain to enable clamd units
Merged.
--
Chris PeBenito
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> type=AVC msg=audit(1550894180.137:3099): avc: denied { search }
> for pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208
> scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1550894180.137:3099): avc: denied { read }
> for pid=11039 comm="freshclam" name="fips_enabled" dev="proc"
> ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
> type=AVC msg=audit(1550894180.137:3099): avc: denied { open }
> for pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-
> s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/clamav.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/clamav.te
> b/policy/modules/services/clamav.te
> index 622453e3..db4e0209 100644
> --- a/policy/modules/services/clamav.te
> +++ b/policy/modules/services/clamav.te
> @@ -202,6 +202,7 @@ stream_connect_pattern(freshclam_t,
> clamd_var_run_t, clamd_var_run_t, clamd_t)
> read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
>
> kernel_dontaudit_list_proc(freshclam_t)
> +kernel_read_crypto_sysctls(freshclam_t)
> kernel_read_kernel_sysctls(freshclam_t)
> kernel_read_network_state(freshclam_t)
> kernel_read_system_state(freshclam_t)
Merged.
--
Chris PeBenito
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/clamav.if | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/services/clamav.if
> b/policy/modules/services/clamav.if
> index 3639d769..0dc1e23c 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -263,11 +263,11 @@ interface(`clamav_scannable_files',`
> #
> interface(`clamav_enabledisable_clamd',`
> gen_require(`
> - type clamav_unit_t;
> + type clamd_unit_t;
> class service { enable disable };
> ')
>
> - allow $1 clamav_unit_t:service { enable disable };
> + allow $1 clamd_unit_t:service { enable disable };
> ')
>
> ########################################
Merged.
--
Chris PeBenito