DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 8BC4320848
From:   David Sugar <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH 1/3] Allow clamd_t to read /proc/sys/crypt/fips_enabled
Thread-Topic: [PATCH 1/3] Allow clamd_t to read /proc/sys/crypt/fips_enabled
Thread-Index: AQHUckRPg738L9n/0EON6MyaTRnzVA==
Date:   Fri, 2 Nov 2018 00:38:01 +0000
Message-ID: <20181102003727.22500-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1;BN6PR15MB1329;6:WtrRThl2UqPmAklORK5V6YnWdXd3aksIZSKS9TV5Nn0/lnBpjpTmSRoOzjMy++AytVkCEKh9jqCDvjGsDF1rO6tG2s5TAqZhoG/eRGAV7prZwH1d6mNc/V8n5mGKqbuLVHzo8K/0b+iwY//7LuDn3+i1NffTVOVrts7daJSdcomTb55nprLeexdjdBTxgNKbwMl6w4HqDOGOo02MfafuBZgjgo9GG0l8T0GhFXlwWQRNZdC/czxjzS/GqXlDfZhYX8WPFAzT/Xmg8rjQMBZ8RUMCT436FJb6q3Ul9cWrobWgS8PFggkOabUqEy/hOY4ph26ABX6q8+v6cZaABrGTG7dAfoptfNNj/yN+OoYTgvB9hFbOEsuXahA/uuCDopwUSXbK8WySJfEu3Kz2RJEYmOdKNSHfI2V/23xVi4QRI5jdLg4jpfwIzNGqqgZgmGUsOpIDGaa0HxSK3kAjTX4yzQ==;5:boCldfrbOeGZWbb5gj1NSS/6nqMZkR3qMM1jIdwAwnLj8SR89b794O/Xe3gQswA+/UnFtWoBwWUtF4hzJFP/IpKSK44ftPxrQuL9kqNJAkQgbT7W6EiJsgvFEGhbQsqVce0/Iydpdujy6yEB1Eoa8wVHT0FRikeKNRbOGq/cKRo=;7:OLDwg1+SE3JMPeL7U2PDbqSCp4R2d92FiPC+5Ym+w+oN1T/YWw9a1xUIbjJdudYtfSfnV/SKhdqCpmDrI2UFcSQFV7NLGYoeWVbTNmLdD9OBNwlPtK3/lI4glAV4OGh6iS0AWQ2zLrzc3GmT2N6Esw==
x-ms-office365-filtering-correlation-id: 094b0a5c-8cfc-4395-209b-08d6405b71e1
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600074)(711020)(2017052603328)(7153060)(7193020);SRVR:BN6PR15MB1329;
x-ms-traffictypediagnostic: BN6PR15MB1329:
x-microsoft-antispam-prvs: <BN6PR15MB1329416947D14FDFF7E3DCF6B9CF0@BN6PR15MB1329.namprd15.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0;PCL:0;RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3231382)(944501410)(52105095)(93006095)(93001095)(3002001)(10201501046)(148016)(149066)(150057)(6041310)(20161123564045)(20161123560045)(2016111802025)(20161123558120)(20161123562045)(6043046)(201708071742011)(7699051)(76991095);SRVR:BN6PR15MB1329;BCL:0;PCL:0;RULEID:;SRVR:BN6PR15MB1329;
x-forefront-prvs: 08444C7C87
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(979002)(366004)(396003)(39830400003)(136003)(346002)(376002)(189003)(199004)(186003)(14454004)(36756003)(81156014)(81166006)(2501003)(5660300001)(52116002)(6116002)(6436002)(508600001)(6486002)(6506007)(386003)(3846002)(8936002)(68736007)(2906002)(86362001)(8676002)(106356001)(99286004)(2900100001)(97736004)(102836004)(26005)(2351001)(256004)(476003)(2616005)(105586002)(53936002)(25786009)(7736002)(5640700003)(1076002)(305945005)(71190400001)(71200400001)(6512007)(486006)(66066001)(316002)(6916009)(969003)(989001)(999001)(1009001)(1019001);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR15MB1329;H:BN6PR15MB1507.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-microsoft-antispam-message-info: cWbB9Spl35GiLoBfXWxdx5X22Es1Yr/KeAs7OmhxBC1eS1UWWUxkgEoie9+maC/bnco9oo0iGi8CEV5Y52warPApd5TJZJ8CSevWHeVJWmbaPkdk1s8A2G0bFHrIcSKPGoUSyvayDtVI6fAhCboGtMKZRfBEvdryUeDQ5S3rYaAtV5dMOKZjLTCfJ10p+S6Fc7dmJHCLyNNp2HVId7JapNGcJodACxqtuUtha254iMG2D2yssWq22vV1ZUUp7xOaGNwrLsI6icz8K2fcvRV6LvV8nXbic4p0GvYETQkm+cVGhcOq7zyfLDFGuVDwFjjgRzMcjRoorQ+3JL5oVSo17ulUALtquLAQzjAKRJYnaFw=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 094b0a5c-8cfc-4395-209b-08d6405b71e1
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Nov 2018 00:38:01.8236
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1329
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org


To fix the following denials:
type=3DAVC msg=3Daudit(1540821927.216:215): avc:  denied  { search } for
pid=3D1726 comm=3D"clamd" name=3D"crypto" dev=3D"proc" ino=3D68
scontext=3Dsystem_u:system_r:clamd_t:s0
tcontext=3Dsystem_u:object_r:sysctl_crypto_t:s0 tclass=3Ddir
type=3DAVC msg=3Daudit(1540821927.216:215): avc:  denied  { read } for
pid=3D1726 comm=3D"clamd" name=3D"fips_enabled" dev=3D"proc" ino=3D69
scontext=3Dsystem_u:system_r:clamd_t:s0
tcontext=3Dsystem_u:object_r:sysctl_crypto_t:s0 tclass=3Dfile
type=3DAVC msg=3Daudit(1540821927.216:215): avc:  denied  { open } for
pid=3D1726 comm=3D"clamd" path=3D"/proc/sys/crypto/fips_enabled" dev=3D"pro=
c"
ino=3D69 scontext=3Dsystem_u:system_r:clamd_t:s0
tcontext=3Dsystem_u:object_r:sysctl_crypto_t:s0 tclass=3Dfile
type=3DAVC msg=3Daudit(1540821927.216:216): avc:  denied  { getattr } for
pid=3D1726 comm=3D"clamd" path=3D"/proc/sys/crypto/fips_enabled" dev=3D"pro=
c"
ino=3D69 scontext=3Dsystem_u:system_r:clamd_t:s0
tcontext=3Dsystem_u:object_r:sysctl_crypto_t:s0 tclass=3Dfile

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/clamav.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/clamav.te b/policy/modules/services/cl=
amav.te
index 5db29776..a2f30133 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -104,6 +104,7 @@ manage_sock_files_pattern(clamd_t, clamd_var_run_t, cla=
md_var_run_t)
 files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file })
=20
 kernel_dontaudit_list_proc(clamd_t)
+kernel_read_crypto_sysctls(clamd_t)
 kernel_read_sysctl(clamd_t)
 kernel_read_kernel_sysctls(clamd_t)
 kernel_read_system_state(clamd_t)
--=20
2.14.4