Subject: Re: [PATCH] New interface to dontaudit access to cert_t
To: "Sugar, David", "selinux-refpolicy@vger.kernel.org"
References: <20190212130456.11572-1-dsugar@tresys.com>
From: Chris PeBenito
Message-ID: <8982046d-990a-29f5-6d76-d202ce647845@ieee.org>
Date: Wed, 13 Feb 2019 18:42:53 -0500
In-Reply-To: <20190212130456.11572-1-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 2/12/19 8:05 AM, Sugar, David wrote:
> I'm seeing a bunch of denials for various processes (some refpolicy
> domains, some my own application domains) attempting to access
> /etc/pki. They seem to be working OK even with the denial. Adding
> interface to dontaudit this stuff and calling the interface.
>
> type=AVC msg=audit(1549932300.668:266): avc: denied { search } for pid=7077 comm="X" name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
> type=AVC msg=audit(1549932306.553:430): avc: denied { search } for pid=7345 comm="clamd" name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:clamd_t:s0:c1 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0

My guess is there is some common library between them (maybe glibc) which is triggering this. It seems like this might potentially cover up legitimate access. It's just hard to tell by just dir searches.

> Signed-off-by: Dave Sugar
> ---
> policy/modules/services/clamav.te | 1 +
> policy/modules/services/xserver.te | 1 +
> policy/modules/system/miscfiles.if | 20 ++++++++++++++++++++
> 3 files changed, 22 insertions(+)
>
> diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
> index 622453e3..ad19cc7b 100644
> --- a/policy/modules/services/clamav.te
> +++ b/policy/modules/services/clamav.te
> @@ -147,6 +147,7 @@ auth_use_nsswitch(clamd_t)
>
> logging_send_syslog_msg(clamd_t)
>
> +miscfiles_dontaudit_search_generic_certs(clamd_t)
> miscfiles_read_localization(clamd_t)
>
> tunable_policy(`clamd_use_jit',`
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index a2b08a89..da1c0c7d 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -804,6 +804,7 @@ locallogin_use_fds(xserver_t)
> logging_send_syslog_msg(xserver_t)
> logging_send_audit_msgs(xserver_t)
>
> +miscfiles_dontaudit_search_generic_certs(xserver_t)
> miscfiles_read_localization(xserver_t)
> miscfiles_read_fonts(xserver_t)
>
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index 93c1f9c1..cecdb406 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -131,6 +131,26 @@ interface(`miscfiles_read_generic_certs',`
> read_lnk_files_pattern($1, cert_t, cert_t)
> ')
>
> +########################################
> +##
> +## Do not audit attempts to search
> +## on a generic certs directory.
> +##
> +##
> +##
> +## Domain to not audit.
> +##
> +##
> +##
> +#
> +interface(`miscfiles_dontaudit_search_generic_certs',`
> + gen_require(`
> + type cert_t;
> + ')
> +
> + dontaudit $1 cert_t:dir search;
> +')
> +
> ########################################
> ##
> ## Manage generic SSL/TLS certificates.

-- 
Chris PeBenito
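Review bot: for the clamav.te hunk, the dontaudit may paper over a real need: the quoted AVC shows clamd_t denied only `search` on the cert_t directory, but if that search is the first step of a TLS or signature-verification path that goes on to open files under /etc/pki, the right call is the existing `miscfiles_read_generic_certs(clamd_t)` rather than `miscfiles_dontaudit_search_generic_certs(clamd_t)`. Before merging, disable dontaudit rules (`semodule -DB`), exercise clamd, and check whether read/open denials on cert_t files follow the search; if only the search ever appears, the dontaudit is justified.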
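Review bot: for the xserver.te hunk, the same check applies, and here the dontaudit is more plausible since the X server has no obvious use for certificates, which fits the guess that a shared library probes /etc/pki at startup. Note the interface silences only `dir search` on cert_t, so any later file read would still be audited; that bounds what this rule can hide. The new line sits before `miscfiles_read_localization(xserver_t)`, which keeps the calls in alphabetical order.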
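Review bot: in the miscfiles.if hunk, the doc block shows several bare `##` lines where refpolicy's interface markup (`<summary>`, `<param name="domain">`) would normally appear; confirm the tags are present in the submitted patch, since the interface documentation tooling depends on them. On the rule itself, consider `dontaudit $1 cert_t:dir search_dir_perms;` rather than bare `search`: the quoted AVCs show only `search`, but a library that stats the directory before descending also triggers `getattr`, and `search_dir_perms` is the refpolicy permission set that covers both.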
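The reply above says it is hard to tell from a bare directory search whether a dontaudit hides legitimate access. The helper below is an added example, not code from the thread or from refpolicy: it parses AVC records per source domain and reports which permissions were requested on cert_t, so the dontaudit-versus-allow decision rests on the whole denial pattern. The first two audit lines are the ones quoted in the report; the third (a follow-on file read by clamd) is constructed to show what a domain with a real need for certificates looks like, and the interface names it recommends are the two visible in the patch.

```python
import re
from collections import defaultdict

# Two AVC records quoted in the bug report, plus one CONSTRUCTED record
# (the clamd file read) to illustrate a domain that really needs the certs.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1549932300.668:266): avc:  denied  { search } for  pid=7077 comm="X" name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1549932306.553:430): avc:  denied  { search } for  pid=7345 comm="clamd" name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:clamd_t:s0:c1 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1549932306.601:431): avc:  denied  { read open } for  pid=7345 comm="clamd" path="/etc/pki/tls/certs/ca-bundle.crt" dev="dm-1" ino=2201 scontext=system_u:system_r:clamd_t:s0:c1 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
"""

# Pulls the permission set, both contexts and the object class out of one
# AVC record; tolerant of the variable spacing audit.log uses.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc(line):
    """Return a dict for an AVC denial line, or None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    # A context is user:role:type[:range]; the type is always field 2.
    return {
        'perms': frozenset(m.group('perms').split()),
        'sdomain': m.group('scontext').split(':')[2],
        'ttype': m.group('tcontext').split(':')[2],
        'tclass': m.group('tclass'),
    }


def summarize(audit_text, target_type='cert_t'):
    """Map source domain -> object class -> union of denied permissions
    on the given target type (default cert_t)."""
    wanted = defaultdict(lambda: defaultdict(set))
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec and rec['ttype'] == target_type:
            wanted[rec['sdomain']][rec['tclass']] |= rec['perms']
    return {d: {c: frozenset(p) for c, p in cls.items()} for d, cls in wanted.items()}


def recommend(summary):
    """A domain that only ever searched (or stat'ed) the directory can be
    dontaudited; one that went on to touch files actually reads certificates
    and should get the allow interface instead. Interface names are the two
    that appear in the patch under review."""
    advice = {}
    for domain, by_class in summary.items():
        only_dir_probe = (set(by_class) == {'dir'}
                          and by_class['dir'] <= {'search', 'getattr'})
        advice[domain] = ('miscfiles_dontaudit_search_generic_certs' if only_dir_probe
                          else 'miscfiles_read_generic_certs')
    return advice


if __name__ == '__main__':
    summary = summarize(SAMPLE_AUDIT)
    for domain, call in sorted(recommend(summary).items()):
        print(f'{domain}: {call}({domain})  # denied: {dict(summary[domain])}')
```

Run it against real data with `ausearch -m avc --raw` piped into `summarize`, after temporarily disabling dontaudit rules with `semodule -DB` so that existing dontaudits do not hide the follow-on file accesses the script is looking for (re-enable with `semodule -B` afterwards).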