Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.1 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 64659C43381 for ; Sat, 16 Feb 2019 19:40:42 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 26E52222E0 for ; Sat, 16 Feb 2019 19:40:42 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="FdB4ahqO" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727264AbfBPTkm (ORCPT ); Sat, 16 Feb 2019 14:40:42 -0500 Received: from mail-qt1-f195.google.com ([209.85.160.195]:37980 "EHLO mail-qt1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726000AbfBPTkl (ORCPT ); Sat, 16 Feb 2019 14:40:41 -0500 Received: by mail-qt1-f195.google.com with SMTP id 2so14893572qtb.5 for ; Sat, 16 Feb 2019 11:40:40 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=s3/JlFGF9MAVYGXqpP04D2AuEPS8K5XU/lPJzYKtdn0=; b=FdB4ahqOrmZtVy5I9Xj/Ng0E2O6PRjUz1gG9q/yXgC1gT578xGyu+AbPR0jiYoCN99 EP/keJ6okOSjj+MBaEIVdcytmcG9J/FDHkL/UdPVDQ+QTKe8JPMktorEXOOXPvgTPvUI DHvsmgKjXrsvOAzNOEtMyGjwkHgFx7c4hvJpE= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=s3/JlFGF9MAVYGXqpP04D2AuEPS8K5XU/lPJzYKtdn0=; b=FjWq7tCxr5L504CiPu0Oh21MOq8uhanlgWcVRVkgmOZ9rM97w1Sx7n0mSvcuk3ZH3f c5clgcCvklqb9VEc/XFRZMkQN3tkcZFauHaPNJOrSf9YwemNYmB5VxsLkYAQB6ka114p QfcGYqJJAcceBr2NjOhOsnmNQ2FsUbyaU2f2N7OdtFDhv+urqwl9z6oAK8x3uTPTz7Gc NqXLPVT6P/jT6nTJgPAuXD5GMYRZdKIcVVMuWi6wn4cPg17zFyKS/djmwobeQMvwROPG y6Ztzix52GgBvlv5y60JhStsF6jZYe2CEjCYTq1zM0VLOP81ckoOMfJx7DAf8Jl/Unn9 2FoQ== X-Gm-Message-State: AHQUAuaGvOjfnTY8+Y5QzxEryr78lbrZ3ZqhCs5x4Su6FWXDM+Bsx5u4 WMgkUURXsS0vqg1rHucVn8N6TDYy700= X-Google-Smtp-Source: AHgI3IZAMXQ8esyiXHtqoTMvY5Lb7saM3yR9ozlUGSnlV7xKM87F+A6kyQZfZZ/8RP5x+zRMGwosnw== X-Received: by 2002:ac8:1414:: with SMTP id k20mr12348444qtj.298.1550346040202; Sat, 16 Feb 2019 11:40:40 -0800 (PST) Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247]) by smtp.gmail.com with ESMTPSA id x17sm5894410qtm.43.2019.02.16.11.40.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 16 Feb 2019 11:40:39 -0800 (PST) Subject: Re: [PATCH] New interface to dontaudit access to cert_t To: "Sugar, David" , "selinux-refpolicy@vger.kernel.org" References: <20190212130456.11572-1-dsugar@tresys.com> <8982046d-990a-29f5-6d76-d202ce647845@ieee.org> From: Chris PeBenito Message-ID: <4563f4e3-7525-f19c-55a6-45caca5786f7@ieee.org> Date: Sat, 16 Feb 2019 14:40:38 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 8bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 2/14/19 8:56 AM, Sugar, David wrote: > > > On 2/13/19 6:42 PM, Chris PeBenito wrote: >> On 2/12/19 8:05 AM, Sugar, David wrote: >>> I'm seeing a bunch of denials for various processes (some refpolicy >>> domains, some my own application domains) attempting to access >>> /etc/pki.  They seem to be working OK even with the denial.  Adding >>> interface to dontaudit this stuff and calling the interface. >>> >>> type=AVC msg=audit(1549932300.668:266): avc:  denied  { search } for >>> pid=7077 comm="X" name="pki" dev="dm-1" ino=138 >>> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 >>> tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0 >>> type=AVC msg=audit(1549932306.553:430): avc:  denied  { search } for >>> pid=7345 comm="clamd" name="pki" dev="dm-1" ino=138 >>> scontext=system_u:system_r:clamd_t:s0:c1 >>> tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0 >> >> My guess is there is some common library between them (maybe glibc) >> which is triggering this.  It seems like this might potentially cover up >> legitimate access.  It's just hard to tell by just dir searches. >> > > Digging into this I have found a few things, and please note that I am > not seeing this denial in permissive. > > Looking at strace for clamd I see an attempt to open the (non-existent) > file /etc/pki/tls/legacy-settings. I think this would explain the > denial on dir search. > > If I create that file (even empty) labeled cert_t I see denials (in > permissive) for clamd_t cert_t:file { getattr open read }. > > audit2allow suggests the boolean 'authlogin_nsswitch_use_ldap' should > resolve the issue (for clamd_t). This makes sense as clamd uses the > interface auth_use_nsswitch(clamd_t). > > So, assuming that I don't want to enable 'authlogin_nsswitch_use_ldap' > is there a way to quiet this denial? The dontaudit could go in the else block for that tunable. -- Chris PeBenito