From: "Sugar, David"
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH v2] New interface to dontaudit access to cert_t
Date: Wed, 20 Feb 2019 16:37:46 +0000
Message-ID: <20190220163709.27002-2-dsugar@tresys.com>
In-Reply-To: <20190220163709.27002-1-dsugar@tresys.com>
References: <20190220163709.27002-1-dsugar@tresys.com>
I'm seeing a bunch of denials for various processes (some refpolicy domains, some my own application domains) attempting to access /etc/pki. They seem to be working OK even with the denial.

The tunable authlogin_nsswitch_use_ldap controls access to cert_t (for domains that are part of the nsswitch_domain attribute). Use this new interface when that tunable is off to quiet the denials.

Signed-off-by: Dave Sugar
---
 policy/modules/system/authlogin.te |  2 ++
 policy/modules/system/miscfiles.if | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 345e07f3..a98054c5 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -431,6 +431,8 @@ sysnet_dns_name_resolve(nsswitch_domain)
 tunable_policy(`authlogin_nsswitch_use_ldap',`
 	miscfiles_read_generic_certs(nsswitch_domain)
 	sysnet_use_ldap(nsswitch_domain)
+',`
+	miscfiles_dontaudit_read_generic_certs(nsswitch_domain)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 93c1f9c1..df11794a 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -131,6 +131,27 @@ interface(`miscfiles_read_generic_certs',`
 	read_lnk_files_pattern($1, cert_t, cert_t)
 ')
 
+########################################
+##
+##	Do not audit attempts to read generic SSL/TLS certificates.
+##
+##
+##
+##	Domain to not audit.
+##
+##
+##
+#
+interface(`miscfiles_dontaudit_read_generic_certs',`
+	gen_require(`
+		type cert_t;
+	')
+
+	dontaudit $1 cert_t:dir list_dir_perms;
+	dontaudit $1 cert_t:file read_file_perms;
+	dontaudit $1 cert_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ##
 ##	Manage generic SSL/TLS certificates.
-- 
2.20.1
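Review bot: in the authlogin.te hunk, the new else branch of tunable_policy(`authlogin_nsswitch_use_ldap') suppresses every cert_t read denial for the entire nsswitch_domain attribute, so a domain in that attribute that genuinely needs /etc/pki for a non-LDAP TLS connection will now fail without leaving an AVC that points at the missing rule. Since the justification is only that the affected processes "seem to be working OK", the commit message should name the domains whose denials were observed and say why the access is optional for them, and should note that the hidden denials can be brought back for troubleshooting with `semodule -DB` (rebuild the policy with dontaudit rules disabled), which is the check a maintainer will want before accepting a blanket dontaudit on an attribute.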
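Review bot: in the miscfiles.if hunk, `dontaudit $1 cert_t:dir list_dir_perms;` hides more than the allow counterpart grants: list_dir_perms covers read, lock and ioctl on the directory, whereas the read_*_pattern macros that miscfiles_read_generic_certs uses (see the `read_lnk_files_pattern($1, cert_t, cert_t)` context line) only need search_dir_perms on cert_t directories. Unless the observed AVCs actually include `read` on the directory, `dontaudit $1 cert_t:dir search_dir_perms;` keeps the dontaudit interface symmetric with the allow interface and avoids masking directory-listing denials that would never be permitted anyway. Separately, the interface doc block shows bare `+##` lines where the summary and parameter description should carry the `<summary>` and `<param name="domain">` tags refpolicy's interface documentation expects; if that is not just a mail-transport artifact, please restore them so the new interface is documented like its neighbour.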