From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH] Allow freshclam to read sysctl_crypto_t
Date: Mon, 25 Feb 2019 23:37:45 +0000
Message-ID: <20190225233708.15319-3-dsugar@tresys.com>
References: <20190225233708.15319-1-dsugar@tresys.com>
In-Reply-To: <20190225233708.15319-1-dsugar@tresys.com>

type=AVC msg=audit(1550894180.137:3099): avc: denied { search } for pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550894180.137:3099): avc: denied { read } for pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550894180.137:3099): avc: denied { open } for pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar --- policy/modules/services/clamav.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/cl= amav.te index 622453e3..db4e0209 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -202,6 +202,7 @@ stream_connect_pattern(freshclam_t, clamd_var_run_t, cl= amd_var_run_t, clamd_t) read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t) =20 kernel_dontaudit_list_proc(freshclam_t) +kernel_read_crypto_sysctls(freshclam_t) kernel_read_kernel_sysctls(freshclam_t) kernel_read_network_state(freshclam_t) kernel_read_system_state(freshclam_t) --=20 2.20.1
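Review bot: the commit message carries only the three AVC records and no sentence saying why freshclam_t needs this access, so the added kernel_read_crypto_sysctls(freshclam_t) line in the kernel_* group of clamav.te is justified only by inference from the log. The records show a search of the crypto directory and a read and open of /proc/sys/crypto/fips_enabled, all in one audit event (1550894180.137:3099) captured with permissive=1, and none of them is a write, so a read-only grant is the right scope; a one-line description such as "freshclam reads /proc/sys/crypto/fips_enabled" above the denials would record that for later readers of the policy history. The denials were also logged with a sysadm_u:sysadm_r source context, that is, freshclam started from an administrator session, so it is worth stating in the message whether the same access was seen when freshclam runs as a system service.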