From: "Sugar, David" <dsugar@tresys.com>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] Allow AIDE to read kernel sysctl_crypto_t
Date: Mon, 25 Feb 2019 23:37:47 +0000
Message-ID: <20190225233708.15319-5-dsugar@tresys.com>
In-Reply-To: <20190225233708.15319-1-dsugar@tresys.com>
References: <20190225233708.15319-1-dsugar@tresys.com>
X-Mailer: git-send-email 2.20.1
Sender: selinux-refpolicy-owner@vger.kernel.org
X-Mailing-List: selinux-refpolicy@vger.kernel.org

type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide"
path=3D"/proc/sys/crypto/fips_enabled" dev=3D"proc= " ino=3D10258 scontext=3Dsystem_u:system_r:aide_t:s0 tcontext=3Dsystem_u:ob= ject_r:sysctl_crypto_t:s0 tclass=3Dfile permissive=3D1 Signed-off-by: Dave Sugar --- policy/modules/admin/aide.te | 1 + 1 file changed, 1 insertion(+) diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te index 6297b60e..f58ba850 100644 --- a/policy/modules/admin/aide.te +++ b/policy/modules/admin/aide.te @@ -36,6 +36,7 @@ files_read_all_files(aide_t) files_read_all_symlinks(aide_t) =20 kernel_dgram_send(aide_t) +kernel_read_crypto_sysctls(aide_t) =20 logging_send_audit_msgs(aide_t) logging_send_syslog_msg(aide_t) --=20 2.20.1
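Review bot: the description gives no reason why aide reads /proc/sys/crypto/fips_enabled; a one-line rationale above the AVC records would let reviewers judge whether `kernel_read_crypto_sysctls(aide_t)` is the right scope for the added line in the aide.te hunk. Two things are worth confirming against the records themselves: the first denial is a `search` on the sysctl_crypto_t directory (`name="crypto" ... tclass=dir`), not only `read`/`open`/`getattr` on the file, so the interface must cover directory search as well as file read; and every record carries `permissive=1`, which is what makes the four denials a complete picture of one run rather than the first of a chain that enforcing mode would have revealed one fix at a time. The placement between `kernel_dgram_send(aide_t)` and `logging_send_audit_msgs(aide_t)` keeps the interface calls in alphabetical order, as refpolicy style expects.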
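As an added example (not part of this patch or of the refpolicy tree), the following Python script does the triage step a reviewer performs on the AVC records in the description: it parses each denial, collapses records that share source type, target type and object class into the single access vector they imply, and checks that all of them were logged in permissive mode. The sample text is the four records quoted above, decoded from the quoted-printable form in which the mail arrived; the function names are this example's own.

```python
"""Collapse SELinux AVC denial records into the access they imply.

Added example for triaging denials such as the ones in the AIDE patch;
not part of refpolicy. Function names are this example's own.
"""
import re
from collections import defaultdict

# The four records from the patch description, decoded from the
# quoted-printable encoding of the mail (copied, not constructed).
SAMPLE_AVC = """\
type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"   # permission set
    r".*?scontext=(?P<scontext>\S+)"                 # source context
    r"\s+tcontext=(?P<tcontext>\S+)"                 # target context
    r"\s+tclass=(?P<tclass>\S+)"                     # object class
    r"(?:\s+permissive=(?P<permissive>[01]))?"       # enforcing or not
)


def type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Return one dict per AVC denial record found in text."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if m is None:
            continue  # not an AVC denial (other audit record types, noise)
        records.append({
            "stype": type_of(m.group("scontext")),
            "ttype": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "perms": set(m.group("perms").split()),
            "permissive": m.group("permissive") == "1",
        })
    return records


def all_permissive(records):
    """True if every record was logged in permissive mode.

    In permissive mode one run logs the whole access path (search, read,
    open, getattr); in enforcing mode only the first denial would appear
    and each fix would reveal the next one.
    """
    return bool(records) and all(r["permissive"] for r in records)


def summarize(records):
    """Merge records with the same (source, target, class) into allow rules.

    The result is the raw access vector. In refpolicy a module does not
    carry literal allow rules for another module's types; the patch
    expresses this access through the kernel_read_crypto_sysctls interface.
    """
    merged = defaultdict(set)
    for r in records:
        merged[(r["stype"], r["ttype"], r["tclass"])] |= r["perms"]
    rules = []
    for (stype, ttype, tclass), perms in sorted(merged.items()):
        perms = sorted(perms)
        body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
        rules.append(f"allow {stype} {ttype}:{tclass} {body};")
    return rules


if __name__ == "__main__":
    recs = parse_avc(SAMPLE_AVC)
    print(f"{len(recs)} denials, all permissive: {all_permissive(recs)}")
    for rule in summarize(recs):
        print(rule)
```

Run against the records above it reports four denials, all permissive, collapsing to a directory `search` and a file `{ getattr open read }` on sysctl_crypto_t; that pair is what the single interface call in the hunk has to cover.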