From: "Sugar, David" <dsugar@tresys.com>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] Resolve denial while changing password
Date: Mon, 11 Mar 2019 16:02:29 +0000
Message-ID: <20190311160147.17642-1-dsugar@tresys.com>
I'm seeing the following denials reading /proc/sys/crypto/fips_enabled and sending a message for logging. This resolves those denials.
type=AVC msg=audit(1552222811.419:470): avc: denied { search } for pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc: denied { read } for pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc: denied { open } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc: denied { getattr } for pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.431:476): avc: denied { sendto } for pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar
---
 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index b4f8c78c..9d17645f 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -304,6 +304,8 @@ allow passwd_t self:msg { send receive }; allow passwd_t crack_db_t:dir list_dir_perms; read_files_pattern(passwd_t, crack_db_t, crack_db_t) =20 +kernel_dgram_send(passwd_t) +kernel_read_crypto_sysctls(passwd_t) kernel_read_kernel_sysctls(passwd_t) =20 # for SSP --=20 2.20.1
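Review bot: the added `kernel_dgram_send(passwd_t)` is broader than the denial it answers. The sendto denial shows path="/dev/log" with tcontext=system_u:system_r:kernel_t:s0, i.e. whatever is listening on the syslog socket is running in kernel_t rather than in a syslog domain; that usually points at a mislabeled or early-started logger on the test system, and the conventional refpolicy route for syslog traffic is the logging module's `logging_send_syslog_msg()` interface. Please confirm why /dev/log is owned by kernel_t before granting passwd_t dgram send to every kernel_t socket. The `kernel_read_crypto_sysctls(passwd_t)` line does match the four /proc/sys/crypto/fips_enabled denials (search on the directory, then read/open/getattr on the file) and its placement keeps the kernel_* calls in alphabetical order; a short comment above it naming fips_enabled would help the next reader, since nothing else in the file says why passwd needs crypto sysctls.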