Return-Path: <SRS0=7akK=RO=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-9.0 required=3.0 tests=DKIMWL_WL_MED,DKIM_SIGNED,
	DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,
	SIGNED_OFF_BY,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 61920C43381
	for <selinux-refpolicy@archiver.kernel.org>; Mon, 11 Mar 2019 16:02:35 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 03A2C2084F
	for <selinux-refpolicy@archiver.kernel.org>; Mon, 11 Mar 2019 16:02:35 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=tresys.onmicrosoft.com header.i=@tresys.onmicrosoft.com header.b="jox+wQoJ"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727062AbfCKQCe (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Mon, 11 Mar 2019 12:02:34 -0400
Received: from mail-eopbgr720092.outbound.protection.outlook.com ([40.107.72.92]:2027
        "EHLO NAM05-CO1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726641AbfCKQCe (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Mon, 11 Mar 2019 12:02:34 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tresys.onmicrosoft.com; s=selector1-tresys-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=zhohWFWEjLzgwDMY4EZc0K5UG4cmGaCyQt7cWky9Uxs=;
 b=jox+wQoJSyHBuHoypzcgi1QRbe2ZNwxYYsd4ZiaLwWDvS9HgpbfKneml0W55Jr9Tmbd70j+0AGRkB1/HxR4Ns1HnNaP55LpDRevlk6dHztJequ1vlQqVuLoqPRCHD7ysKoh03ibfGU+k+Tz8wu+zIx3kd2Huri6TLfHkU3gAXhA=
Received: from BN6PR15MB1507.namprd15.prod.outlook.com (10.172.151.147) by
 BN6PR15MB1380.namprd15.prod.outlook.com (10.172.151.150) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.1686.18; Mon, 11 Mar 2019 16:02:30 +0000
Received: from BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::ec41:1dc7:5fd4:a07a]) by BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::ec41:1dc7:5fd4:a07a%8]) with mapi id 15.20.1686.021; Mon, 11 Mar 2019
 16:02:30 +0000
From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH] Resolve denial while changing password
Thread-Topic: [PATCH] Resolve denial while changing password
Thread-Index: AQHU2CPUFty4+bJwKUu4S5VFZ7D4kA==
Date:   Mon, 11 Mar 2019 16:02:29 +0000
Message-ID: <20190311160147.17642-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [96.244.17.66]
x-clientproxiedby: BL0PR02CA0039.namprd02.prod.outlook.com
 (2603:10b6:207:3d::16) To BN6PR15MB1507.namprd15.prod.outlook.com
 (2603:10b6:404:c6::19)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=dsugar@tresys.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 2.20.1
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3a1cc702-eea6-475c-5d47-08d6a63af67b
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600127)(711020)(4605104)(2017052603328)(7153060)(7193020);SRVR:BN6PR15MB1380;
x-ms-traffictypediagnostic: BN6PR15MB1380:
x-microsoft-exchange-diagnostics: =?iso-8859-1?Q?1;BN6PR15MB1380;23:+y711aPL24nxMJKx7KgmOuTYVNYrQIwNUN3raYw?=
 =?iso-8859-1?Q?m2Qzda/GYHDm+4P2x2tQ/1V7wlJrQm1j5S6TSR9EhnFUrE0HcupPUrFeDL?=
 =?iso-8859-1?Q?r18kVOWzMgtuZ76ArT5+oH39Tgk7HKP6W7geDDeGoKOAZfiJJU1xBcIDDi?=
 =?iso-8859-1?Q?LhClG/hT+YBzGq3b8bcfnavE+/Wqey6ig8tm1MbrEo+3aceW6ZrIXFXC81?=
 =?iso-8859-1?Q?XocyAmfEcY1ZU7caX7qaMVf/rJjY13z2hoxk8pGGcYWJGB27+pWcNgScqD?=
 =?iso-8859-1?Q?xCEm3f4wxGYeMHbuQl7hijkMa4NsAWRLQkakD2EeHo7FOQ6NSgg2VfxZAJ?=
 =?iso-8859-1?Q?JZCPwRjArrpltv8bzXcJx3pRlApWZoxg/qhimes0aI1WGGXaUUzZjQjEeS?=
 =?iso-8859-1?Q?+ytn6vlP5rQb33QP8NuIAKPsjxBKeYo1+Se5DsLRO/m8vccO1LXZeqBunx?=
 =?iso-8859-1?Q?qgZu/wFqXlmJ0t1SHAjULDOTZ2/4VAKCYDyktM6oqXjL7DfotovihhYkTB?=
 =?iso-8859-1?Q?IJowoBZaTwd52Xg9xJOApZJwKVUV4+PLxXkqae7rFMYzGteYeYmK9KYDtI?=
 =?iso-8859-1?Q?pzwJVg6H94DCWN+iLKKpyficywbEZcjFG+t1EDO2ae2oWavwfrP2l5uzmZ?=
 =?iso-8859-1?Q?JtfWW8McWFlslGPIqaWao/i3ty8M+IwDphBCbj7sDMJHJ3QDMCnNjld7xP?=
 =?iso-8859-1?Q?5XcY0l4rd15vQ+x9A4eWWtiKfL5LX/wVDHE+LRqvXQ+Vmvl7PKZ+P6JOsa?=
 =?iso-8859-1?Q?27BAzl+CHKAzq2nrkCEZLGC+roi2CTROdIIETziXxcpodzbEwlyG3mRhjr?=
 =?iso-8859-1?Q?wDIABWRGKJeqsXho02usx8vZgzD74dlPafREY0z/gHMdFB4KmmobWNlqk/?=
 =?iso-8859-1?Q?/kkTGMaPmsTOKkTPF0CGd1f6UFiFZ1PMgQ650ZFu1gATnSHYq5B6GsPFdj?=
 =?iso-8859-1?Q?eXYH8Ex9Wp1wldvMc1bRwIXOE+tEjJaLaTqz3RbpfaqyUkqWHBsVkOSMTm?=
 =?iso-8859-1?Q?mdlXQjq0I8uH4FobjBZnBlteeiVj0ZqqPAzDZy/Nll2XF+RadfPZPcFc15?=
 =?iso-8859-1?Q?0OdD7XwBe0G6Z93+mkJgCpQ3s9TAbtcJVYhhs3k4BZi18wnq0qu7xyDpOf?=
 =?iso-8859-1?Q?liJw6AUiGkcxX1S3R2hTQ2x9bQnNGuW4f2yV0U+PcgSa0S6g4Q706keNYP?=
 =?iso-8859-1?Q?LgNa4VwYaPt5o/WI4n2V9zkY2qIiZ8Hlw=3D=3D?=
x-microsoft-antispam-prvs: <BN6PR15MB1380FD718328C94693063E0AB9480@BN6PR15MB1380.namprd15.prod.outlook.com>
x-forefront-prvs: 09730BD177
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(376002)(366004)(346002)(396003)(39830400003)(136003)(199004)(189003)(7736002)(102836004)(106356001)(5660300002)(105586002)(6486002)(81156014)(81166006)(8676002)(186003)(508600001)(6916009)(3846002)(2906002)(36756003)(486006)(5640700003)(6116002)(99286004)(86362001)(52116002)(2501003)(476003)(25786009)(2351001)(71200400001)(6436002)(14454004)(1076003)(71190400001)(6512007)(256004)(50226002)(68736007)(97736004)(316002)(26005)(8936002)(66066001)(2616005)(53936002)(305945005)(386003)(6506007);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR15MB1380;H:BN6PR15MB1507.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;A:1;MX:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: UOUNxIYRXDc0aCbt+Ng77d3/G33ojOT7RuLXOTgUER1pGSDeCK/N+LqUJDJaQnsO9trd7IPk0R94yCUO39rw5/iwwzZERP2t2zDKnjMsZNm7/vSNvq8pZSRRSlDu7/nBycoqYCgweeQl+gZHh0QExJ0FNSdBmZXmsojOt9yfBqUfMeq9+P2QqBSfCXoTfpL5lGOW3X9nEsZZbAEpCsHfDHVz/AIqPizeymso6/ENhZvUU3YYentjSXSU2QXb7zIcZYP9frgCyCzx+BwOo2Uec3BKddGJhyKu4gumwSTYWU0NostFjN/+ESJbxGIlHoC7m+n4vLT6cGYGWqp9/TDE+5unDtdxlCh/q96f8kJI2hQOhaFnmQ31tO75wTU39W/7bFjDRHsn3yUepTWUDBSZDD61pUYcxRx3HmM1JUf+oBM=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3a1cc702-eea6-475c-5d47-08d6a63af67b
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2019 16:02:29.9473
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1380
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging.  This resolves those denials.

type=3DAVC msg=3Daudit(1552222811.419:470): avc:  denied  { search } for  p=
id=3D7739 comm=3D"passwd" name=3D"crypto" dev=3D"proc" ino=3D2253 scontext=
=3Dsysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=3Dsystem_u:object_r:s=
ysctl_crypto_t:s0 tclass=3Ddir permissive=3D1
type=3DAVC msg=3Daudit(1552222811.419:470): avc:  denied  { read } for  pid=
=3D7739 comm=3D"passwd" name=3D"fips_enabled" dev=3D"proc" ino=3D2254 scont=
ext=3Dsysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=3Dsystem_u:object_=
r:sysctl_crypto_t:s0 tclass=3Dfile permissive=3D1
type=3DAVC msg=3Daudit(1552222811.419:470): avc:  denied  { open } for  pid=
=3D7739 comm=3D"passwd" path=3D"/proc/sys/crypto/fips_enabled" dev=3D"proc"=
 ino=3D2254 scontext=3Dsysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=
=3Dsystem_u:object_r:sysctl_crypto_t:s0 tclass=3Dfile permissive=3D1
type=3DAVC msg=3Daudit(1552222811.419:471): avc:  denied  { getattr } for  =
pid=3D7739 comm=3D"passwd" path=3D"/proc/sys/crypto/fips_enabled" dev=3D"pr=
oc" ino=3D2254 scontext=3Dsysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontex=
t=3Dsystem_u:object_r:sysctl_crypto_t:s0 tclass=3Dfile permissive=3D1

type=3DAVC msg=3Daudit(1552222811.431:476): avc:  denied  { sendto } for  p=
id=3D7739 comm=3D"passwd" path=3D"/dev/log" scontext=3Dsysadm_u:sysadm_r:pa=
sswd_t:s0-s0:c0.c1023 tcontext=3Dsystem_u:system_r:kernel_t:s0 tclass=3Duni=
x_dgram_socket permissive=3D1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/user=
manage.te
index b4f8c78c..9d17645f 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -304,6 +304,8 @@ allow passwd_t self:msg { send receive };
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
=20
+kernel_dgram_send(passwd_t)
+kernel_read_crypto_sysctls(passwd_t)
 kernel_read_kernel_sysctls(passwd_t)
=20
 # for SSP
--=20
2.20.1