Date: Tue, 2 Jul 2019 18:03:51 +0200
From: Dominick Grift
To: "Sugar, David"
Cc: "selinux-refpolicy@vger.kernel.org"
Subject: Re: [PATCH 2/5] grant permission for rpm to write to audit log
Message-ID: <20190702160351.GB27193@brutus.lan>
References: <20190702153014.14097-1-dsugar@tresys.com> <20190702153014.14097-3-dsugar@tresys.com>
In-Reply-To: <20190702153014.14097-3-dsugar@tresys.com>

On Tue, Jul 02, 2019 at 03:30:30PM +0000, Sugar, David wrote:
> Messages like this are added to the audit log when an rpm is installed:
> type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=? res=success'
>
> These are the denials that I'm seeing:
> type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1
>
> type=AVC msg=audit(1561298132.446:240): avc: denied { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
> type=AVC msg=audit(1561298132.446:241): avc: denied { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
> type=AVC msg=audit(1561298132.446:241): avc: denied { nlmsg_relay } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
> type=AVC msg=audit(1561298132.447:243): avc: denied { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1

There is an interface for that: logging_send_audit_msgs(rpm_t)

>
> Signed-off-by: Dave Sugar
> ---
> policy/modules/admin/rpm.te | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
> index 0e6e9c03..a28a24d3 100644
> --- a/policy/modules/admin/rpm.te
> +++ b/policy/modules/admin/rpm.te
> @@ -73,7 +73,7 @@ files_tmpfs_file(rpm_script_tmpfs_t) > # rpm Local policy > # > =20 > -allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock = mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config }; > +allow rpm_t self:capability { audit_write chown dac_override fowner fset= id ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config = }; > allow rpm_t self:process { transition signal_perms getsched setsched get= session getpgid setpgid getcap setcap share getattr setexec setfscreate noa= tsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setso= ckcreate getrlimit }; > allow rpm_t self:fd use; > allow rpm_t self:fifo_file rw_fifo_file_perms; 
> @@ -87,6 +87,7 @@ allow rpm_t self:msgq create_msgq_perms; > allow rpm_t self:msg { send receive }; > allow rpm_t self:file rw_file_perms; > allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms; > +allow rpm_t self:netlink_audit_socket { nlmsg_relay create_socket_perms = }; > =20 > allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr= _file_perms }; > logging_log_filetrans(rpm_t, rpm_log_t, file) > --=20 > 2.21.0 >=20 --=20 Key fingerprint =3D 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=3Dget&search=3D0x3B6C5F1D2C7B6B02 Dominick Grift --RASg3xLB4tUQ4RcS Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQGzBAEBCAAdFiEEujmXliIBLFTc2Y4AJXSOVTf5R2kFAl0bgGMACgkQJXSOVTf5 R2k+BAv/dudwUGASFZcXKaGuLiLsdp1CufpwFWdvYuj7GedUOEG/Of+1vAL0Lrx2 VTQWfp/wZLl1zCg1Y5MxRBLaRNMsETvXc1c9rWexPIikufMR0TlUmUyw2goHIA+x IPaEbJQiywFXP3p6Owv2ZhWPJ+R6JQhLhJWaZCmG4ckiK+LYM1zNRQvg2dESeWTD Xwv65vYImUmnvtFU6nc8SG5O99syULeYbWf0ekT60o/XHbF61k86ynQAf3BKQfnR nCFpZ5tJKPI11pWiYjGQbVW1kproRFq3vk7/voP+Eu46ezYfFvyDX3BhTL+1X6S+ T1CbFdKkqTrqZXD/fjpM3dp6VP+3fXOFudKR34XqMr8rEIhnJR7Pzn62XCU6jg6W xF1wITBM8g4D29TzsWkotb5fXVg7ccKJnq7I39srajDqu/FWIgB7X+YuXMem8pGh i6eI/Es8Kkb0NznBk6/NCklsqUiXEJ5wlWKieARIPZ/hnOEkOK/ml7+1GJ3VGoUQ UHHkBDO5 =rbta -----END PGP SIGNATURE----- --RASg3xLB4tUQ4RcS--
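Review bot: The audit_write capability spelled out on the rpm_t self:capability line in the @@ -73,7 hunk should not be added as a raw allow rule; as the reply above notes, refpolicy already provides logging_send_audit_msgs(rpm_t) for exactly this, and calling that interface in rpm.te's interface-call section keeps the audit-sending permissions in one place under the logging module's control instead of duplicating them in the domain's local policy. The denial that motivates the line (capability=29, audit_write, permissive=1) is consistent with the change, so the only issue is where the permission is granted, not whether it is needed.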
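Review bot: The new self:netlink_audit_socket { nlmsg_relay create_socket_perms } rule in the @@ -87,6 hunk is the second half of the same requirement as the capability change and should be dropped in favour of the single logging_send_audit_msgs(rpm_t) call; the permission set itself does match the four denials shown (create, write, nlmsg_relay and read), since create_socket_perms expands to create plus rw_socket_perms, so nothing beyond the interface call is needed once both added lines are replaced.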