From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: Re: [PATCH 2/5] grant permission for rpm to write to audit log
Date: Tue, 2 Jul 2019 17:40:19 +0000
References: <20190702153014.14097-1-dsugar@tresys.com> <20190702153014.14097-3-dsugar@tresys.com> <20190702160351.GB27193@brutus.lan>
In-Reply-To: <20190702160351.GB27193@brutus.lan>
On 7/2/19 12:03 PM, Dominick Grift wrote:
> On Tue, Jul 02, 2019 at 03:30:30PM +0000, Sugar, David wrote:
>> Messages like this are added to the audit log when an rpm is installed:
>> type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=? res=success'
>>
>> These are the denials that I'm seeing:
>> type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1
>>
>> type=AVC msg=audit(1561298132.446:240): avc: denied { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
>> type=AVC msg=audit(1561298132.446:241): avc: denied { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
>> type=AVC msg=audit(1561298132.446:241): avc: denied { nlmsg_relay } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
>> type=AVC msg=audit(1561298132.447:243): avc: denied { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
>
> There is an interface for that: logging_send_audit_msgs(rpm_t)
>

Good call, I missed that. I will submit an updated patch shortly.

>>
>> Signed-off-by: Dave Sugar
>> ---
>>  policy/modules/admin/rpm.te | 3 ++-
>>  1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
>> index 0e6e9c03..a28a24d3 100644
>> --- a/policy/modules/admin/rpm.te
>> +++ b/policy/modules/admin/rpm.te
>> @@ -73,7 +73,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
>>  # rpm Local policy
>>  #
>>
>> -allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
>> +allow rpm_t self:capability { audit_write chown dac_override fowner fsetid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
>>  allow rpm_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setexec setfscreate noatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
>>  allow rpm_t self:fd use;
>>  allow rpm_t self:fifo_file rw_fifo_file_perms;
>> @@ -87,6 +87,7 @@ allow rpm_t self:msgq create_msgq_perms;
>>  allow rpm_t self:msg { send receive };
>>  allow rpm_t self:file rw_file_perms;
>>  allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
>> +allow rpm_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
>>
>>  allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setattr_file_perms };
>>  logging_log_filetrans(rpm_t, rpm_log_t, file)
>> --
>> 2.21.0
>>
>
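Review bot: adding audit_write to the self:capability line in the first hunk (@@ -73,7 +73,7 @@) open-codes in rpm.te only half of what emitting an audit record needs, the other half being the netlink_audit_socket rules in the second hunk, and refpolicy already packages both halves behind the logging module interface the reply above points to; a single `logging_send_audit_msgs(rpm_t)` placed next to the existing `logging_log_filetrans(rpm_t, rpm_log_t, file)` would replace this edit to the capability set.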
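Review bot: in the second hunk (@@ -87,6 +87,7 @@), `allow rpm_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };` does cover the four netlink_audit_socket denials quoted in the message (create, write, read and nlmsg_relay), but this rule and the audit_write capability are one logical access, sending audit messages, and keeping them as two raw self rules in rpm.te means any future change to what audit writing requires has to be repeated in every domain that did the same; the interface call suggested in the reply keeps that permission set in one place in the logging module.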
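As an added example (not code from the thread or from refpolicy), the following Python merges the AVC records quoted above into one permission set per (source type, target, object class), which is the same reduction audit2allow performs and yields exactly the two raw rules the patch open-codes; the mail's point stands that in refpolicy both belong behind logging_send_audit_msgs() rather than in rpm.te. The AVC lines are copied from the message; the regular expression and helper names are this example's own.

```python
import re
from collections import defaultdict

# AVC records quoted in the thread above (copied from the mail; one record per line).
AVC_LINES = [
    'type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1',
    'type=AVC msg=audit(1561298132.446:240): avc: denied { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1',
    'type=AVC msg=audit(1561298132.446:241): avc: denied { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1',
    'type=AVC msg=audit(1561298132.446:241): avc: denied { nlmsg_relay } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1',
    'type=AVC msg=audit(1561298132.447:243): avc: denied { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1',
]

# Permission list inside the braces, then the source/target contexts and object class.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def type_of(context):
    """Return the type field of a context such as system_u:system_r:rpm_t:s0."""
    return context.split(":")[2]

def parse_avc(line):
    """Parse one AVC denial; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "source": type_of(m.group("scontext")),
        "target": type_of(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def summarize(lines):
    """Merge denials into {(source_type, target, class): permissions}, writing the
    target as 'self' when source and target types match, as the rpm.te rules do."""
    merged = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue
        target = "self" if rec["source"] == rec["target"] else rec["target"]
        merged[(rec["source"], target, rec["tclass"])] |= rec["perms"]
    return dict(merged)

def as_allow_rules(merged):
    """Render the merged sets as raw allow rules, the form audit2allow prints."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(merged.items())]
```

Running `as_allow_rules(summarize(AVC_LINES))` reproduces the two rules the patch adds; the SOFTWARE_UPDATE record itself is ignored because it is not an AVC denial.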