Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH 2/5] grant permission for rpm to write to audit log
Thread-Topic: [PATCH 2/5] grant permission for rpm to write to audit log
Thread-Index: AQHVMOsUpLfILmfTT0qWwWclCs8RAKa3faSAgAAa8wA=
Date:   Tue, 2 Jul 2019 17:40:19 +0000
Message-ID: <e65c16bd-2ec2-9bd9-8bd7-799c1dbfea94@tresys.com>
References: <20190702153014.14097-1-dsugar@tresys.com>
 <20190702153014.14097-3-dsugar@tresys.com>
 <20190702160351.GB27193@brutus.lan>
In-Reply-To: <20190702160351.GB27193@brutus.lan>
Accept-Language: en-US
Content-Language: en-US
user-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.7.2
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d1ffe5a9-0d86-424a-ba77-08d6ff1459e5
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020);SRVR:BN6PR15MB1409;
x-ms-traffictypediagnostic: BN6PR15MB1409:
x-microsoft-antispam-prvs: <BN6PR15MB1409ED6E642AD216A2BF4170B9F80@BN6PR15MB1409.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:2201;
x-forefront-prvs: 008663486A
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(4636009)(346002)(376002)(396003)(39830400003)(366004)(136003)(189003)(199004)(508600001)(256004)(14444005)(6486002)(6116002)(99286004)(305945005)(5640700003)(6916009)(186003)(81166006)(6246003)(64126003)(6436002)(7736002)(8936002)(76176011)(2501003)(2351001)(65826007)(52116002)(8676002)(36756003)(53936002)(3846002)(71190400001)(81156014)(71200400001)(486006)(14454004)(6506007)(316002)(86362001)(446003)(11346002)(229853002)(31696002)(64756008)(58126008)(25786009)(73956011)(6512007)(66946007)(66556008)(66476007)(66066001)(65956001)(66446008)(2906002)(2616005)(386003)(65806001)(26005)(68736007)(5660300002)(102836004)(476003)(31686004)(53546011);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR15MB1409;H:BN6PR15MB1507.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: ffUkLU04CzIq0JvJvsZLy5F6L1na7X2VegeP9ts77BIoP+qEoysLR39YUxzQU2eOihNuiMSGhBHq39k5NV98wJCuQNeeGLb8CHjMSG97LXaVsUcSVeJOAnM1GG5yU8I3KCkQCKRXIfPtU25XYf9QrObuFJkzdN2nhh/S35oRXXSxRe5+TRJSPzbFJpwlMBtQ500h/5jYYBj/OxfDu5sTza15a4vCRfapsWv7mijfRWtYgmYP2LSKQjixlNNsC5AxVVB90gXl3gEt3CAKBuxO9czpi1g8kgdhdwwwzePgKl4upGmUHxPBXLpRxCvKFFhnsZ/y4UBMlvXfgk5n8bPVWV4hkbce5Bu1kY78SfDfbPjEO7cNyITE+fMpOaIP349mrxnUwo8Bwdpy43TJ8OJJlxm2uRUvlr9dGoOV02JLae4=
Content-Type: text/plain; charset="Windows-1252"
Content-ID: <6900BA68EB8C2A438AEDECC666980EE1@namprd15.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: d1ffe5a9-0d86-424a-ba77-08d6ff1459e5
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jul 2019 17:40:19.5913
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dsugar@tresys.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1409
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org


On 7/2/19 12:03 PM, Dominick Grift wrote:
> On Tue, Jul 02, 2019 at 03:30:30PM +0000, Sugar, David wrote:
>> Messages like this are added to the audit log when an rpm is installed:
>> type=3DSOFTWARE_UPDATE msg=3Daudit(1560913896.581:244): pid=3D1265 uid=
=3D0 auid=3D4294967295 ses=3D4294967295 subj=3Dsystem_u:system_r:rpm_t:s0 m=
sg=3D'sw=3D"ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=3Drpm key_enforce=3D=
0 gpg_res=3D0 root_dir=3D"/" comm=3D"rpm" exe=3D"/usr/bin/rpm" hostname=3D?=
 addr=3D?  terminal=3D? res=3Dsuccess'
>>
>> These are the denials that I'm seeing:
>> type=3DAVC msg=3Daudit(1560913896.581:243): avc:  denied  { audit_write =
} for  pid=3D1265 comm=3D"rpm" capability=3D29 scontext=3Dsystem_u:system_r=
:rpm_t:s0 tcontext=3Dsystem_u:system_r:rpm_t:s0 tclass=3Dcapability permiss=
ive=3D1
>>
>> type=3DAVC msg=3Daudit(1561298132.446:240): avc:  denied  { create } for=
 pid=3D1266 comm=3D"rpm" scontext=3Dsystem_u:system_r:rpm_t:s0 tcontext=3Ds=
ystem_u:system_r:rpm_t:s0 tclass=3Dnetlink_audit_socket permissive=3D1
>> type=3DAVC msg=3Daudit(1561298132.446:241): avc:  denied  { write } for =
pid=3D1266 comm=3D"rpm" scontext=3Dsystem_u:system_r:rpm_t:s0 tcontext=3Dsy=
stem_u:system_r:rpm_t:s0 tclass=3Dnetlink_audit_socket permissive=3D1
>> type=3DAVC msg=3Daudit(1561298132.446:241): avc:  denied  { nlmsg_relay =
} for  pid=3D1266 comm=3D"rpm" scontext=3Dsystem_u:system_r:rpm_t:s0 tconte=
xt=3Dsystem_u:system_r:rpm_t:s0 tclass=3Dnetlink_audit_socket permissive=3D=
1
>> type=3DAVC msg=3Daudit(1561298132.447:243): avc:  denied  { read } for p=
id=3D1266 comm=3D"rpm" scontext=3Dsystem_u:system_r:rpm_t:s0 tcontext=3Dsys=
tem_u:system_r:rpm_t:s0 tclass=3Dnetlink_audit_socket permissive=3D1
>=20
> There is an interface for that: logging_send_audit_msgs(rpm_t)
>=20

Good call, I missed that.  I will submit an updated patch shortly.

>>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/admin/rpm.te | 3 ++-
>>   1 file changed, 2 insertions(+), 1 deletion(-)
>>
>> diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
>> index 0e6e9c03..a28a24d3 100644
>> --- a/policy/modules/admin/rpm.te
>> +++ b/policy/modules/admin/rpm.te
>> @@ -73,7 +73,7 @@ files_tmpfs_file(rpm_script_tmpfs_t)
>>   # rpm Local policy
>>   #
>>  =20
>> -allow rpm_t self:capability { chown dac_override fowner fsetid ipc_lock=
 mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config };
>> +allow rpm_t self:capability { audit_write chown dac_override fowner fse=
tid ipc_lock mknod setfcap setgid setuid sys_chroot sys_nice sys_tty_config=
 };
>>   allow rpm_t self:process { transition signal_perms getsched setsched g=
etsession getpgid setpgid getcap setcap share getattr setexec setfscreate n=
oatsecure siginh setrlimit rlimitinh dyntransition execmem setkeycreate set=
sockcreate getrlimit };
>>   allow rpm_t self:fd use;
>>   allow rpm_t self:fifo_file rw_fifo_file_perms;
>> @@ -87,6 +87,7 @@ allow rpm_t self:msgq create_msgq_perms;
>>   allow rpm_t self:msg { send receive };
>>   allow rpm_t self:file rw_file_perms;
>>   allow rpm_t self:netlink_kobject_uevent_socket create_socket_perms;
>> +allow rpm_t self:netlink_audit_socket { nlmsg_relay create_socket_perms=
 };
>>  =20
>>   allow rpm_t rpm_log_t:file { append_file_perms create_file_perms setat=
tr_file_perms };
>>   logging_log_filetrans(rpm_t, rpm_log_t, file)
>> --=20
>> 2.21.0
>>
>=20