Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp3643841ybi;
        Tue, 2 Jul 2019 11:00:26 -0700 (PDT)
X-Google-Smtp-Source: APXvYqxw/SHlOKnhoMuh+vtK8Sxzwc84rTRteQzEtYuidCwaC2VEuSyTSMJmsmCXjYmffKd3vOzT
X-Received: by 2002:a65:5242:: with SMTP id q2mr17183784pgp.135.1562090426223;
        Tue, 02 Jul 2019 11:00:26 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1562090426; cv=none;
        d=google.com; s=arc-20160816;
        b=R9IilWgHXX4XBA6LpyCKd+98yIyCa2NqPXain1kcKTBCMVzltWeDpvDugKrAaOSEu0
         eH8C8GP4VoBY5Y+64svIR5C3b3RJJgNLlgClI//faa2kyntciLCjxRPGmWlB5L023r6k
         /0LMEv16HocQ26QUaLOqkZ37cf8Ajf6D0ZZO3WeUtfSh+IB7sxyWrnpVJzGPbV9+5xmk
         y0Z0e2LRRYDNqjjf+pV/ALx6UiYEiNwVu5fRXndDEL7/tiOyzCXHnvrrSpkrOIab25KS
         Xw/BMIBy2FKvkBrseXQA/lJl+HN4bLg0Q9D+nYApT4nCGPd4LGcyYV+gaIjtBWBhUomG
         5Hkw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:content-transfer-encoding
         :content-language:accept-language:message-id:date:thread-index
         :thread-topic:subject:to:from:dkim-signature;
        bh=jw1mr2FgNEAaB0QY6lYIg19NTfy0uMVUsJ2LG/YpHIU=;
        b=L/aduFD0zSatOA9bcziu8mdwE1V0gQdQFGhtYl0g/SUNEnRu53JosmOWnZrABUJKgz
         YvuA8MzGRpiju17mgv5ATJCe1H/n6GLECP6zQ1mC1y7JFFqy3Hsn9HtLLeFf/ZRbOVSC
         yyN9spJnqs9rdTFTWVgtTQnrni96ma5XvkQW9ddHQEWPvC78QgPP5n/upRrFiEp8yZmp
         NNKVIc14HnjJ7acafrafFC9mTu9SNn7BU+nqJ89rq1rgGSJkQ8NSGnsEMNNWSKXd94kh
         EUX7VDB8p6UDGj+0J8CE6nEmbud5U280yZTEPAu1vT1xSzS24fDMV5xFsrh2LlsmpgZt
         IiAA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=ZHySeYcs;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id x24si2645201pjt.88.2019.07.02.11.00.23;
        Tue, 02 Jul 2019 11:00:26 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@tresys.onmicrosoft.com header.s=selector2-tresys-onmicrosoft-com header.b=ZHySeYcs;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727033AbfGBR7r (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 11 others); Tue, 2 Jul 2019 13:59:47 -0400
Received: from mail-eopbgr720123.outbound.protection.outlook.com ([40.107.72.123]:65504
        "EHLO NAM05-CO1-obe.outbound.protection.outlook.com"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726329AbfGBR7q (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 2 Jul 2019 13:59:46 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=tresys.onmicrosoft.com; s=selector2-tresys-onmicrosoft-com;
 h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
 bh=jw1mr2FgNEAaB0QY6lYIg19NTfy0uMVUsJ2LG/YpHIU=;
 b=ZHySeYcsyoKmyRcjTiBAWxiwB+QXvadgHOGU6VmUVIul0LCIZyT+2wHQGc2ODRVpH3pNUXR27KvD7WB1PTSEZG435XzRG1dxlKhbLsrNidbqtnJbJDg9HZtmwnKKhaHKZj8f+Bs8epaDKJD33BJp5o0LEIQPY0Th5yT+g4V1lXE=
Received: from BN6PR15MB1507.namprd15.prod.outlook.com (10.172.151.147) by
 BN6PR15MB1524.namprd15.prod.outlook.com (10.172.152.15) with Microsoft SMTP
 Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.20.2032.18; Tue, 2 Jul 2019 17:59:43 +0000
Received: from BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::80fc:6403:1abc:cb23]) by BN6PR15MB1507.namprd15.prod.outlook.com
 ([fe80::80fc:6403:1abc:cb23%6]) with mapi id 15.20.2032.019; Tue, 2 Jul 2019
 17:59:43 +0000
From:   "Sugar, David" <dsugar@tresys.com>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH 2/5 - v2] grant permission for rpm to write to audit log
Thread-Topic: [PATCH 2/5 - v2] grant permission for rpm to write to audit log
Thread-Index: AQHVMP/th1qejqhc50Oazicw2hWoKA==
Date:   Tue, 2 Jul 2019 17:59:43 +0000
Message-ID: <20190702175932.24697-1-dsugar@tresys.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: 
X-MS-TNEF-Correlator: 
x-originating-ip: [96.244.17.66]
x-clientproxiedby: BN8PR16CA0026.namprd16.prod.outlook.com
 (2603:10b6:408:4c::39) To BN6PR15MB1507.namprd15.prod.outlook.com
 (2603:10b6:404:c6::19)
authentication-results: spf=none (sender IP is )
 smtp.mailfrom=dsugar@tresys.com; 
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: git-send-email 2.21.0
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: f409ec2e-cc48-4c9f-35d6-08d6ff170f85
x-microsoft-antispam: BCL:0;PCL:0;RULEID:(2390118)(7020095)(4652040)(7021145)(8989299)(4534185)(7022145)(4603075)(4627221)(201702281549075)(8990200)(7048125)(7024125)(7027125)(7023125)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020);SRVR:BN6PR15MB1524;
x-ms-traffictypediagnostic: BN6PR15MB1524:
x-microsoft-antispam-prvs: <BN6PR15MB15247C34F899041031F9F593B9F80@BN6PR15MB1524.namprd15.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:3513;
x-forefront-prvs: 008663486A
x-forefront-antispam-report: SFV:NSPM;SFS:(10019020)(4636009)(376002)(366004)(39830400003)(136003)(396003)(346002)(189003)(199004)(186003)(2351001)(1076003)(5640700003)(7736002)(6486002)(6436002)(8676002)(8936002)(36756003)(14454004)(6512007)(53936002)(305945005)(2501003)(5660300002)(486006)(6116002)(25786009)(2616005)(66066001)(102836004)(71200400001)(2906002)(71190400001)(50226002)(26005)(68736007)(99286004)(6506007)(3846002)(476003)(52116002)(386003)(66476007)(66556008)(256004)(14444005)(66446008)(81156014)(316002)(64756008)(6916009)(73956011)(81166006)(86362001)(66946007)(508600001);DIR:OUT;SFP:1102;SCL:1;SRVR:BN6PR15MB1524;H:BN6PR15MB1507.namprd15.prod.outlook.com;FPR:;SPF:None;LANG:en;PTR:InfoNoRecords;MX:1;A:1;
received-spf: None (protection.outlook.com: tresys.com does not designate
 permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 7XwrPAdSmNRMnvTTTwLgPTrdAvefeHh87EY0yaKp5QA0Zg35yErwVGXm7+6HKviOy0hWW9g3uijyMWenRPhrn4SN9s8WAVytyJLmNDKniTRu/LyEIlab39w4SkYcmbnT3GO8cJ627hCBw4IEcxbGXrhP8+J6N+1RFhHx79c2ejLigi/qWh0EOs3p3I3VVUE2n7Cy4j2IBf5PvNzUpG0ZzOb+sG4patO2idWNMisqZ50GIwvxLA9AF6z8kM3b79lpj6lAZ3CAOvP7Z7bCKOsaL86Srto0mHsKWudc96Q93fh+J6cBsjsXcwDarkAcVDCdneH00cGfM1Ycfqb0rC/+HDxjOeXetDOK26TFMLz1DqjFYUhR1eXiP+Mtf1FJpfkwkYxF7xWp4iqcLMu4b6on+1gOkvG6l4YfHrLYxfp2sb4=
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: tresys.com
X-MS-Exchange-CrossTenant-Network-Message-Id: f409ec2e-cc48-4c9f-35d6-08d6ff170f85
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Jul 2019 17:59:43.3886
 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: a0d45667-6c07-4e88-868f-4ac9af95c7ed
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: dsugar@tresys.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN6PR15MB1524
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Messages like this are added to the audit log when an rpm is installed:
type=3DSOFTWARE_UPDATE msg=3Daudit(1560913896.581:244): pid=3D1265 uid=3D0 =
auid=3D4294967295 ses=3D4294967295 subj=3Dsystem_u:system_r:rpm_t:s0 msg=3D=
'sw=3D"ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=3Drpm key_enforce=3D0 gpg=
_res=3D0 root_dir=3D"/" comm=3D"rpm" exe=3D"/usr/bin/rpm" hostname=3D? addr=
=3D?  terminal=3D? res=3Dsuccess'

These are the denials that I'm seeing:
type=3DAVC msg=3Daudit(1560913896.581:243): avc:  denied  { audit_write } f=
or  pid=3D1265 comm=3D"rpm" capability=3D29 scontext=3Dsystem_u:system_r:rp=
m_t:s0 tcontext=3Dsystem_u:system_r:rpm_t:s0 tclass=3Dcapability permissive=
=3D1

type=3DAVC msg=3Daudit(1561298132.446:240): avc:  denied  { create } for pi=
d=3D1266 comm=3D"rpm" scontext=3Dsystem_u:system_r:rpm_t:s0 tcontext=3Dsyst=
em_u:system_r:rpm_t:s0 tclass=3Dnetlink_audit_socket permissive=3D1
type=3DAVC msg=3Daudit(1561298132.446:241): avc:  denied  { write } for pid=
=3D1266 comm=3D"rpm" scontext=3Dsystem_u:system_r:rpm_t:s0 tcontext=3Dsyste=
m_u:system_r:rpm_t:s0 tclass=3Dnetlink_audit_socket permissive=3D1
type=3DAVC msg=3Daudit(1561298132.446:241): avc:  denied  { nlmsg_relay } f=
or  pid=3D1266 comm=3D"rpm" scontext=3Dsystem_u:system_r:rpm_t:s0 tcontext=
=3Dsystem_u:system_r:rpm_t:s0 tclass=3Dnetlink_audit_socket permissive=3D1
type=3DAVC msg=3Daudit(1561298132.447:243): avc:  denied  { read } for pid=
=3D1266 comm=3D"rpm" scontext=3Dsystem_u:system_r:rpm_t:s0 tcontext=3Dsyste=
m_u:system_r:rpm_t:s0 tclass=3Dnetlink_audit_socket permissive=3D1

v2 - Use interface rather than adding permissions here - this change may
confuse subsequent patches in this set, if so let me know and I will
submit a pull request on github.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/admin/rpm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 0e6e9c03..ba022247 100644
--- a/policy/modules/admin/rpm.te
+++ b/policy/modules/admin/rpm.te
@@ -204,6 +204,7 @@ libs_exec_ld_so(rpm_t)
 libs_exec_lib_files(rpm_t)
 libs_run_ldconfig(rpm_t, rpm_roles)
=20
+logging_send_audit_msgs(rpm_t)
 logging_send_syslog_msg(rpm_t)
=20
 seutil_manage_src_policy(rpm_t)
--=20
2.21.0