From: "Sugar, David"
To: "selinux-refpolicy@vger.kernel.org"
Subject: [PATCH 2/5 - v2] grant permission for rpm to write to audit log
Date: Tue, 2 Jul 2019 17:59:43 +0000
Message-ID: <20190702175932.24697-1-dsugar@tresys.com>
x-mailer: git-send-email 2.21.0
Messages like this are added to the audit log when an rpm is installed:

type=SOFTWARE_UPDATE msg=audit(1560913896.581:244): pid=1265 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:rpm_t:s0 msg='sw="ntpdate-4.2.6p5-25.el7_3.2.x86_64" sw_type=rpm key_enforce=0 gpg_res=0 root_dir="/" comm="rpm" exe="/usr/bin/rpm" hostname=? addr=? terminal=? res=success'

These are the denials that I'm seeing:

type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1561298132.446:240): avc: denied { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc: denied { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc: denied { nlmsg_relay } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.447:243): avc: denied { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1

v2 - Use interface rather than adding permissions here - this change may confuse subsequent patches in this set, if so let me know and I will submit a pull request on github.

Signed-off-by: Dave Sugar
---
 policy/modules/admin/rpm.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/rpm.te b/policy/modules/admin/rpm.te
index 0e6e9c03..ba022247 100644
--- a/policy/modules/admin/rpm.te +++ b/policy/modules/admin/rpm.te @@ -204,6 +204,7 @@ libs_exec_ld_so(rpm_t) libs_exec_lib_files(rpm_t) libs_run_ldconfig(rpm_t, rpm_roles) =20 +logging_send_audit_msgs(rpm_t) logging_send_syslog_msg(rpm_t) =20 seutil_manage_src_policy(rpm_t) --=20 2.21.0
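Review bot: the single added call logging_send_audit_msgs(rpm_t) needs to be checked against the whole denial set in the description before merging: one audit_write capability denial plus create, write, read and nlmsg_relay on netlink_audit_socket, every one with scontext equal to tcontext, so a self rule supplied by the interface is the right shape, but confirm in logging.if that the interface grants all five permissions rather than a subset, otherwise the netlink denials return in enforcing mode. Placing the call before logging_send_syslog_msg(rpm_t) keeps the logging_ block alphabetical, which is fine. Separately, the "=20" tokens on the two blank context lines and on the "--=20" signature line are quoted-printable encoding of trailing spaces (the message is sent with Content-Transfer-Encoding: quoted-printable), not content of rpm.te; git am decodes them, but a raw copy fed to patch will fail on those context lines, so decode first if applying by hand.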
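The denial-to-rule reasoning behind this patch, as an added example that is not part of the email or of refpolicy: it parses the AVC lines quoted in the description (embedded here as constructed sample input) into the per-class permission sets rpm_t needs, then checks those against the permissions assumed to be granted on self by logging_send_audit_msgs(). SELF_RULES_AUDIT_MSGS is the reviewer's reading of refpolicy's logging.if and its permission-set macros, not copied from the tree, so verify it against your own policy sources.

```python
import re

# Constructed sample input: the AVC denials quoted in the patch description,
# decoded from the quoted-printable form in which they arrived.
SAMPLE_AVCS = """\
type=AVC msg=audit(1560913896.581:243): avc: denied { audit_write } for pid=1265 comm="rpm" capability=29 scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=capability permissive=1
type=AVC msg=audit(1561298132.446:240): avc: denied { create } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc: denied { write } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.446:241): avc: denied { nlmsg_relay } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
type=AVC msg=audit(1561298132.447:243): avc: denied { read } for pid=1266 comm="rpm" scontext=system_u:system_r:rpm_t:s0 tcontext=system_u:system_r:rpm_t:s0 tclass=netlink_audit_socket permissive=1
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)"
)

def summarize_denials(text):
    """Collapse AVC records into {(source_type, target_type, class): {perms}}."""
    needed = {}
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # not an AVC record (e.g. a SOFTWARE_UPDATE event)
        src_type = m.group("src").split(":")[2]  # user:role:type:level
        tgt_type = m.group("tgt").split(":")[2]
        key = (src_type, tgt_type, m.group("cls"))
        needed.setdefault(key, set()).update(m.group("perms").split())
    return needed

# ASSUMPTION (reviewer's reading of refpolicy logging.if; verify in your tree):
# logging_send_audit_msgs($1) allows, on self, these class -> permission sets,
# with create_netlink_socket_perms expanded to its member permissions.
SELF_RULES_AUDIT_MSGS = {
    "capability": {"audit_write"},
    "netlink_audit_socket": {"create", "read", "write", "getattr", "setattr",
                             "ioctl", "bind", "connect", "getopt", "setopt",
                             "shutdown", "append", "nlmsg_read", "nlmsg_write",
                             "nlmsg_relay"},
}

def uncovered(needed, self_rules):
    """Return the denials that a set of `allow X self:class perms` rules leaves unsatisfied."""
    missing = {}
    for (src, tgt, cls), perms in needed.items():
        # self rules only apply when the source and target types are the same
        granted = self_rules.get(cls, set()) if src == tgt else set()
        left = perms - granted
        if left:
            missing[(src, tgt, cls)] = left
    return missing

if __name__ == "__main__":
    needed = summarize_denials(SAMPLE_AVCS)
    for key, perms in sorted(needed.items()):
        print(key, sorted(perms))
    print("uncovered by logging_send_audit_msgs:", uncovered(needed, SELF_RULES_AUDIT_MSGS))
```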