LinuxLists.cc - [refpolicy] [RFC] Need for read

2013-11-04 21:42:10

Subject: [refpolicy] [RFC] Need for read_policy to use audit2allow?

Hi guys

I'm testing out the new userspace release and am now seemingly in need for
the read_policy permission (security class) when I want to use audit2allow.

The audit2allow command doesn't give any errors, it just doesn't display
anything beyond a module header. In the AVC logs I have something like this:

type=AVC msg=audit(1565426456.566:822): avc: denied { read_policy } for
pid=2660 comm="audit2allow" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023
tcontext=system_u:object_r:security_t:s0 tclass=security

If I allow this (here for sysadm_t) through selinux_read_policy(sysadm_t)
then audit2allow functions properly again.

With the previous userspace release I do not seem to need this, nor is
audit2allow running in any domain other than the one called by.

Is this expected behavior (considering it is a security class, I thought I
better ask)?

Wkr,
Sven Vermeulen

2013-11-07 14:07:42

by cpebenito

[permalink] [raw]

Subject: [refpolicy] [RFC] Need for read_policy to use audit2allow?

On 11/04/13 16:42, Sven Vermeulen wrote:
> Hi guys
>
> I'm testing out the new userspace release and am now seemingly in need for
> the read_policy permission (security class) when I want to use audit2allow.
>
> The audit2allow command doesn't give any errors, it just doesn't display
> anything beyond a module header. In the AVC logs I have something like this:
>
> type=AVC msg=audit(1565426456.566:822): avc: denied { read_policy } for
> pid=2660 comm="audit2allow" scontext=root:sysadm_r:sysadm_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:security_t:s0 tclass=security
>
> If I allow this (here for sysadm_t) through selinux_read_policy(sysadm_t)
> then audit2allow functions properly again.
>
> With the previous userspace release I do not seem to need this, nor is
> audit2allow running in any domain other than the one called by.
>
> Is this expected behavior (considering it is a security class, I thought I
> better ask)?

The permission means it's looking at /sys/fs/selinux/policy. I assume the behavior has been changed to look at that instead of looking at the policy.2x on disk, so it knows for certain its looking at the current policy. However, I haven't had a chance to dig through all of the Fedora patches that have been committed to the userspace tools yet, to confirm.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com