2017-09-11 22:02:37

by Mira Ressel

[permalink] [raw]
Subject: [refpolicy] [PATCH 1/3] logging: Various audit tools (auditctl, ausearch, etc) map their config and logs

Since there are few reasons to grant read access to audit logs other
than for using ausearch, I've added the map permission directly to the
relevant read interfaces.

I've checked some parts of the code; most of the mmaps happen inside
fdopen(fd, "rm") calls, which can fall back to read(). Hence, we may be
able to get away with dontaudits, too.
---
policy/modules/system/logging.if | 6 ++++++
policy/modules/system/logging.te | 3 ++-
2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 8633dfc4..44017b51 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -141,6 +141,7 @@ interface(`logging_read_audit_log',`

files_search_var($1)
read_files_pattern($1, auditd_log_t, auditd_log_t)
+ allow $1 auditd_log_t:file map;
allow $1 auditd_log_t:dir list_dir_perms;
')
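
Review bot: `logging_read_audit_log` now hands `map` to every existing caller, yet the commit message itself says the mmap inside `fdopen(fd, "rm")` falls back to `read()`, so most of those callers only need the denial silenced. Either make this line `dontaudit $1 auditd_log_t:file map;` or keep the allow in a separate interface that only the ausearch-style callers use; a generic read interface should not grow a permission its name does not promise.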

@@ -338,6 +339,7 @@ interface(`logging_manage_audit_config',`

files_search_etc($1)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+ allow $1 auditd_etc_t:file map;
')

########################################
@@ -359,6 +361,7 @@ interface(`logging_manage_audit_log',`
files_search_var($1)
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
+ allow $1 auditd_log_t:file map;
')

########################################
@@ -669,6 +672,7 @@ interface(`logging_read_audit_config',`

files_search_etc($1)
read_files_pattern($1, auditd_etc_t, auditd_etc_t)
+ allow $1 auditd_etc_t:file map;
allow $1 auditd_etc_t:dir list_dir_perms;
')

@@ -1196,9 +1200,11 @@ interface(`logging_admin_audit',`

manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+ allow $1 auditd_etc_t:file map;

manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
+ allow $1 auditd_log_t:file map;

manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
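
Review bot: `auditd_var_run_t` is managed right below but gets no `map`, while the etc and log types both do. If that is deliberate (nothing maps the pid file), a one-line comment saves the next person from "fixing" it; if not, the admin domain will hit the same denial as soon as it runs the tools this patch is about.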
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 5eeaece1..47280f44 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -104,6 +104,7 @@ allow auditctl_t self:process getcap;
allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;

read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+allow auditctl_t auditd_etc_t:file map;
allow auditctl_t auditd_etc_t:dir list_dir_perms;

# Needed for adding watches
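
Review bot: the same question as in the interfaces applies here: if auditctl reads its rules files through `fdopen(fd, "rm")` and falls back to `read()`, then `dontaudit auditctl_t auditd_etc_t:file map;` keeps the log quiet without widening what the rule-loading domain may do with the rules files. Decide allow versus dontaudit once, for the `.te` and `.if` hunks together.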
@@ -151,7 +152,7 @@ allow auditd_t self:fifo_file rw_fifo_file_perms;
allow auditd_t self:tcp_socket create_stream_socket_perms;

allow auditd_t auditd_etc_t:dir list_dir_perms;
-allow auditd_t auditd_etc_t:file read_file_perms;
+allow auditd_t auditd_etc_t:file { read_file_perms map };

manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t auditd_log_t:dir setattr;
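
Review bot: style: here `map` is folded into the permission set (`{ read_file_perms map }`), while every `.if` hunk appends a separate `allow ... map;` after the pattern macro. Pick one form; the separate line is the one that converts cleanly into a `dontaudit` if testing shows the `read()` fallback is enough.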
--
2.14.1
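
The commit message argues that, because the mmap inside fdopen(fd, "rm") falls back to read(), the map denials could be dontaudited rather than allowed. The script below is an added example and is not code from this patch series or from the audit userspace: a small audit2allow-style pass that groups AVC denials by source type, target type and object class and emits dontaudit rules for the permissions a reviewer has decided the program tolerates losing (here map) and allow rules for everything else, so the two choices can be compared side by side. The AVC records are constructed for the example; the staff_t domain for ausearch's caller, the pids, inodes and timestamps are assumptions, not output from a real system, though the field layout follows the kernel's AVC record format.

```python
"""Group SELinux AVC denials and emit allow/dontaudit refpolicy rules.

Added example; not part of the refpolicy patch or the audit userspace.
"""
import re
from collections import defaultdict

# Fields of an AVC record as the kernel writes them to the audit log.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}"
    r".*?scontext=(?P<scontext>\S+)"
    r"\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Extract the type from a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_denials(lines):
    """Return {(source type, target type, class): {denied permissions}}.

    Records that are not AVC denials (SYSCALL, PATH, ...) are ignored.
    """
    denied = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m:
            key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
            denied[key].update(m["perms"].split())
    return dict(denied)


def format_perms(perms):
    """refpolicy style: braces only around a set of several permissions."""
    perms = sorted(perms)
    return perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"


def generate_rules(lines, dontaudit_perms=frozenset({"map"})):
    """Emit one allow and/or dontaudit rule per (source, target, class).

    Permissions in dontaudit_perms are silenced rather than granted: the
    reviewer has decided the program copes with that denial (map here,
    because fdopen(fd, "rm") falls back to read()).  Everything else is
    allowed.
    """
    rules = []
    for (stype, ttype, tclass), perms in sorted(parse_denials(lines).items()):
        allowed = perms - dontaudit_perms
        silenced = perms & dontaudit_perms
        if allowed:
            rules.append(f"allow {stype} {ttype}:{tclass} {format_perms(allowed)};")
        if silenced:
            rules.append(f"dontaudit {stype} {ttype}:{tclass} {format_perms(silenced)};")
    return rules


# Constructed sample records (assumed values, not captured from a real system).
SAMPLE_AVC = [
    'type=AVC msg=audit(1505167357.001:101): avc:  denied  { map } for  pid=1201 comm="auditctl" path="/etc/audit/audit.rules" dev="sda1" ino=4101 scontext=system_u:system_r:auditctl_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file permissive=0',
    'type=AVC msg=audit(1505167357.002:102): avc:  denied  { map } for  pid=1202 comm="auditd" path="/etc/audit/auditd.conf" dev="sda1" ino=4102 scontext=system_u:system_r:auditd_t:s0-s15:c0.c1023 tcontext=system_u:object_r:auditd_etc_t:s15:c0.c1023 tclass=file permissive=0',
    'type=AVC msg=audit(1505167357.003:103): avc:  denied  { read } for  pid=1203 comm="ausearch" name="audit.log" dev="sda1" ino=5100 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1505167357.004:104): avc:  denied  { open } for  pid=1203 comm="ausearch" path="/var/log/audit/audit.log" dev="sda1" ino=5100 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1505167357.005:105): avc:  denied  { map } for  pid=1203 comm="ausearch" path="/var/log/audit/audit.log" dev="sda1" ino=5100 scontext=staff_u:staff_r:staff_t:s0 tcontext=system_u:object_r:auditd_log_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1505167357.005:105): arch=c000003e syscall=9 success=no exit=-13',
]

if __name__ == "__main__":
    print("\n".join(generate_rules(SAMPLE_AVC)))
```

Run directly, it prints dontaudit rules for the two map denials against auditd_etc_t and, for the staff_t caller, an allow for `{ open read }` next to a dontaudit for `map`. Passing an empty dontaudit set turns every line into an allow, which is the shape of the patch as posted; the difference between the two outputs is exactly what the "dontaudit instead" testing has to settle.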


2017-09-11 22:02:38

by Mira Ressel

[permalink] [raw]
Subject: [refpolicy] [PATCH 2/3] logging: Label /etc/audisp as auditd_etc_t

---
policy/modules/system/logging.fc | 1 +
policy/modules/system/logging.te | 1 +
2 files changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 0d8a4173..5c166aa9 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -3,6 +3,7 @@
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/etc/audisp(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
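
Review bot: `/etc/audisp(/.*)?` copies the `mls_systemhigh` context used for `/etc/audit`, so the dispatcher's plugin configuration ends up at the same sensitivity as the audit rules. Those files are not security-relevant in the same way; if they need a label of their own, a separate type (or at least `s0`) fits better. The commit message body is empty; it should say which denial prompted the relabel.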

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 47280f44..bbb01137 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -261,6 +261,7 @@ files_read_etc_runtime_files(audisp_t)

mls_file_write_all_levels(audisp_t)

+logging_read_audit_config(audisp_t)
logging_send_syslog_msg(audisp_t)

miscfiles_read_localization(audisp_t)
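
Review bot: `logging_read_audit_config(audisp_t)` only does anything together with the `.fc` change in this patch; nothing under `/etc/audisp` carries `auditd_etc_t` otherwise. And since that context is `mls_systemhigh`, the allow alone is not enough on an MLS policy if `audisp_t` runs below system high: the visible context grants `mls_file_write_all_levels(audisp_t)` but no read-across-levels privilege, so the MLS constraints would still stop the read.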
--
2.14.1

2017-09-11 22:02:39

by Mira Ressel

[permalink] [raw]
Subject: [refpolicy] [PATCH 3/3] miscfiles: Allow libfontconfig consumers to map the fonts cache

---
policy/modules/system/miscfiles.if | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 0e0ac3bf..e4918b47 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -151,6 +151,7 @@ interface(`miscfiles_read_fonts',`

allow $1 fonts_cache_t:dir list_dir_perms;
read_files_pattern($1, fonts_cache_t, fonts_cache_t)
+ allow $1 fonts_cache_t:file map;
read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
')
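
Review bot: `miscfiles_read_fonts` is a generic read interface, and this line gives `map` on `fonts_cache_t` to every domain that calls it, not only to those linked against libfontconfig. If the cache is really only ever read through libfontconfig's mmap, say so in the commit message, which is empty; otherwise a narrower interface for libfontconfig users keeps `map` off callers that only need `read`.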

--
2.14.1

2017-09-12 00:16:12

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH 1/3] logging: Various audit tools (auditctl, ausearch, etc) map their config and logs

On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote:
> Since there are few reasons to grant read access to audit logs other
> than for using ausearch, I've added the map permission directly to the
> relevant read interfaces.
>
> I've checked some parts of the code; most of the mmaps happen inside
> fdopen(fd, "rm") calls, which can fall back to read(). Hence, we may be
> able to get away with dontaudits, too.
> ---
> policy/modules/system/logging.if | 6 ++++++
> policy/modules/system/logging.te | 3 ++-
> 2 files changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
> index 8633dfc4..44017b51 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -141,6 +141,7 @@ interface(`logging_read_audit_log',`
>
> files_search_var($1)
> read_files_pattern($1, auditd_log_t, auditd_log_t)
> + allow $1 auditd_log_t:file map;
> allow $1 auditd_log_t:dir list_dir_perms;
> ')
>
> @@ -338,6 +339,7 @@ interface(`logging_manage_audit_config',`
>
> files_search_etc($1)
> manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
> + allow $1 auditd_etc_t:file map;
> ')
>
> ########################################
> @@ -359,6 +361,7 @@ interface(`logging_manage_audit_log',`
> files_search_var($1)
> manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
> manage_files_pattern($1, auditd_log_t, auditd_log_t)
> + allow $1 auditd_log_t:file map;
> ')
>
> ########################################
> @@ -669,6 +672,7 @@ interface(`logging_read_audit_config',`
>
> files_search_etc($1)
> read_files_pattern($1, auditd_etc_t, auditd_etc_t)
> + allow $1 auditd_etc_t:file map;
> allow $1 auditd_etc_t:dir list_dir_perms;
> ')
>
> @@ -1196,9 +1200,11 @@ interface(`logging_admin_audit',`
>
> manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
> manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
> + allow $1 auditd_etc_t:file map;
>
> manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
> manage_files_pattern($1, auditd_log_t, auditd_log_t)
> + allow $1 auditd_log_t:file map;
>
> manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
> manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 5eeaece1..47280f44 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -104,6 +104,7 @@ allow auditctl_t self:process getcap;
> allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
>
> read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
> +allow auditctl_t auditd_etc_t:file map;
> allow auditctl_t auditd_etc_t:dir list_dir_perms;
>
> # Needed for adding watches
> @@ -151,7 +152,7 @@ allow auditd_t self:fifo_file rw_fifo_file_perms;
> allow auditd_t self:tcp_socket create_stream_socket_perms;
>
> allow auditd_t auditd_etc_t:dir list_dir_perms;
> -allow auditd_t auditd_etc_t:file read_file_perms;
> +allow auditd_t auditd_etc_t:file { read_file_perms map };
>
> manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> allow auditd_t auditd_log_t:dir setattr;

I'm waiting on this, pending more testing on dontauditing the map instead.

--
Chris PeBenito

2017-09-12 00:19:23

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH 2/3] logging: Label /etc/audisp as auditd_etc_t

On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote:
> ---
> policy/modules/system/logging.fc | 1 +
> policy/modules/system/logging.te | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index 0d8a4173..5c166aa9 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -3,6 +3,7 @@
> /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
> +/etc/audisp(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
> /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
>
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 47280f44..bbb01137 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -261,6 +261,7 @@ files_read_etc_runtime_files(audisp_t)
>
> mls_file_write_all_levels(audisp_t)
>
> +logging_read_audit_config(audisp_t)
> logging_send_syslog_msg(audisp_t)
>
> miscfiles_read_localization(audisp_t)

I'm not clear why this is needed. I don't think this config should be
lumped in with auditd_etc_t, which includes audit rules (hence is system
high). The configuration for the dispatcher is not sensitive, nor
is it a security file like the audit rules are.

--
Chris PeBenito

2017-09-12 00:23:46

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH 3/3] miscfiles: Allow libfontconfig consumers to map the fonts cache

On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote:
> ---
> policy/modules/system/miscfiles.if | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index 0e0ac3bf..e4918b47 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -151,6 +151,7 @@ interface(`miscfiles_read_fonts',`
>
> allow $1 fonts_cache_t:dir list_dir_perms;
> read_files_pattern($1, fonts_cache_t, fonts_cache_t)
> + allow $1 fonts_cache_t:file map;
> read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
> ')

Are you sure that all users of this interface are from libfontconfig?
After looking at your other patches, I'm starting to wonder if more
abstract interfaces are worthwhile, similar to
seutil_libselinux_linked(). Then we could reasonably add the map in a
libfontconfig_linked() interface without fear of future users getting
unnecessary perms on this generic interface.

--
Chris PeBenito

2017-09-12 01:56:13

by Mira Ressel

[permalink] [raw]
Subject: [refpolicy] [PATCH 1/3] logging: Various audit tools (auditctl, ausearch, etc) map their config and logs

On Mon, 11 Sep 2017 20:16:12 -0400
Chris PeBenito via refpolicy <[email protected]> wrote:

> On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote:
> > Since there are few reasons to grant read access to audit logs other
> > than for using ausearch, I've added the map permission directly to
> > the relevant read interfaces.
> >
> > I've checked some parts of the code; most of the mmaps happen inside
> > fdopen(fd, "rm") calls, which can fall back to read(). Hence, we
> > may be able to get away with dontaudits, too.
> > ---
> > policy/modules/system/logging.if | 6 ++++++
> > policy/modules/system/logging.te | 3 ++-
> > 2 files changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/policy/modules/system/logging.if
> > b/policy/modules/system/logging.if index 8633dfc4..44017b51 100644
> > --- a/policy/modules/system/logging.if
> > +++ b/policy/modules/system/logging.if
> > @@ -141,6 +141,7 @@ interface(`logging_read_audit_log',`
> >
> > files_search_var($1)
> > read_files_pattern($1, auditd_log_t, auditd_log_t)
> > + allow $1 auditd_log_t:file map;
> > allow $1 auditd_log_t:dir list_dir_perms;
> > ')
> >
> > @@ -338,6 +339,7 @@ interface(`logging_manage_audit_config',`
> >
> > files_search_etc($1)
> > manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
> > + allow $1 auditd_etc_t:file map;
> > ')
> >
> > ########################################
> > @@ -359,6 +361,7 @@ interface(`logging_manage_audit_log',`
> > files_search_var($1)
> > manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
> > manage_files_pattern($1, auditd_log_t, auditd_log_t)
> > + allow $1 auditd_log_t:file map;
> > ')
> >
> > ########################################
> > @@ -669,6 +672,7 @@ interface(`logging_read_audit_config',`
> >
> > files_search_etc($1)
> > read_files_pattern($1, auditd_etc_t, auditd_etc_t)
> > + allow $1 auditd_etc_t:file map;
> > allow $1 auditd_etc_t:dir list_dir_perms;
> > ')
> >
> > @@ -1196,9 +1200,11 @@ interface(`logging_admin_audit',`
> >
> > manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
> > manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
> > + allow $1 auditd_etc_t:file map;
> >
> > manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
> > manage_files_pattern($1, auditd_log_t, auditd_log_t)
> > + allow $1 auditd_log_t:file map;
> >
> > manage_dirs_pattern($1, auditd_var_run_t,
> > auditd_var_run_t) manage_files_pattern($1, auditd_var_run_t,
> > auditd_var_run_t) diff --git a/policy/modules/system/logging.te
> > b/policy/modules/system/logging.te index 5eeaece1..47280f44 100644
> > --- a/policy/modules/system/logging.te
> > +++ b/policy/modules/system/logging.te
> > @@ -104,6 +104,7 @@ allow auditctl_t self:process getcap;
> > allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
> >
> > read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
> > +allow auditctl_t auditd_etc_t:file map;
> > allow auditctl_t auditd_etc_t:dir list_dir_perms;
> >
> > # Needed for adding watches
> > @@ -151,7 +152,7 @@ allow auditd_t self:fifo_file
> > rw_fifo_file_perms; allow auditd_t self:tcp_socket
> > create_stream_socket_perms;
> > allow auditd_t auditd_etc_t:dir list_dir_perms;
> > -allow auditd_t auditd_etc_t:file read_file_perms;
> > +allow auditd_t auditd_etc_t:file { read_file_perms map };
> >
> > manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> > allow auditd_t auditd_log_t:dir setattr;
>
> I'm waiting on this, pending more testing on dontauditing the map
> instead.
>

I've dug through the code a bit longer, and haven't found anything
other than fdopen() calls. I'll submit a patch with dontaudits.

2017-09-12 01:58:56

by Mira Ressel

[permalink] [raw]
Subject: [refpolicy] [PATCH 2/3] logging: Label /etc/audisp as auditd_etc_t

On Mon, 11 Sep 2017 20:19:23 -0400
Chris PeBenito via refpolicy <[email protected]> wrote:

> On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote:
> > ---
> > policy/modules/system/logging.fc | 1 +
> > policy/modules/system/logging.te | 1 +
> > 2 files changed, 2 insertions(+)
> >
> > diff --git a/policy/modules/system/logging.fc
> > b/policy/modules/system/logging.fc index 0d8a4173..5c166aa9 100644
> > --- a/policy/modules/system/logging.fc
> > +++ b/policy/modules/system/logging.fc
> > @@ -3,6 +3,7 @@
> > /etc/rsyslog.conf
> > gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf
> > gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)?
> > gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
> > +/etc/audisp(/.*)?
> > gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) /etc/rc\.d/init\.d/auditd
> > --
> > gen_context(system_u:object_r:auditd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rsyslog
> > -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
> > diff --git a/policy/modules/system/logging.te
> > b/policy/modules/system/logging.te index 47280f44..bbb01137 100644
> > --- a/policy/modules/system/logging.te +++
> > b/policy/modules/system/logging.te @@ -261,6 +261,7 @@
> > files_read_etc_runtime_files(audisp_t)
> > mls_file_write_all_levels(audisp_t)
> > +logging_read_audit_config(audisp_t)
> > logging_send_syslog_msg(audisp_t)
> >
> > miscfiles_read_localization(audisp_t)
>
> I'm not clear why this is needed. I don't think this config should
> be lumped in with auditd_etc_t, which includes audit rules (hence is
> system high). The configuration for the dispatcher is not sensitive,
> nor is it a security file like the audit rules are.
>

Sorry, on further consideration I agree with you.

2017-09-12 02:45:33

by Mira Ressel

[permalink] [raw]
Subject: [refpolicy] [PATCH 3/3] miscfiles: Allow libfontconfig consumers to map the fonts cache

On Mon, 11 Sep 2017 20:23:46 -0400
Chris PeBenito <[email protected]> wrote:

> On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote:
> > ---
> > policy/modules/system/miscfiles.if | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/system/miscfiles.if
> > b/policy/modules/system/miscfiles.if index 0e0ac3bf..e4918b47 100644
> > --- a/policy/modules/system/miscfiles.if
> > +++ b/policy/modules/system/miscfiles.if
> > @@ -151,6 +151,7 @@ interface(`miscfiles_read_fonts',`
> >
> > allow $1 fonts_cache_t:dir list_dir_perms;
> > read_files_pattern($1, fonts_cache_t, fonts_cache_t)
> > + allow $1 fonts_cache_t:file map;
> > read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
> > ')
>
> Are you sure that all users of this interface are from libfontconfig?
> After looking at your other patches, I'm starting to wonder if more
> abstract interfaces are worthwhile, similar to
> seutil_libselinux_linked(). Then we could reasonably add the map in
> a libfontconfig_linked() interface without fear of future users
> getting unnecessary perms on this generic interface.
>

Considering that the only path we're labeling fonts_cache_t
is /var/cache/fontconfig: Yes, I am pretty sure that only libfontconfig
consumers need access permissions for fonts_cache_t. :)

2017-09-12 22:55:47

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH 3/3] miscfiles: Allow libfontconfig consumers to map the fonts cache

On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote:
> ---
> policy/modules/system/miscfiles.if | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
> index 0e0ac3bf..e4918b47 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -151,6 +151,7 @@ interface(`miscfiles_read_fonts',`
>
> allow $1 fonts_cache_t:dir list_dir_perms;
> read_files_pattern($1, fonts_cache_t, fonts_cache_t)
> + allow $1 fonts_cache_t:file map;
> read_lnk_files_pattern($1, fonts_cache_t, fonts_cache_t)
> ')

Merged.

--
Chris PeBenito