2017-09-12 02:40:46

by Mira Ressel

[permalink] [raw]
Subject: [refpolicy] [PATCH v2] logging: Various audit tools (auditctl, ausearch, etc) map their config and logs

Those mmap() calls are non-essential, though. They're issued by
fdopen(), which can also fall back to read().

Since there are few reasons to grant read access to audit logs other
than for using ausearch, I've added the dontaudits directly to the
relevant read interfaces.
---
policy/modules/system/logging.if | 11 +++++++++++
policy/modules/system/logging.te | 2 ++
2 files changed, 13 insertions(+)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 90be7596b..3c843fd27 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -142,6 +142,8 @@ interface(`logging_read_audit_log',`
files_search_var($1)
read_files_pattern($1, auditd_log_t, auditd_log_t)
allow $1 auditd_log_t:dir list_dir_perms;
+
+ dontaudit $1 auditd_log_t:file map;
')

########################################
@@ -338,6 +340,8 @@ interface(`logging_manage_audit_config',`

files_search_etc($1)
manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+
+ dontaudit $1 auditd_etc_t:file map;
')

########################################
@@ -359,6 +363,8 @@ interface(`logging_manage_audit_log',`
files_search_var($1)
manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
manage_files_pattern($1, auditd_log_t, auditd_log_t)
+
+ dontaudit $1 auditd_log_t:file map;
')

########################################
@@ -670,6 +676,8 @@ interface(`logging_read_audit_config',`
files_search_etc($1)
read_files_pattern($1, auditd_etc_t, auditd_etc_t)
allow $1 auditd_etc_t:dir list_dir_perms;
+
+ dontaudit $1 auditd_etc_t:file map;
')

########################################
@@ -1206,6 +1214,9 @@ interface(`logging_admin_audit',`
logging_run_auditctl($1, $2)

init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
+
+ dontaudit $1 auditd_etc_t:file map;
+ dontaudit $1 auditd_log_t:file map;
')

########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 085b9267a..d05123862 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -105,6 +105,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;

read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
+dontaudit auditctl_t auditd_etc_t:file map;

# Needed for adding watches
files_getattr_all_dirs(auditctl_t)
@@ -152,6 +153,7 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;

allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;
+dontaudit auditd_t auditd_etc_t:file map;

manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t auditd_log_t:dir setattr;
--
2.14.1