2012-03-22 20:02:29

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/13] Numerous dontaudits

This set includes quite a few dontaudit updates on the policy that we have
running in Gentoo since the 20110726 policies and without feedback from
users that they are incorrect or that I'm missing something.

Now, handling dontaudits isn't easy: it's often much easier to find out why
you need to allow something (as the application otherwise breaks), whereas
finding denials that do not seem to have any influence on the system is a
lot harder to pin down.

But still, I guess it's okay to bring out these dontaudits in refpolicy;
either others can find flaws or confirm that they too dontaudit these
settings.


2012-03-22 20:06:57

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/13] Adding dontaudit interfaces for files module


Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/kernel/files.if | 36 ++++++++++++++++++++++++++++++++++++
1 files changed, 36 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index deb24b4..7df46ac 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1482,6 +1482,42 @@ interface(`files_dontaudit_list_all_mountpoints',`

########################################
## <summary>
+## Do not audit write attempts on mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to ignore write attempts from
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_write_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir write;
+')
+
+########################################
+## <summary>
+## Do not audit setattr attempts on mount points.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to ignore setattr attempts from
+## </summary>
+## </param>
+#
+interface(`files_dontaudit_setattr_all_mountpoints',`
+ gen_require(`
+ attribute mountpoint;
+ ')
+
+ dontaudit $1 mountpoint:dir setattr;
+')
+
+########################################
+## <summary>
## List the contents of the root directory.
## </summary>
## <param name="domain">
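Review bot: both new interfaces dontaudit against the whole `mountpoint` attribute, so every directory carrying that attribute goes quiet for the caller, and a genuine write or setattr failure by a domain using `files_dontaudit_write_all_mountpoints` or `files_dontaudit_setattr_all_mountpoints` will no longer appear in the audit log. The `<summary>` text should say the rule covers all mount point directories (the attribute), not just "mount points", so callers can judge the scope, and the indentation of the interface bodies should match the tab-indented style of the surrounding interfaces before this is merged.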
--
1.7.3.4

2012-03-22 20:07:41

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/13] Adding dontaudit on mozilla


Signed-off-by: Sven Vermeulen <[email protected]>
---
mozilla.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/mozilla.te b/mozilla.te
index d3510c2..7bb89fe 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -148,6 +148,7 @@ files_read_var_files(mozilla_t)
files_read_var_symlinks(mozilla_t)
files_dontaudit_getattr_boot_dirs(mozilla_t)

+fs_dontaudit_getattr_all_fs(mozilla_t)
fs_search_auto_mountpoints(mozilla_t)
fs_list_inotifyfs(mozilla_t)
fs_rw_tmpfs_files(mozilla_t)
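Review bot: `fs_dontaudit_getattr_all_fs(mozilla_t)` silences getattr on every filesystem type with no comment saying what triggers it. Add a one-line comment naming the operation that produced the denial (the cover letter says these were collected from denials with no visible effect), because a blanket filesystem getattr dontaudit also hides the case where the browser really is probing mounts it has no business seeing, and a later reader cannot tell the two apart from this line.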
--
1.7.3.4

2012-03-22 20:08:22

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/13] Adding dontaudit on mta


Signed-off-by: Sven Vermeulen <[email protected]>
---
mta.if | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/mta.if b/mta.if
index 343cee3..509bcea 100644
--- a/mta.if
+++ b/mta.if
@@ -174,6 +174,8 @@ interface(`mta_role',`
allow mta_user_agent $2:fd use;
allow mta_user_agent $2:process sigchld;
allow mta_user_agent $2:fifo_file { read write };
+
+ dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
')

########################################
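Review bot: the new rule uses `$1` as the target, but the surrounding rules in `mta_role` (`allow mta_user_agent $2:fd use;` and the two below it) treat `$2` as the user domain; `$1` is the role parameter, and a role cannot be the target of a `dontaudit` on `unix_stream_socket`, so this will not build. The target should be `$2`: `dontaudit mta_user_agent $2:unix_stream_socket rw_socket_perms;`.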
--
1.7.3.4

2012-03-22 20:08:59

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/13] Adding dontaudits for portage domains


Signed-off-by: Sven Vermeulen <[email protected]>
---
portage.te | 6 ++++++
1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/portage.te b/portage.te
index 4735035..88eac51 100644
--- a/portage.te
+++ b/portage.te
@@ -146,6 +146,8 @@ optional_policy(`
allow portage_t self:process { setfscreate setexec };
# - kill for mysql merging, at least
allow portage_t self:capability { sys_nice kill setfcap };
+dontaudit portage_t self:capability { dac_read_search };
+dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;

# user post-sync scripts
can_exec(portage_t, portage_conf_t)
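Review bot: `dontaudit portage_t self:capability { dac_read_search };` wraps a single permission in braces; refpolicy writes a lone permission bare (compare `allow portage_sandbox_t self:process ptrace;` later in this file), so drop the braces. The two `dontaudit` lines also come without a comment while the `allow` just above them documents its reason (`# - kill for mysql merging, at least`); say which merge step triggers the `dac_read_search` check and the `netlink_route_socket` traffic, so the next person can tell whether the capability is quietly being relied on.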
@@ -161,6 +163,7 @@ rsync_entry_domtrans(portage_t, portage_fetch_t)
allow portage_fetch_t portage_t:fd use;
allow portage_fetch_t portage_t:fifo_file rw_file_perms;
allow portage_fetch_t portage_t:process sigchld;
+dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };

# transition to sandbox for compiling
domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
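Review bot: `dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };` hides the fetcher's attempts to use the portage pty. If fetch progress is meant to reach the terminal, this should be an allow via an interface rather than a dontaudit; if it is not, a short comment saying where the output goes instead would stop someone from re-adding an allow later.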
@@ -169,10 +172,12 @@ allow portage_sandbox_t portage_t:fd use;
allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
allow portage_sandbox_t portage_t:process sigchld;
allow portage_sandbox_t self:process ptrace;
+dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;

# run scripts out of the build directory
can_exec(portage_t, portage_tmp_t)

+kernel_dontaudit_request_load_module(portage_t)
# merging baselayout will need this:
kernel_write_proc_files(portage_t)
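Review bot: this hunk mixes two unrelated additions, `dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;` in the sandbox block and `kernel_dontaudit_request_load_module(portage_t)` in the `portage_t` block, and the second sits directly above the `# merging baselayout will need this:` comment, which now reads as if it applied to both calls. Put a blank line between the new call and the comment, and say what in a merge asks the kernel to load a module: module-load requests from a package manager are exactly the kind of event an administrator may want to keep audited.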

@@ -288,6 +293,7 @@ files_search_var_lib(portage_fetch_t)
files_dontaudit_search_pids(portage_fetch_t)

logging_list_logs(portage_fetch_t)
+logging_dontaudit_search_logs(portage_fetch_t)

term_search_ptys(portage_fetch_t)
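Review bot: `logging_dontaudit_search_logs(portage_fetch_t)` is added right after `logging_list_logs(portage_fetch_t)`; listing a directory already includes search on it, and an allow takes precedence over a dontaudit for the same permission, so for the log directory type this dontaudit is a no-op. Check which types `logging_dontaudit_search_logs` covers beyond the ones `logging_list_logs` allows; if there are none, drop the call.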

--
1.7.3.4

2012-03-22 20:09:32

by sven.vermeulen

Subject: [refpolicy] [PATCH 5/6] Adding dontaudit for qemu


Signed-off-by: Sven Vermeulen <[email protected]>
---
qemu.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/qemu.te b/qemu.te
index 9cf9992..a75f91a 100644
--- a/qemu.te
+++ b/qemu.te
@@ -49,6 +49,7 @@ role system_r types qemu_t;
#
# qemu local policy
#
+dontaudit qemu_t self:socket create;

storage_raw_write_removable_device(qemu_t)
storage_raw_read_removable_device(qemu_t)
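Review bot: `dontaudit qemu_t self:socket create;` targets the generic `socket` class, which the kernel uses for socket families that have no dedicated SELinux class; a dontaudit here hides the one record that would reveal which family qemu is opening. Identify the family first and either use the matching class or add one; at a minimum add a comment naming the feature that triggers the check. Style: the new line sits directly under the `# qemu local policy` comment block with no blank line separating it.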
--
1.7.3.4

2012-03-22 20:10:13

by sven.vermeulen

Subject: [refpolicy] [PATCH 6/13] Adding dontaudit interfaces in sysnet


Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/sysnetwork.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 363e98d..58a7d89 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -66,6 +66,25 @@ interface(`sysnet_dontaudit_use_dhcpc_fds',`

########################################
## <summary>
+## Do not audit attempts to read/write to the
+## dhcp unix stream socket descriptors.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+#
+interface(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',`
+ gen_require(`
+ type dhcpc_t;
+ ')
+
+ dontaudit $1 dhcpc_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
## Send a SIGCHLD signal to the dhcp client.
## </summary>
## <param name="domain">
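Review bot: the `<summary>` says "read/write to the dhcp unix stream socket descriptors", but the rule is on the `unix_stream_socket` object itself (`dontaudit $1 dhcpc_t:unix_stream_socket { read write };`), not on file descriptors; descriptor use is already covered by the separate `sysnet_dontaudit_use_dhcpc_fds` interface named in the hunk header. Reword the summary to "Do not audit attempts to read or write the dhcp client's unix stream sockets." and fix the indentation of the interface body to match the neighbouring interfaces.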
--
1.7.3.4

2012-03-22 20:10:46

by sven.vermeulen

Subject: [refpolicy] [PATCH 7/13] Adding dontaudits for xserver


Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/services/xserver.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index e92dddf..f5ffb79 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -370,6 +370,8 @@ manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xdm_t, xserver_log_t, file)

+domain_dontaudit_search_all_domains_state(xserver_t)
+
kernel_read_system_state(xdm_t)
kernel_read_kernel_sysctls(xdm_t)
kernel_read_net_sysctls(xdm_t)
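Review bot: `domain_dontaudit_search_all_domains_state(xserver_t)` is inserted among rules for `xdm_t` (every surrounding line targets `xdm_t`). If the intended domain is `xserver_t`, move the call to the `xserver_t` section; if the denial came from the display manager, change the argument to `xdm_t`. The `scontext` of the audit record this was collected from settles which.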
--
1.7.3.4

2012-03-22 20:11:26

by sven.vermeulen

Subject: [refpolicy] [PATCH 8/13] Do not audit usage of a leaked file descriptor


Signed-off-by: Sven Vermeulen <[email protected]>
---
dbus.if | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/dbus.if b/dbus.if
index 1a1becd..fb4bf82 100644
--- a/dbus.if
+++ b/dbus.if
@@ -218,6 +218,8 @@ interface(`dbus_session_bus_client',`

# For connecting to the bus
allow $1 session_bus_type:unix_stream_socket connectto;
+
+ dontaudit $1 session_bus_type:fd use;
')

########################################
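Review bot: the subject calls this a leaked file descriptor, yet `dontaudit $1 session_bus_type:fd use;` is added unconditionally to `dbus_session_bus_client`. refpolicy guards dontaudits for this kind of breakage with ifdef(`hide_broken_symptoms', ...) (the `sudo_role_template` hunk in 12/13 of this series shows the pattern), so that the leak stays visible for whoever wants to fix it at the source; wrap the new line the same way, or add a comment explaining why it should be unconditional.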
--
1.7.3.4

2012-03-22 20:12:00

by sven.vermeulen

Subject: [refpolicy] [PATCH 9/13] Do not audit rw on dhcp client unix_stream_sockets


Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/hostname.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index c310775..5307361 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)

miscfiles_read_localization(hostname_t)

+sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
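Review bot: `sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)` calls an interface that does not exist until 6/13 of this series is applied, so this patch cannot be merged on its own; note the dependency in the commit message. The commit message should also say how `hostname_t` comes to hold a dhcp client socket (presumably an inherited descriptor, but the patch does not say), since a dontaudit on an inherited socket hides a descriptor leak rather than fixing it.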

--
1.7.3.4

2012-03-22 20:12:33

by sven.vermeulen

Subject: [refpolicy] [PATCH 10/13] Adding dontaudits for mount


Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/mount.te | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fba350b..57c2a00 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -89,7 +89,8 @@ files_read_isid_type_files(mount_t)
# For reading cert files
files_read_usr_files(mount_t)
files_list_mnt(mount_t)
-files_dontaudit_write_root_dirs(mount_t)
+files_dontaudit_write_all_mountpoints(mount_t)
+files_dontaudit_setattr_all_mountpoints(mount_t)

fs_getattr_xattr_fs(mount_t)
fs_getattr_cifs(mount_t)
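Review bot: this replaces `files_dontaudit_write_root_dirs(mount_t)` with the two all-mountpoints interfaces, which is only equivalent if the root directory type carries the `mountpoint` attribute; confirm it does, otherwise write denials on `/` by `mount_t` start appearing again. The commit message should also say which operation had mount writing to or changing attributes of mount point directories: silencing `write` and `setattr` on every mount point for a domain that runs as root is broad.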
@@ -113,6 +114,7 @@ storage_raw_read_removable_device(mount_t)
storage_raw_write_removable_device(mount_t)

term_use_all_terms(mount_t)
+term_dontaudit_manage_pty_dirs(mount_t)

auth_use_nsswitch(mount_t)
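Review bot: `term_dontaudit_manage_pty_dirs(mount_t)` silences create, delete and rename style access on pty directories, and the hunk does not say what triggers it. If this comes from mounting devpts, say so in a comment, and check whether a narrower interface (search or getattr on pty dirs) covers the actual denial before reaching for manage.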

--
1.7.3.4

2012-03-22 20:13:02

by sven.vermeulen

Subject: [refpolicy] [PATCH 11/13] Adding dontaudits for selinuxutil


Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/selinuxutil.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ab78aea..bc6e9b7 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -234,6 +234,8 @@ allow newrole_t self:unix_dgram_socket sendto;
allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };

+dontaudit newrole_t self:capability dac_read_search;
+
read_files_pattern(newrole_t, default_context_t, default_context_t)
read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
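Review bot: `dontaudit newrole_t self:capability dac_read_search;` is added without a comment. Check whether `newrole_t` already holds `dac_override`, which subsumes `dac_read_search`; if it does, either the denial never fires in practice and the line is dead, or it fires because the `dac_read_search` check is attempted first, in which case a comment should say so, since a silent capability check on a setuid login helper is worth explaining.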

--
1.7.3.4

2012-03-22 20:13:34

by sven.vermeulen

Subject: [refpolicy] [PATCH 12/13] Adding dontaudit for sudo


Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/admin/sudo.if | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 6e1de7a..095a505 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -136,6 +136,7 @@ template(`sudo_role_template',`
userdom_use_user_terminals($1_sudo_t)
# for some PAM modules and for cwd
userdom_dontaudit_search_user_home_content($1_sudo_t)
+ userdom_dontaudit_search_user_home_dirs($1_sudo_t)

ifdef(`hide_broken_symptoms', `
dontaudit $1_sudo_t $3:socket_class_set { read write };
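Review bot: `userdom_dontaudit_search_user_home_dirs($1_sudo_t)` is added under the existing `# for some PAM modules and for cwd` comment, so the comment now reads as covering both calls; confirm that is intended. Also check whether `userdom_dontaudit_search_user_home_content` already covers the home directory type; if it does, the new call is redundant.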
--
1.7.3.4

2012-03-22 20:14:04

by sven.vermeulen

Subject: [refpolicy] [PATCH 13/13] Adding dontaudits for raid


Signed-off-by: Sven Vermeulen <[email protected]>
---
raid.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/raid.te b/raid.te
index 3fd46f7..458d42e 100644
--- a/raid.te
+++ b/raid.te
@@ -57,6 +57,7 @@ domain_use_interactive_fds(mdadm_t)

files_read_etc_files(mdadm_t)
files_read_etc_runtime_files(mdadm_t)
+files_dontaudit_getattr_all_files(mdadm_t)

fs_search_auto_mountpoints(mdadm_t)
fs_dontaudit_list_tmpfs(mdadm_t)
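Review bot: `files_dontaudit_getattr_all_files(mdadm_t)` is about as wide as a dontaudit gets: getattr on every file type in the policy. If this comes from mdadm scanning for array members, the getattr belongs on device node types, not on all files; narrow it to the types the denials actually show, or add a comment with the concrete case, because a domain that silently fails to stat arbitrary files is hard to debug later.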
@@ -70,6 +71,7 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
storage_read_scsi_generic(mdadm_t)

term_dontaudit_list_ptys(mdadm_t)
+term_dontaudit_use_unallocated_ttys(mdadm_t)

init_dontaudit_getattr_initctl(mdadm_t)
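Review bot: `term_dontaudit_use_unallocated_ttys(mdadm_t)` is placed next to `term_dontaudit_list_ptys(mdadm_t)`, which is the right spot, but like the rest of this series it arrives with no comment; record where the inherited tty comes from (an init script or udev run, if that is the case) so the line is not later turned into an allow.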

--
1.7.3.4

2012-04-20 20:10:46

by cpebenito

Subject: [refpolicy] [PATCH 3/13] Adding dontaudit on mta

On 03/22/12 16:08, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> mta.if | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/mta.if b/mta.if
> index 343cee3..509bcea 100644
> --- a/mta.if
> +++ b/mta.if
> @@ -174,6 +174,8 @@ interface(`mta_role',`
> allow mta_user_agent $2:fd use;
> allow mta_user_agent $2:process sigchld;
> allow mta_user_agent $2:fifo_file { read write };
> +
> + dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
> ')
>
> ########################################

Does not work. $1 is a role.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:10:53

by cpebenito

Subject: [refpolicy] [PATCH 1/13] Adding dontaudit interfaces for files module

On 03/22/12 16:06, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/kernel/files.if | 36 ++++++++++++++++++++++++++++++++++++
> 1 files changed, 36 insertions(+), 0 deletions(-)

Merged. There were whitespace errors, please be mindful. Moved the dontaudit_setattr up in the file.

> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index deb24b4..7df46ac 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1482,6 +1482,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
>
> ########################################
> ## <summary>
> +## Do not audit write attempts on mount points.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to ignore write attempts from
> +## </summary>
> +## </param>
> +#
> +interface(`files_dontaudit_write_all_mountpoints',`
> + gen_require(`
> + attribute mountpoint;
> + ')
> +
> + dontaudit $1 mountpoint:dir write;
> +')
> +
> +########################################
> +## <summary>
> +## Do not audit setattr attempts on mount points.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to ignore setattr attempts from
> +## </summary>
> +## </param>
> +#
> +interface(`files_dontaudit_setattr_all_mountpoints',`
> + gen_require(`
> + attribute mountpoint;
> + ')
> +
> + dontaudit $1 mountpoint:dir setattr;
> +')
> +
> +########################################
> +## <summary>
> ## List the contents of the root directory.
> ## </summary>
> ## <param name="domain">


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:11:04

by cpebenito

Subject: [refpolicy] [PATCH 6/13] Adding dontaudit interfaces in sysnet

On 03/22/12 16:10, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/sysnetwork.if | 19 +++++++++++++++++++
> 1 files changed, 19 insertions(+), 0 deletions(-)

Merged. Fixed whitespace.

> diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
> index 363e98d..58a7d89 100644
> --- a/policy/modules/system/sysnetwork.if
> +++ b/policy/modules/system/sysnetwork.if
> @@ -66,6 +66,25 @@ interface(`sysnet_dontaudit_use_dhcpc_fds',`
>
> ########################################
> ## <summary>
> +## Do not audit attempts to read/write to the
> +## dhcp unix stream socket descriptors.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit.
> +## </summary>
> +## </param>
> +#
> +interface(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',`
> + gen_require(`
> + type dhcpc_t;
> + ')
> +
> + dontaudit $1 dhcpc_t:unix_stream_socket { read write };
> +')
> +
> +########################################
> +## <summary>
> ## Send a SIGCHLD signal to the dhcp client.
> ## </summary>
> ## <param name="domain">


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:11:27

by cpebenito

Subject: [refpolicy] [PATCH 7/13] Adding dontaudits for xserver

On 03/22/12 16:10, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/services/xserver.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index e92dddf..f5ffb79 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -370,6 +370,8 @@ manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
> manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
> logging_log_filetrans(xdm_t, xserver_log_t, file)
>
> +domain_dontaudit_search_all_domains_state(xserver_t)
> +
> kernel_read_system_state(xdm_t)
> kernel_read_kernel_sysctls(xdm_t)
> kernel_read_net_sysctls(xdm_t)

This is in xdm_t's section. Is it supposed to be xdm_t or is it supposed to be xserver_t? In either case, it needs to move.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:11:33

by cpebenito

Subject: [refpolicy] [PATCH 9/13] Do not audit rw on dhcp client unix_stream_sockets

On 03/22/12 16:12, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/hostname.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
> index c310775..5307361 100644
> --- a/policy/modules/system/hostname.te
> +++ b/policy/modules/system/hostname.te
> @@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)
>
> miscfiles_read_localization(hostname_t)
>
> +sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
> sysnet_read_config(hostname_t)
> sysnet_dns_name_resolve(hostname_t)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:12:07

by cpebenito

Subject: [refpolicy] [PATCH 10/13] Adding dontaudits for mount

On 03/22/12 16:12, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/mount.te | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index fba350b..57c2a00 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -89,7 +89,8 @@ files_read_isid_type_files(mount_t)
> # For reading cert files
> files_read_usr_files(mount_t)
> files_list_mnt(mount_t)
> -files_dontaudit_write_root_dirs(mount_t)
> +files_dontaudit_write_all_mountpoints(mount_t)
> +files_dontaudit_setattr_all_mountpoints(mount_t)
>
> fs_getattr_xattr_fs(mount_t)
> fs_getattr_cifs(mount_t)
> @@ -113,6 +114,7 @@ storage_raw_read_removable_device(mount_t)
> storage_raw_write_removable_device(mount_t)
>
> term_use_all_terms(mount_t)
> +term_dontaudit_manage_pty_dirs(mount_t)
>
> auth_use_nsswitch(mount_t)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:12:15

by cpebenito

Subject: [refpolicy] [PATCH 2/13] Adding dontaudit on mozilla

On 03/22/12 16:07, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> mozilla.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/mozilla.te b/mozilla.te
> index d3510c2..7bb89fe 100644
> --- a/mozilla.te
> +++ b/mozilla.te
> @@ -148,6 +148,7 @@ files_read_var_files(mozilla_t)
> files_read_var_symlinks(mozilla_t)
> files_dontaudit_getattr_boot_dirs(mozilla_t)
>
> +fs_dontaudit_getattr_all_fs(mozilla_t)
> fs_search_auto_mountpoints(mozilla_t)
> fs_list_inotifyfs(mozilla_t)
> fs_rw_tmpfs_files(mozilla_t)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:12:20

by cpebenito

Subject: [refpolicy] [PATCH 4/13] Adding dontaudits for portage domains

On 03/22/12 16:08, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> portage.te | 6 ++++++
> 1 files changed, 6 insertions(+), 0 deletions(-)

Merged.

> diff --git a/portage.te b/portage.te
> index 4735035..88eac51 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -146,6 +146,8 @@ optional_policy(`
> allow portage_t self:process { setfscreate setexec };
> # - kill for mysql merging, at least
> allow portage_t self:capability { sys_nice kill setfcap };
> +dontaudit portage_t self:capability { dac_read_search };
> +dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
>
> # user post-sync scripts
> can_exec(portage_t, portage_conf_t)
> @@ -161,6 +163,7 @@ rsync_entry_domtrans(portage_t, portage_fetch_t)
> allow portage_fetch_t portage_t:fd use;
> allow portage_fetch_t portage_t:fifo_file rw_file_perms;
> allow portage_fetch_t portage_t:process sigchld;
> +dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
>
> # transition to sandbox for compiling
> domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
> @@ -169,10 +172,12 @@ allow portage_sandbox_t portage_t:fd use;
> allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
> allow portage_sandbox_t portage_t:process sigchld;
> allow portage_sandbox_t self:process ptrace;
> +dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>
> # run scripts out of the build directory
> can_exec(portage_t, portage_tmp_t)
>
> +kernel_dontaudit_request_load_module(portage_t)
> # merging baselayout will need this:
> kernel_write_proc_files(portage_t)
>
> @@ -288,6 +293,7 @@ files_search_var_lib(portage_fetch_t)
> files_dontaudit_search_pids(portage_fetch_t)
>
> logging_list_logs(portage_fetch_t)
> +logging_dontaudit_search_logs(portage_fetch_t)
>
> term_search_ptys(portage_fetch_t)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:12:25

by cpebenito

Subject: [refpolicy] [PATCH 5/6] Adding dontaudit for qemu

On 03/22/12 16:09, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> qemu.te | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/qemu.te b/qemu.te
> index 9cf9992..a75f91a 100644
> --- a/qemu.te
> +++ b/qemu.te
> @@ -49,6 +49,7 @@ role system_r types qemu_t;
> #
> # qemu local policy
> #
> +dontaudit qemu_t self:socket create;
>
> storage_raw_write_removable_device(qemu_t)
> storage_raw_read_removable_device(qemu_t)

I'm more interested in finding out what kind of socket this is, so we can create an appropriate object class.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:12:30

by cpebenito

Subject: [refpolicy] [PATCH 8/13] Do not audit usage of a leaked file descriptor

On 03/22/12 16:11, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> dbus.if | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/dbus.if b/dbus.if
> index 1a1becd..fb4bf82 100644
> --- a/dbus.if
> +++ b/dbus.if
> @@ -218,6 +218,8 @@ interface(`dbus_session_bus_client',`
>
> # For connecting to the bus
> allow $1 session_bus_type:unix_stream_socket connectto;
> +
> + dontaudit $1 session_bus_type:fd use;
> ')
>
> ########################################

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:13:32

by cpebenito

Subject: [refpolicy] [PATCH 13/13] Adding dontaudits for raid

On 03/22/12 16:14, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> raid.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)

Merged.

> diff --git a/raid.te b/raid.te
> index 3fd46f7..458d42e 100644
> --- a/raid.te
> +++ b/raid.te
> @@ -57,6 +57,7 @@ domain_use_interactive_fds(mdadm_t)
>
> files_read_etc_files(mdadm_t)
> files_read_etc_runtime_files(mdadm_t)
> +files_dontaudit_getattr_all_files(mdadm_t)
>
> fs_search_auto_mountpoints(mdadm_t)
> fs_dontaudit_list_tmpfs(mdadm_t)
> @@ -70,6 +71,7 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
> storage_read_scsi_generic(mdadm_t)
>
> term_dontaudit_list_ptys(mdadm_t)
> +term_dontaudit_use_unallocated_ttys(mdadm_t)
>
> init_dontaudit_getattr_initctl(mdadm_t)
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:13:35

by cpebenito

Subject: [refpolicy] [PATCH 12/13] Adding dontaudit for sudo

On 03/22/12 16:13, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/admin/sudo.if | 1 +
> 1 files changed, 1 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 6e1de7a..095a505 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -136,6 +136,7 @@ template(`sudo_role_template',`
> userdom_use_user_terminals($1_sudo_t)
> # for some PAM modules and for cwd
> userdom_dontaudit_search_user_home_content($1_sudo_t)
> + userdom_dontaudit_search_user_home_dirs($1_sudo_t)
>
> ifdef(`hide_broken_symptoms', `
> dontaudit $1_sudo_t $3:socket_class_set { read write };

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-20 20:13:42

by cpebenito

Subject: [refpolicy] [PATCH 11/13] Adding dontaudits for selinuxutil

On 03/22/12 16:13, Sven Vermeulen wrote:
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/selinuxutil.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index ab78aea..bc6e9b7 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -234,6 +234,8 @@ allow newrole_t self:unix_dgram_socket sendto;
> allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
>
> +dontaudit newrole_t self:capability dac_read_search;
> +
> read_files_pattern(newrole_t, default_context_t, default_context_t)
> read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)

On the fence with this one. It already has dac_override, which is a superset of dac_read_search.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-04-21 16:12:32

by sven.vermeulen

Subject: [refpolicy] [PATCH 5/6] Adding dontaudit for qemu

On Fri, Apr 20, 2012 at 10:12 PM, Christopher J. PeBenito
<[email protected]> wrote:
>> +dontaudit qemu_t self:socket create;
>
> I'm more interested in finding out what kind of socket this is, so we can create an appropriate object class.

Ok, trying to figure that out now. No luck with just querying though:

Apr 21 17:53:04 hpl kernel: [90637.251881] type=1400
audit(1335023584.573:457): avc: granted { create } for pid=28083
comm="qemu-system-x86" scontext=staff_u:sysadm_r:qemu_t
tcontext=staff_u:sysadm_r:qemu_t tclass=socket

Doesn't give much. An lsof shows:

# lsof -p 28083
qemu-syst 28083 swift 8u unix 0x0000000000000000 0t0
80203 socket
qemu-syst 28083 swift 9u unix 0x0000000000000000 0t0
80204 /tmp/vde.28083-00003

but I don't know how to find out more about this socket. It is related
to qemu's VDE networking virtualization (if I drop the "-net
vde,vlan=0" I don't get the attempt to create a socket) but doesn't
seem to be necessary.

/tmp/vde.28083-00003 is of type vde_tmp_t (cfr. patch/RFC regarding
VDE support sent a while ago)

If anyone knows of a good resource that I can read on debugging
sockets, I'd love to hear about it.

Wkr,
Sven Vermeulen
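One way to answer the question in this message, added here as an illustration and not qemu, lsof or refpolicy code: /proc/<pid>/fd links a socket descriptor as socket:[<inode>], and each socket family the kernel exposes lists its sockets, with inode numbers, in a /proc/net table, so joining the two tells you the family and, for named unix sockets, the path. An inode that appears in none of the common tables is the interesting one, because tclass=socket in an AVC record means the kernel found no dedicated SELinux class for that socket's family. The column positions follow the /proc/net formats; the sample fd table and /proc/net contents are constructed, modelled on the lsof output above.

```python
"""Resolve which socket family a process's socket descriptors belong to.

Added illustration for the debugging question above; it is not qemu, lsof or
refpolicy code.  /proc/<pid>/fd links sockets as "socket:[<inode>]", and each
socket family the kernel exposes lists its sockets, with inode numbers, in a
/proc/net table.  Joining the two identifies the family.  When the AVC reports
tclass=socket, the kernel found no dedicated SELinux class for the family, so
a socket inode that matches none of the common tables below is the candidate.
Column positions follow the /proc/net formats; the sample fd table and
/proc/net contents are constructed, modelled on the lsof output in the thread.
"""
import os
import re

# /proc/net table name -> (family label, whitespace-split column holding the inode)
TABLES = {
    "unix": ("unix", 6),
    "tcp": ("inet/tcp", 9),
    "tcp6": ("inet6/tcp", 9),
    "udp": ("inet/udp", 9),
    "udp6": ("inet6/udp", 9),
    "netlink": ("netlink", 9),
    "packet": ("packet", 8),
}
SOCKET_LINK_RE = re.compile(r"^socket:\[(\d+)\]$")


def socket_inodes(fd_links):
    """{fd: link target} from /proc/<pid>/fd -> {fd: inode} for sockets only."""
    out = {}
    for fd, target in fd_links.items():
        m = SOCKET_LINK_RE.match(target)
        if m:
            out[fd] = int(m.group(1))
    return out


def index_tables(tables):
    """{table name: text} -> {inode: (family, detail)}; detail is the path
    for named unix sockets and empty otherwise."""
    index = {}
    for name, text in tables.items():
        family, col = TABLES[name]
        for row in text.splitlines()[1:]:          # first line is the header
            fields = row.split()
            if len(fields) <= col:
                continue
            detail = fields[col + 1] if name == "unix" and len(fields) > col + 1 else ""
            index[int(fields[col])] = (family, detail)
    return index


def classify(fd_links, tables):
    """{fd: (inode, family, detail)}; family is "unknown" when no table lists
    the inode, which is the case a tclass=socket record points at."""
    index = index_tables(tables)
    return {fd: (inode,) + index.get(inode, ("unknown", ""))
            for fd, inode in socket_inodes(fd_links).items()}


def read_live(pid):
    """Classify the sockets of a running process from the real /proc (Linux)."""
    fd_dir = "/proc/%d/fd" % pid
    links = {int(fd): os.readlink(os.path.join(fd_dir, fd)) for fd in os.listdir(fd_dir)}
    tables = {}
    for name in TABLES:
        path = "/proc/%d/net/%s" % (pid, name)   # the process's own netns view
        if os.path.exists(path):
            with open(path) as f:
                tables[name] = f.read()
    return classify(links, tables)


# Constructed sample: fd 9 is the VDE control socket seen in the thread's lsof
# output; fd 8 and fd 10 are invented to show the unknown and netlink cases.
SAMPLE_FD_LINKS = {
    0: "/dev/pts/3",
    8: "socket:[80203]",
    9: "socket:[80204]",
    10: "socket:[80205]",
}
SAMPLE_TABLES = {
    "unix": (
        "Num       RefCount Protocol Flags    Type St Inode Path\n"
        "ffff880000000000: 00000002 00000000 00010000 0001 01 80204 /tmp/vde.28083-00003\n"
    ),
    "netlink": (
        "sk       Eth Pid    Groups   Rmem     Wmem     Dump     Locks     Drops     Inode\n"
        "ffff880000000001 0   28083  00000000 0        0        0 2        0        80205\n"
    ),
}

if __name__ == "__main__":
    import sys
    pid = int(sys.argv[1]) if len(sys.argv) > 1 else None
    result = read_live(pid) if pid else classify(SAMPLE_FD_LINKS, SAMPLE_TABLES)
    for fd, info in sorted(result.items()):
        print("fd %d: inode=%d family=%s %s" % ((fd,) + info))
```

Run it with a PID as the argument on a live Linux box to classify that process's sockets, or without arguments to see the constructed sample; a descriptor reported as unknown is the one whose family still needs to be identified from the program's socket() call before a policy class can be chosen for it.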

2012-04-23 12:28:08

by cpebenito

Subject: [refpolicy] [PATCH 5/6] Adding dontaudit for qemu

On 04/21/12 12:12, Sven Vermeulen wrote:
> On Fri, Apr 20, 2012 at 10:12 PM, Christopher J. PeBenito
> <[email protected]> wrote:
>>> +dontaudit qemu_t self:socket create;
>>
>> I'm more interested in finding out what kind of socket this is, so we can create an appropriate object class.
>
> Ok, trying to figure that out now. No luck with just querying though:
>
> Apr 21 17:53:04 hpl kernel: [90637.251881] type=1400
> audit(1335023584.573:457): avc: granted { create } for pid=28083
> comm="qemu-system-x86" scontext=staff_u:sysadm_r:qemu_t
> tcontext=staff_u:sysadm_r:qemu_t tclass=socket
>
> Doesn't give much. An lsof shows:
>
> # lsof -p 28083
> qemu-syst 28083 swift 8u unix 0x0000000000000000 0t0
> 80203 socket
> qemu-syst 28083 swift 9u unix 0x0000000000000000 0t0
> 80204 /tmp/vde.28083-00003
>
> but I don't know how to find out more about this socket. It is related
> to qemu's VDE networking virtualization (if I drop the "-net
> vde,vlan=0" I don't get the attempt to create a socket) but doesn't
> seem to be necessary.
>
> /tmp/vde.28083-00003 is of type vde_tmp_t (cfr. patch/RFC regarding
> VDE support sent a while ago)
>
> If anyone knows of a good resource that I can read on debugging
> sockets, I'd love to hear about it.

The audit subsystem's messages might be more useful. The last time something like this came around, I ended up looking at the code itself. It shouldn't be too bad to grep through the code for socket() calls and see what the socket domain/type is.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com