2017-08-12 09:52:18

by Nicolas Iooss

Subject: [refpolicy] [PATCH 1/1] audit: allow reading /etc/localtime

When auditctl logs a message to syslog, it needs to read /etc/localtime.
This is currently denied:

avc: denied { read } for pid=191 comm="auditctl" name="UTC"
dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1
avc: denied { open } for pid=191 comm="auditctl"
path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1

This occurs for example at boot time when "/usr/bin/augenrules --load"
is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
--load":

[pid 635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R",
"/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
...
[pid 635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No
such file or directory)
[pid 635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
[pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
[pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
[pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127
[pid 635] lseek(4, -71, SEEK_CUR) = 56
[pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71
[pid 635] close(4) = 0
[pid 635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid 635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
[pid 635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file
/etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL,
NULL, 0) = 81
[pid 635] exit_group(0) = ?

More precisely, auditctl uses vsyslog() from glibc, which uses
localtime_r() to fetch the time in the local timezone.

[1] On a systemd system, this command is automatically run by the
auditd.service unit, cf.
https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21
---
policy/modules/system/logging.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index d87581360e2d..b9bebb56aba1 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -118,6 +118,8 @@ kernel_setsched(auditctl_t)
domain_read_all_domains_state(auditctl_t)
domain_use_interactive_fds(auditctl_t)

+miscfiles_read_localization(auditctl_t)
+
mls_file_read_all_levels(auditctl_t)

term_use_all_terms(auditctl_t)
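Review bot: the new call is placed between domain_use_interactive_fds(auditctl_t) and mls_file_read_all_levels(auditctl_t), but refpolicy orders interface calls by layer (kernel-layer interfaces such as domain_*, mls_* and term_* first, then system-layer ones like miscfiles_*), alphabetically within each group, so miscfiles_read_localization(auditctl_t) belongs further down, in the system-layer block after term_use_all_terms(auditctl_t). The interface itself is the right choice over a raw allow rule: both denials are on locale_t files (the /usr/share/zoneinfo target that /etc/localtime resolves to in the strace), which is exactly what miscfiles_read_localization grants read access to.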
--
2.14.1

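The denials above were collected in permissive mode and then translated by hand into a refpolicy interface call. As an added example (not part of the patch or of refpolicy's tooling), the following script does the mechanical part of that work the way audit2allow would: it re-joins AVC records that e-mail wrapped onto several lines, parses each record, groups the denied permissions by (source type, target type, object class) and emits the equivalent raw allow rule. The sample input is the two denials quoted in the patch description; the function names are this example's own. In refpolicy the raw rule is only a hint, and the fix is the interface the patch uses, miscfiles_read_localization(), which covers locale_t.

```python
import re
from collections import defaultdict

# Constructed sample: the two AVC denials from the patch description, exactly
# as they appear wrapped in the e-mail (continuation lines do not start with
# "avc:").
SAMPLE_TEXT = """\
avc: denied { read } for pid=191 comm="auditctl" name="UTC"
dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1
avc: denied { open } for pid=191 comm="auditctl"
path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1
"""

_AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$')
# key=value pairs; values are either double-quoted (may contain spaces) or bare.
_FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def join_wrapped(text):
    """Re-join AVC records whose fields were wrapped onto continuation lines."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('avc:') or not records:
            records.append(line)
        else:
            records[-1] += ' ' + line
    return records


def context_type(ctx):
    """Return the type field of a security context (user:role:type[:range])."""
    parts = ctx.split(':')
    if len(parts) < 3:
        raise ValueError('malformed security context: %r' % ctx)
    return parts[2]


def parse_avc(record):
    """Parse one AVC denial record into a dict; return None for non-AVC input."""
    m = _AVC_RE.search(record)
    if not m:
        return None
    fields = {}
    for key, _value, quoted, bare in _FIELD_RE.findall(m.group('fields')):
        fields[key] = quoted if quoted else bare
    if any(k not in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': frozenset(m.group('perms').split()),
        'source': context_type(fields['scontext']),
        'target': context_type(fields['tcontext']),
        'tclass': fields['tclass'],
        'comm': fields.get('comm'),
        # The kernel logs either a full path or just the last path component.
        'path': fields.get('path') or fields.get('name'),
        # permissive=1 means the access was allowed anyway and only logged.
        'permissive': fields.get('permissive') == '1',
    }


def aggregate(records):
    """Union denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for record in records:
        d = parse_avc(record)
        if d is not None:
            rules[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return rules


def render_allow_rules(rules):
    """Emit audit2allow-style raw allow rules, sorted for stable output."""
    out = []
    for (src, tgt, cls), perms in sorted(rules.items()):
        body = ' '.join(sorted(perms))
        if len(perms) > 1:
            body = '{ %s }' % body
        out.append('allow %s %s:%s %s;' % (src, tgt, cls, body))
    return out


def rules_from_text(text):
    """Full pipeline: wrapped log text in, raw allow rules out."""
    return render_allow_rules(aggregate(join_wrapped(text)))


if __name__ == '__main__':
    for rule in rules_from_text(SAMPLE_TEXT):
        print(rule)
```

On the sample input the output is a single rule for auditctl_t on locale_t:file with the open and read permissions merged from the two records; the parsed dicts also carry permissive=True, a reminder that the trace was taken with the domain permissive and that a second pass in enforcing mode may surface further denials once the first one is fixed.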

2017-08-13 23:53:23

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/1] audit: allow reading /etc/localtime

On 08/12/2017 05:52 AM, Nicolas Iooss via refpolicy wrote:
> When auditctl logs a message to syslog, it needs to read /etc/localtime.
> This is currently denied:
>
> avc: denied { read } for pid=191 comm="auditctl" name="UTC"
> dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
> tcontext=system_u:object_r:locale_t tclass=file permissive=1
> avc: denied { open } for pid=191 comm="auditctl"
> path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
> scontext=system_u:system_r:auditctl_t
> tcontext=system_u:object_r:locale_t tclass=file permissive=1
>
> This occurs for example at boot time when "/usr/bin/augenrules --load"
> is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
> --load":
>
> [pid 635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R",
> "/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
> ...
> [pid 635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No
> such file or directory)
> [pid 635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
> [pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
> [pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
> [pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127
> [pid 635] lseek(4, -71, SEEK_CUR) = 56
> [pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71
> [pid 635] close(4) = 0
> [pid 635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
> [pid 635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
> [pid 635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file
> /etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL,
> NULL, 0) = 81
> [pid 635] exit_group(0) = ?
>
> More precisely, auditctl uses vsyslog() from glibc, which uses
> localtime_r() to fetch the time in the local timezone.
>
> [1] On a systemd system, this command is automatically run by the
> auditd.service unit, cf.
> https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21
> ---
> policy/modules/system/logging.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index d87581360e2d..b9bebb56aba1 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -118,6 +118,8 @@ kernel_setsched(auditctl_t)
> domain_read_all_domains_state(auditctl_t)
> domain_use_interactive_fds(auditctl_t)
>
> +miscfiles_read_localization(auditctl_t)
> +
> mls_file_read_all_levels(auditctl_t)
>
> term_use_all_terms(auditctl_t)

Merged, though I moved the line.

--
Chris PeBenito