From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 13 Aug 2017 19:53:23 -0400
Subject: [refpolicy] [PATCH 1/1] audit: allow reading /etc/localtime
In-Reply-To: <20170812095218.23124-1-nicolas.iooss@m4x.org>
References: <20170812095218.23124-1-nicolas.iooss@m4x.org>
Message-ID: <8da6dca9-2f91-aa29-a178-3ca2a9453dae@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 08/12/2017 05:52 AM, Nicolas Iooss via refpolicy wrote:
> When auditctl logs a message to syslog, it needs to read /etc/localtime.
> This is currently denied:
>
> avc: denied { read } for pid=191 comm="auditctl" name="UTC"
> dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
> tcontext=system_u:object_r:locale_t tclass=file permissive=1
> avc: denied { open } for pid=191 comm="auditctl"
> path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
> scontext=system_u:system_r:auditctl_t
> tcontext=system_u:object_r:locale_t tclass=file permissive=1
>
> This occurs for example at boot time when "/usr/bin/augenrules --load"
> is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
> --load":
>
> [pid 635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R",
> "/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
> ...
> [pid 635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No > such file or directory) > [pid 635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4 > [pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0 > [pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0 > [pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127 > [pid 635] lseek(4, -71, SEEK_CUR) = 56 > [pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71 > [pid 635] close(4) = 0 > [pid 635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4 > [pid 635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0 > [pid 635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file > /etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL, > NULL, 0) = 81 > [pid 635] exit_group(0) = ? > > More precisely, auditctl uses vsyslog() from glibc, which uses > localtime_r() to fetch the time is in local timezone. > > [1] On a systemd system, this command is automatically run by > auditd.service unit, cf. > https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21 > --- > policy/modules/system/logging.te | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te > index d87581360e2d..b9bebb56aba1 100644 > --- a/policy/modules/system/logging.te > +++ b/policy/modules/system/logging.te > @@ -118,6 +118,8 @@ kernel_setsched(auditctl_t) > domain_read_all_domains_state(auditctl_t) > domain_use_interactive_fds(auditctl_t) > > +miscfiles_read_localization(auditctl_t) > + > mls_file_read_all_levels(auditctl_t) > > term_use_all_terms(auditctl_t) Merged, though I moved the line. -- Chris PeBenito
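Review bot: the new miscfiles_read_localization(auditctl_t) line in the logging.te hunk is inserted between domain_use_interactive_fds(auditctl_t) and mls_file_read_all_levels(auditctl_t), which puts a system-layer interface in the middle of the kernel-layer block; refpolicy keeps the kernel-layer calls (domain_*, mls_*, term_*) together first and lists the system-layer calls such as miscfiles_* after them, in alphabetical order. Move the line below term_use_all_terms(auditctl_t), among the other system-layer calls, which is consistent with the maintainer's reply that the line was moved on merge. The interface itself is the right choice: both denials have tcontext type locale_t on class file (the /usr/share/zoneinfo/UTC target behind /etc/localtime) and only read and open were denied, and miscfiles_read_localization grants exactly read access to locale_t.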
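The step the patch description walks through, from the two AVC denials to the refpolicy interface that covers them, as an added example that is not part of this thread and not refpolicy or audit-userspace code: a small Python parser that groups denials by source type, target type and object class, prints the raw allow rule audit2allow would emit for each group, and substitutes the refpolicy interface when the target type is in a lookup table and the denied permissions are nothing more than a read. The first two sample lines are the denials from the commit message re-joined onto one line each; the third (example_t writing a var_run_t file, in audit.log form) and the interface table are constructed for the example, with only the locale_t entry taken from this patch.

```python
import re
from collections import defaultdict

# Constructed sample input. The first two lines are the denials quoted in the
# patch description, re-joined onto one line each as the audit log prints them;
# the third is a made-up denial (example_t / var_run_t) in audit.log form,
# added only to show a pair that has no interface mapping.
SAMPLE_AVC = """\
avc: denied { read } for pid=191 comm="auditctl" name="UTC" dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t tcontext=system_u:object_r:locale_t tclass=file permissive=1
avc: denied { open } for pid=191 comm="auditctl" path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t tcontext=system_u:object_r:locale_t tclass=file permissive=1
type=AVC msg=audit(1502528393.123:42): avc:  denied  { write } for  pid=200 comm="example" path="/run/example.pid" dev="tmpfs" ino=7 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# refpolicy's read_file_perms set: a denial whose perms fit inside it is a
# plain read of the target and can be covered by a *_read_* interface.
READ_FILE_PERMS = {'getattr', 'open', 'read', 'lock', 'ioctl'}

# Assumed lookup, constructed for this example rather than extracted from
# refpolicy: (target type, class) -> interface granting read access to it.
# Only the locale_t entry comes from this patch.
READ_INTERFACES = {
    ('locale_t', 'file'): 'miscfiles_read_localization',
}


def parse_avc(line):
    """Return the parsed denial as a dict, or None if the line is not an AVC denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('fields'))}
    if not all(k in fields for k in ('scontext', 'tcontext', 'tclass')):
        return None
    return {
        'perms': set(m.group('perms').split()),
        # contexts are user:role:type[:range]; the type is the third component
        'stype': fields['scontext'].split(':')[2],
        'ttype': fields['tcontext'].split(':')[2],
        'tclass': fields['tclass'],
        'permissive': fields.get('permissive') == '1',
        'fields': fields,
    }


def group_denials(text):
    """Merge denials with the same (source type, target type, class) into one perm set."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        d = parse_avc(line)
        if d is not None:
            grouped[(d['stype'], d['ttype'], d['tclass'])] |= d['perms']
    return dict(grouped)


def allow_rule(stype, ttype, tclass, perms):
    """The raw allow rule audit2allow would print for one group."""
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def suggest(text):
    """One policy line per group: the refpolicy interface when one is known and
    the denied perms are only a read, otherwise the raw allow rule."""
    out = []
    for (stype, ttype, tclass), perms in sorted(group_denials(text).items()):
        iface = READ_INTERFACES.get((ttype, tclass))
        if iface and perms <= READ_FILE_PERMS:
            out.append(f"{iface}({stype})")
        else:
            out.append(allow_rule(stype, ttype, tclass, perms))
    return out


if __name__ == '__main__':
    for line in suggest(SAMPLE_AVC):
        print(line)
```

The raw allow rule is what audit2allow prints; in refpolicy the interface call goes into the domain's .te file instead, so that the permission set stays in step with the miscfiles module, and the real check is that the denial no longer appears at boot after the policy is rebuilt. Note that the denials in the commit message were logged with permissive=1, so the parser carries that flag through for anyone filtering enforcing-mode denials only.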