From: aranea@aixah.de (Luis Ressel)
Date: Tue, 12 Sep 2017 00:02:37 +0200
Subject: [refpolicy] [PATCH 1/3] logging: Various audit tools (auditctl,
	ausearch, etc) map their config and logs
Message-ID: <20170911220239.1953-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Since there are few reasons to grant read access to audit logs other
than for using ausearch, I've added the map permission directly to the
relevant read interfaces.

I've checked some parts of the code; most of the mmaps happen inside
fdopen(fd, "rm") calls, which can fall back to read(). Hence, we may be
able to get away with dontaudits, too.
---
 policy/modules/system/logging.if | 6 ++++++
 policy/modules/system/logging.te | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 8633dfc4..44017b51 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -141,6 +141,7 @@ interface(`logging_read_audit_log',`
 
 	files_search_var($1)
 	read_files_pattern($1, auditd_log_t, auditd_log_t)
+	allow $1 auditd_log_t:file map;
 	allow $1 auditd_log_t:dir list_dir_perms;
 ')
 
@@ -338,6 +339,7 @@ interface(`logging_manage_audit_config',`
 
 	files_search_etc($1)
 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+	allow $1 auditd_etc_t:file map;
 ')
 
 ########################################
@@ -359,6 +361,7 @@ interface(`logging_manage_audit_log',`
 	files_search_var($1)
 	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
 	manage_files_pattern($1, auditd_log_t, auditd_log_t)
+	allow $1 auditd_log_t:file map;
 ')
 
 ########################################
@@ -669,6 +672,7 @@ interface(`logging_read_audit_config',`
 
 	files_search_etc($1)
 	read_files_pattern($1, auditd_etc_t, auditd_etc_t)
+	allow $1 auditd_etc_t:file map;
 	allow $1 auditd_etc_t:dir list_dir_perms;
 ')
 
@@ -1196,9 +1200,11 @@ interface(`logging_admin_audit',`
 
 	manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+	allow $1 auditd_etc_t:file map;
 
 	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
 	manage_files_pattern($1, auditd_log_t, auditd_log_t)
+	allow $1 auditd_log_t:file map;
 
 	manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
 	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 5eeaece1..47280f44 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -104,6 +104,7 @@ allow auditctl_t self:process getcap;
 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+allow auditctl_t auditd_etc_t:file map;
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
 
 # Needed for adding watches
@@ -151,7 +152,7 @@ allow auditd_t self:fifo_file rw_fifo_file_perms;
 allow auditd_t self:tcp_socket create_stream_socket_perms;
 
 allow auditd_t auditd_etc_t:dir list_dir_perms;
-allow auditd_t auditd_etc_t:file read_file_perms;
+allow auditd_t auditd_etc_t:file { read_file_perms map };
 
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t auditd_log_t:dir setattr;
-- 
2.14.1