From: aranea@aixah.de (Luis Ressel)
Date: Tue, 12 Sep 2017 00:02:37 +0200
Subject: [refpolicy] [PATCH 1/3] logging: Various audit tools (auditctl, ausearch, etc) map their config and logs
Message-ID: <20170911220239.1953-1-aranea@aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Since there are few reasons to grant read access to audit logs other than for using ausearch, I've added the map permission directly to the relevant read interfaces. I've checked some parts of the code; most of the mmaps happen inside fdopen(fd, "rm") calls, which can fall back to read(). Hence, we may be able to get away with dontaudits, too.
---
policy/modules/system/logging.if | 6 ++++++
policy/modules/system/logging.te | 3 ++-
2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 8633dfc4..44017b51 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -141,6 +141,7 @@ interface(`logging_read_audit_log',`
 files_search_var($1)
 read_files_pattern($1, auditd_log_t, auditd_log_t)
+ allow $1 auditd_log_t:file map;
 allow $1 auditd_log_t:dir list_dir_perms;
 ')
@@ -338,6 +339,7 @@ interface(`logging_manage_audit_config',`
 files_search_etc($1)
 manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+ allow $1 auditd_etc_t:file map;
 ')
 ########################################
@@ -359,6 +361,7 @@ interface(`logging_manage_audit_log',`
 files_search_var($1)
 manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
 manage_files_pattern($1, auditd_log_t, auditd_log_t)
+ allow $1 auditd_log_t:file map;
 ')
 ########################################
@@ -669,6 +672,7 @@ interface(`logging_read_audit_config',`
 files_search_etc($1)
 read_files_pattern($1, auditd_etc_t, auditd_etc_t)
+ allow $1 auditd_etc_t:file map;
 allow $1 auditd_etc_t:dir list_dir_perms;
 ')
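Review bot: The `map` permission added to logging_read_audit_log in the -141 hunk is granted to every caller of the interface, not only to the ausearch-style tool domains the subject line has in mind, and the same widening occurs in logging_manage_audit_config, logging_manage_audit_log, logging_read_audit_config and logging_admin_audit (hunks at -338, -359, -669 and -1196); each interface body begins before its hunk. The description itself states that the mmap inside fdopen(fd, "rm") falls back to read() when the mapping is refused, so for the shared read interfaces the least-privilege form consistent with that analysis is `dontaudit $1 auditd_log_t:file map;` (and the auditd_etc_t counterpart), with an explicit allow reserved for the specific audit-tool domains in logging.te. If the allow is kept in the interfaces, the new line deserves a why-comment in the file's style, e.g. `# ausearch mmaps the log (fdopen "rm")`, since nothing in the interface text says why a read interface carries map. Whether the fallback holds for every tool that calls these interfaces is only partly checked according to the description, so that is worth confirming before choosing between allow and dontaudit.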
@@ -1196,9 +1200,11 @@ interface(`logging_admin_audit',`
 manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
 manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+ allow $1 auditd_etc_t:file map;
 manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
 manage_files_pattern($1, auditd_log_t, auditd_log_t)
+ allow $1 auditd_log_t:file map;
 manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
 manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 5eeaece1..47280f44 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -104,6 +104,7 @@ allow auditctl_t self:process getcap;
 allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+allow auditctl_t auditd_etc_t:file map;
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
 # Needed for adding watches
@@ -151,7 +152,7 @@ allow auditd_t self:fifo_file rw_fifo_file_perms;
 allow auditd_t self:tcp_socket create_stream_socket_perms;
 allow auditd_t auditd_etc_t:dir list_dir_perms;
-allow auditd_t auditd_etc_t:file read_file_perms;
+allow auditd_t auditd_etc_t:file { read_file_perms map };
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t auditd_log_t:dir setattr;
-- 
2.14.1
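Review bot: The new `allow auditctl_t auditd_etc_t:file map;` in the -104 hunk of logging.te and the widened `{ read_file_perms map }` for auditd_t in the -151 hunk carry no comment, while the neighbouring rule in the same file is explained (`# Needed for adding watches`); a one-line why-comment such as `# config is mmapped via fdopen(fd, "rm")` would spare the next reader from re-deriving the reason from the commit message. The two hunks also express the same grant in two styles, a separate allow after read_files_pattern() for auditctl_t versus folding map into the existing allow for auditd_t, which is harmless but worth making uniform. As far as the description tells, these are the domains actually known to map the config, so the explicit allows here remain the right place for the permission even if the interface grants in logging.if are later narrowed to dontaudit.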