From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 11 Sep 2017 20:16:12 -0400 Subject: [refpolicy] [PATCH 1/3] logging: Various audit tools (auditctl, ausearch, etc) map their config and logs In-Reply-To: <20170911220239.1953-1-aranea@aixah.de> References: <20170911220239.1953-1-aranea@aixah.de> Message-ID: <6868ac53-9202-714a-7655-334b4bb4af45@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote: > Since there are few reasons to grant read access to audit logs other > than for using ausearch, I've added the map permission directly to the > relevant read interfaces. > > I've checked some parts of the code; most of the mmaps happen inside > fdopen(fd, "rm") calls, which can fall back to read(). Hence, we may be > able to get away with dontaudits, too. > --- > policy/modules/system/logging.if | 6 ++++++ > policy/modules/system/logging.te | 3 ++- > 2 files changed, 8 insertions(+), 1 deletion(-) > > diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if > index 8633dfc4..44017b51 100644 > --- a/policy/modules/system/logging.if > +++ b/policy/modules/system/logging.if > @@ -141,6 +141,7 @@ interface(`logging_read_audit_log',` > > files_search_var($1) > read_files_pattern($1, auditd_log_t, auditd_log_t) > + allow $1 auditd_log_t:file map; > allow $1 auditd_log_t:dir list_dir_perms; > ') > > @@ -338,6 +339,7 @@ interface(`logging_manage_audit_config',` > > files_search_etc($1) > manage_files_pattern($1, auditd_etc_t, auditd_etc_t) > + allow $1 auditd_etc_t:file map; > ') > > ######################################## > @@ -359,6 +361,7 @@ interface(`logging_manage_audit_log',` > files_search_var($1) > manage_dirs_pattern($1, auditd_log_t, auditd_log_t) > manage_files_pattern($1, auditd_log_t, auditd_log_t) > + allow $1 auditd_log_t:file map; > ') > > ######################################## 
> @@ -669,6 +672,7 @@ interface(`logging_read_audit_config',` > > files_search_etc($1) > read_files_pattern($1, auditd_etc_t, auditd_etc_t) > + allow $1 auditd_etc_t:file map; > allow $1 auditd_etc_t:dir list_dir_perms; > ') > > @@ -1196,9 +1200,11 @@ interface(`logging_admin_audit',` > > manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t) > manage_files_pattern($1, auditd_etc_t, auditd_etc_t) > + allow $1 auditd_etc_t:file map; > > manage_dirs_pattern($1, auditd_log_t, auditd_log_t) > manage_files_pattern($1, auditd_log_t, auditd_log_t) > + allow $1 auditd_log_t:file map; > > manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t) > manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) > diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te > index 5eeaece1..47280f44 100644 > --- a/policy/modules/system/logging.te > +++ b/policy/modules/system/logging.te > @@ -104,6 +104,7 @@ allow auditctl_t self:process getcap; > allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; > > read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) > +allow auditctl_t auditd_etc_t:file map; > allow auditctl_t auditd_etc_t:dir list_dir_perms; > > # Needed for adding watches > @@ -151,7 +152,7 @@ allow auditd_t self:fifo_file rw_fifo_file_perms; > allow auditd_t self:tcp_socket create_stream_socket_perms; > > allow auditd_t auditd_etc_t:dir list_dir_perms; > -allow auditd_t auditd_etc_t:file read_file_perms; > +allow auditd_t auditd_etc_t:file { read_file_perms map }; > > manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) > allow auditd_t auditd_log_t:dir setattr; I'm waiting on this, pending more testing on dontauditing the map instead. -- Chris PeBenito
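Review bot: the new `allow $1 auditd_log_t:file map;` in the `logging_read_audit_log` hunk widens a generic read interface to every caller, while the cover text says the mappings come from `fdopen(fd, "rm")` and fall back to `read()` when mmap is refused. A `dontaudit $1 auditd_log_t:file map;` in that spot would silence the denial without granting anything new; if the allow stays, a one-line comment above it noting that ausearch maps the logs would record why the read interface carries `map`.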
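Review bot: in the `logging_manage_audit_config` hunk, `map` lands next to `manage_files_pattern`, which already grants `write`, so callers of this interface can now create writable shared mappings of auditd_etc_t, whereas the only mapping described in the cover text is the read-only one from `fdopen(fd, "rm")`. Either confirm that a manager of the config actually needs `map` or drop it from the manage interface and leave it to the read interface.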
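Review bot: the `logging_manage_audit_log` hunk has the same issue as the config one: `allow $1 auditd_log_t:file map;` combined with the `write` from `manage_files_pattern` permits writable shared mappings of the audit logs, which is a step beyond what `fdopen(fd, "rm")` in ausearch needs. If `map` is only wanted so that managers can also run ausearch, say so in a comment; otherwise restrict it to the read paths.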
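Review bot: the two logging.te hunks express the same change in two forms: auditctl_t gets a stand-alone `allow auditctl_t auditd_etc_t:file map;`, while auditd_t has it folded into the existing rule as `{ read_file_perms map }`. Use one form in both places; the stand-alone line is the easier one to flip to a `dontaudit` if the pending testing shows the `read()` fallback is sufficient.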