From: aranea@aixah.de (Luis Ressel)
Date: Tue, 12 Sep 2017 03:56:13 +0200
Subject: [refpolicy] [PATCH 1/3] logging: Various audit tools (auditctl, ausearch, etc) map their config and logs
In-Reply-To: <6868ac53-9202-714a-7655-334b4bb4af45@ieee.org>
References: <20170911220239.1953-1-aranea@aixah.de> <6868ac53-9202-714a-7655-334b4bb4af45@ieee.org>
Message-ID: <20170912035613.52ec46cb@vega.skynet.aixah.de>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Mon, 11 Sep 2017 20:16:12 -0400 Chris PeBenito via refpolicy wrote:
> On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote:
> > Since there are few reasons to grant read access to audit logs other
> > than for using ausearch, I've added the map permission directly to
> > the relevant read interfaces.
> >
> > I've checked some parts of the code; most of the mmaps happen inside
> > fdopen(fd, "rm") calls, which can fall back to read(). Hence, we
> > may be able to get away with dontaudits, too.
> > ---
> > policy/modules/system/logging.if | 6 ++++++
> > policy/modules/system/logging.te | 3 ++-
> > 2 files changed, 8 insertions(+), 1 deletion(-)
> >
> > diff --git a/policy/modules/system/logging.if
> > b/policy/modules/system/logging.if
index 8633dfc4..44017b51 100644
> > --- a/policy/modules/system/logging.if
> > +++ b/policy/modules/system/logging.if
> > @@ -141,6 +141,7 @@ interface(`logging_read_audit_log',`
> >
> > files_search_var($1)
> > read_files_pattern($1, auditd_log_t, auditd_log_t)
> > + allow $1 auditd_log_t:file map;
> > allow $1 auditd_log_t:dir list_dir_perms;
> > ')
> >
> > @@ -338,6 +339,7 @@ interface(`logging_manage_audit_config',`
> >
> > files_search_etc($1)
> > manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
> > + allow $1 auditd_etc_t:file map;
> > ')
> >
> > ########################################
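Review bot: The new `allow $1 auditd_log_t:file map;` in `logging_read_audit_log` (and the matching `auditd_etc_t` rule in `logging_manage_audit_config`) carries no comment, so a maintainer reading the interface cannot tell whether the grant is load-bearing or only serves the optional glibc fast path the description mentions, in which `fdopen(fd, "rm")` tries mmap() and falls back to read(). A one-line why-comment above each added rule, e.g. `# audit tools fdopen() their logs/config with "rm"; glibc may mmap() them`, records that rationale where the rule lives. Note that `map` is now handed to every caller of the read interface, not only ausearch, so the interface's documentation block (presumably a `## <summary>` above the hunk) should say that callers may also map the log. Both interfaces begin above their hunk.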
> > @@ -359,6 +361,7 @@ interface(`logging_manage_audit_log',`
> > files_search_var($1)
> > manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
> > manage_files_pattern($1, auditd_log_t, auditd_log_t)
> > + allow $1 auditd_log_t:file map;
> > ')
> >
> > ########################################
> > @@ -669,6 +672,7 @@ interface(`logging_read_audit_config',`
> >
> > files_search_etc($1)
> > read_files_pattern($1, auditd_etc_t, auditd_etc_t)
> > + allow $1 auditd_etc_t:file map;
> > allow $1 auditd_etc_t:dir list_dir_perms;
> > ')
> >
> > @@ -1196,9 +1200,11 @@ interface(`logging_admin_audit',`
> >
> > manage_dirs_pattern($1, auditd_etc_t, auditd_etc_t)
> > manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
> > + allow $1 auditd_etc_t:file map;
> >
> > manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
> > manage_files_pattern($1, auditd_log_t, auditd_log_t)
> > + allow $1 auditd_log_t:file map;
> >
> > manage_dirs_pattern($1, auditd_var_run_t,
> > auditd_var_run_t) manage_files_pattern($1, auditd_var_run_t,
> > auditd_var_run_t)
diff --git a/policy/modules/system/logging.te
> > b/policy/modules/system/logging.te
index 5eeaece1..47280f44 100644
> > --- a/policy/modules/system/logging.te
> > +++ b/policy/modules/system/logging.te
> > @@ -104,6 +104,7 @@ allow auditctl_t self:process getcap;
> > allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
> >
> > read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
> > +allow auditctl_t auditd_etc_t:file map;
> > allow auditctl_t auditd_etc_t:dir list_dir_perms;
> >
> > # Needed for adding watches
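Review bot: In `logging_manage_audit_log` and `logging_admin_audit` the added `allow $1 auditd_log_t:file map;` and `allow $1 auditd_etc_t:file map;` sit next to `manage_files_pattern`, which already carries write, and write plus `map` is what a writable MAP_SHARED mapping needs, so callers of these interfaces can now alter the audit log and rules through the page cache rather than via write() calls. The description only identifies a read-only mapping path (`fdopen(fd, "rm")`), so either leave `map` out of the manage/admin interfaces until a mapping consumer is named, or justify it in place with `# audit tools may mmap() the log/config via fdopen(fd, "rm")`; the `auditctl_t` rule in logging.te rests on the same rationale and would take the same comment. As quoted here the `auditd_var_run_t` lines of `logging_admin_audit` and the `diff --git` header for logging.te are wrapped and joined by the mail client, so the patch should be applied from the original message rather than this copy. Every interface in these hunks begins above its hunk, and `logging_admin_audit` continues past it.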
> > @@ -151,7 +152,7 @@ allow auditd_t self:fifo_file
> > rw_fifo_file_perms; allow auditd_t self:tcp_socket
> > create_stream_socket_perms;
> > allow auditd_t auditd_etc_t:dir list_dir_perms;
> > -allow auditd_t auditd_etc_t:file read_file_perms;
> > +allow auditd_t auditd_etc_t:file { read_file_perms map };
> >
> > manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> > allow auditd_t auditd_log_t:dir setattr;
>
> I'm waiting on this, pending more testing on dontauditing the map
> instead.
>
I've dug through the code a bit longer, and haven't found anything other than fdopen() calls. I'll submit a patch with dontaudits.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170912/da1ec117/attachment.bin
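Review bot: This hunk folds the new permission into the existing rule as `allow auditd_t auditd_etc_t:file { read_file_perms map };`, while every hunk in logging.if and the `auditctl_t` hunk add it as a separate `allow ... :file map;` line; one form should be used throughout so the `map` grants can be found, and later adjusted, together. A why-comment would help here as well, e.g. `# auditd may mmap() its config (glibc fdopen "m" mode)`, since the description ties the need for `map` to `fdopen(fd, "rm")` and this rule presumably covers the same path. As quoted, the hunk header's trailing context and the first context line (`rw_fifo_file_perms; allow auditd_t self:tcp_socket` / `create_stream_socket_perms;`) are wrapped across three lines, so this copy of the hunk likely will not apply as-is.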