From: dsugar@tresys.com (David Sugar)
Date: Thu, 21 Sep 2017 05:02:15 +0000
Subject: [refpolicy] [PATCH 1/1] label /etc/mcelog/mcelog.setup correctly
	(for RHEL)
Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B7BE53@Exchange10.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

I am seeing the following denials when mcelog.service is attempting to execute /etc/mcelog/mcelog.setup (on RHEL 7).  It should be labeled bin_t.

Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc:  denied  { execute } for  pid=626 comm="(og.setup)" name="mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc:  denied  { read open } for  pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc:  denied  { execute_no_trans } for  pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.859:28): arch=c000003e syscall=59 success=yes exit=0 a0=55a0ddd00260 a1=55a0ddcd1be0 a2=55a0ddd02e90 a3=3 items=3 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Sep 21 02:45:50 localhost audit: type=EXECVE msg=audit(1505961383.859:28): argc=2 a0="/bin/sh" a1="/etc/mcelog/mcelog.setup"
Sep 21 02:45:50 localhost audit: type=PATH msg=audit(1505961383.859:28): item=0 name="/etc/mcelog/mcelog.setup" inode=718731 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mcelog_etc_t:s0 objtype=NORMAL
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.862:29): avc:  denied  { ioctl } for  pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.862:29): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7ffec57f28f0 a3=7ffec57f2690 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.867:30): avc:  denied  { getattr } for  pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.867:30): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7ffec57f2890 a2=7ffec57f2890 a3=7ffec57f25a0 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/kernel/corecommands.fc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index 1dff0199..cd2f8792 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -58,6 +58,7 @@ ifdef(`distro_redhat',`
 /etc/mcelog/.*\.local		--	gen_context(system_u:object_r:bin_t,s0)
 
 ifdef(`distro_redhat',`
+/etc/mcelog/mcelog.setup	--	gen_context(system_u:object_r:bin_t,s0)
 /etc/mcelog/triggers(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 ')
 
-- 
2.13.5