From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 23 Sep 2017 14:14:49 -0400
Subject: [refpolicy] [PATCH 1/1] label /etc/mcelog/mcelog.setup correctly (for RHEL)
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B7BE53@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B7BE53@Exchange10.columbia.tresys.com>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/21/2017 01:02 AM, David Sugar via refpolicy wrote:
> I am seeing the following denials when mcelog.service is attempting to execute /etc/mcelog/mcelog.setup (on RHEL 7). It should be labeled bin_t.
>
> Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { execute } for pid=626 comm="(og.setup)" name="mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
> Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { read open } for pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
> Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.859:28): avc: denied { execute_no_trans } for pid=626 comm="(og.setup)" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
> Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.859:28): arch=c000003e syscall=59 success=yes exit=0 a0=55a0ddd00260 a1=55a0ddcd1be0 a2=55a0ddd02e90 a3=3 items=3 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
> Sep 21 02:45:50 localhost audit: type=EXECVE msg=audit(1505961383.859:28): argc=2 a0="/bin/sh" a1="/etc/mcelog/mcelog.setup"
> Sep 21 02:45:50 localhost audit: type=PATH msg=audit(1505961383.859:28): item=0 name="/etc/mcelog/mcelog.setup" inode=718731 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:mcelog_etc_t:s0 objtype=NORMAL
> Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.862:29): avc: denied { ioctl } for pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
> Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.862:29): arch=c000003e syscall=16 success=no exit=-25 a0=3 a1=5401 a2=7ffec57f28f0 a3=7ffec57f2690 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
> Sep 21 02:45:50 localhost audit: type=AVC msg=audit(1505961383.867:30): avc: denied { getattr } for pid=626 comm="mcelog.setup" path="/etc/mcelog/mcelog.setup" dev="dm-0" ino=718731 scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:mcelog_etc_t:s0 tclass=file
> Sep 21 02:45:50 localhost audit: type=SYSCALL msg=audit(1505961383.867:30): arch=c000003e syscall=5 success=yes exit=0 a0=ff a1=7ffec57f2890 a2=7ffec57f2890 a3=7ffec57f25a0 items=0 ppid=1 pid=626 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mcelog.setup" exe="/usr/bin/bash" subj=system_u:system_r:init_t:s0 key=(null)
>
> Signed-off-by: Dave Sugar
> ---
> policy/modules/kernel/corecommands.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
> index 1dff0199..cd2f8792 100644
> --- a/policy/modules/kernel/corecommands.fc
> +++ b/policy/modules/kernel/corecommands.fc
> @@ -58,6 +58,7 @@ ifdef(`distro_redhat',` > /etc/mcelog/.*\.local -- gen_context(system_u:object_r:bin_t,s0) > > ifdef(`distro_redhat',` > +/etc/mcelog/mcelog.setup -- gen_context(system_u:object_r:bin_t,s0) > /etc/mcelog/triggers(/.*)? gen_context(system_u:object_r:bin_t,s0) > ') Merged. -- Chris PeBenito
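Review bot: the literal dot in the added pattern `/etc/mcelog/mcelog.setup` is unescaped, so as a regular expression it matches any single character in that position; the neighbouring entry `/etc/mcelog/.*\.local` escapes its dot, so `/etc/mcelog/mcelog\.setup -- gen_context(system_u:object_r:bin_t,s0)` would keep the file's convention and avoid over-matching. The `--` (regular file) specifier agrees with the quoted PATH record (mode=0100755), and placing the entry inside the existing ifdef(`distro_redhat',` block matches the RHEL-only scope stated in the subject. Note for deployment that existing systems need /etc/mcelog relabelled (restorecon) before the new context applies, and that, like the adjacent triggers entry, the script still runs in init_t with no domain transition, which is what the execute_no_trans denial above reflects.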