* [PATCH 0/3] Grant permissions to read fips_enabled
@ 2018-12-08 18:45 David Sugar
2018-12-08 18:45 ` [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled David Sugar
From: David Sugar @ 2018-12-08 18:45 UTC (permalink / raw)
To: selinux-refpolicy
Resolving a few issues with processes trying to read
/proc/sys/crypto/fips_enabled and being denied by SELinux policy.
Dave Sugar (3):
Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
Allow kmod to read /proc/sys/crypto/fips_enabled
Allow dbus to access /proc/sys/crypto/fips_enabled
policy/modules/services/dbus.te | 2 ++
policy/modules/services/xserver.te | 1 +
policy/modules/system/modutils.te | 1 +
3 files changed, 4 insertions(+)
--
2.19.2
* [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
2018-12-08 18:45 [PATCH 0/3] Grant permissions to read fips_enabled David Sugar
@ 2018-12-08 18:45 ` David Sugar
2018-12-11 22:54 ` Chris PeBenito
2018-12-08 18:45 ` [PATCH 2/3] Allow kmod " David Sugar
2018-12-08 18:45 ` [PATCH 3/3] Allow dbus to access /proc/sys/crypto/fips_enabled David Sugar
From: David Sugar @ 2018-12-08 18:45 UTC (permalink / raw)
To: selinux-refpolicy
type=AVC msg=audit(1543761322.221:211): avc: denied { search } for
pid=16826 comm="X" name="crypto" dev="proc" ino=10257
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { read } for
pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { open } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/services/xserver.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 7d4c0c1b..425f7bd7 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -709,6 +709,7 @@ allow xserver_t xauth_home_t:file read_file_perms;
manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
logging_log_filetrans(xserver_t, xserver_log_t, file)
+kernel_read_crypto_sysctls(xserver_t)
kernel_read_system_state(xserver_t)
kernel_read_device_sysctls(xserver_t)
kernel_read_modprobe_sysctls(xserver_t)
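Review bot: the commit message is four raw AVC records and nothing else; one sentence on which code path in X reads fips_enabled (comm="X" shows the process, not the library or startup step that consults FIPS state) would let the next person touching xserver.te judge whether the rule still belongs if that dependency changes. The interface choice itself matches the evidence: the four denials are search on the sysctl_crypto_t directory plus read, open and getattr on the file, all within a read-only pattern, and because every record carries permissive=1 the set was collected in a single pass rather than one denial per enforcing-mode retry, so it can be taken as complete for this path.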
--
2.19.2
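Added example, not code from the thread or from refpolicy: a small Python script that parses the AVC records quoted in patches 1/3 and 2/3 (re-joined onto single lines here as constructed sample input), aggregates the denied permissions per source type, target type and object class, renders the raw allow rules audit2allow would print, and checks that every aggregated permission set lies within search_dir_perms / read_file_perms, i.e. within what a read-only interface such as kernel_read_crypto_sysctls can grant. The two permission-set constants are my transcription of the refpolicy definitions in policy/support/obj_perm_sets.spt and are an assumption; the write denial at the end is constructed, not from the thread, to show the check rejecting a denial that a read interface must not be used to silence.

```python
import re
from collections import defaultdict

# Permission sets as defined in refpolicy's policy/support/obj_perm_sets.spt,
# transcribed from memory so the script runs without a refpolicy checkout
# (assumption, not code from the thread).
READ_FILE_PERMS = {"getattr", "open", "read", "lock", "ioctl"}
SEARCH_DIR_PERMS = {"getattr", "search"}

# The AVC records quoted in patches 1/3 and 2/3, each joined back onto one
# line; constructed sample input, not a live audit log.
SAMPLE_AVCS = """\
type=AVC msg=audit(1543761322.221:211): avc: denied { search } for pid=16826 comm="X" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { read } for pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { open } for pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { search } for pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { read } for pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { open } for pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
"""

# Constructed write denial (not from the thread): something a read-only
# interface must not be used to paper over.
CONSTRUCTED_WRITE_AVC = (
    'type=AVC msg=audit(1543769402.900:170): avc: denied { write } for '
    'pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285 '
    'scontext=system_u:system_r:kmod_t:s0 '
    'tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1'
)

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def context_type(ctx):
    """Return the type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Parse one AVC record; return None for lines that are not denials."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "permissive": m.group("permissive") == "1",
    }


def aggregate(lines):
    """Union the denied permissions per (source type, target type, class)."""
    rules = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec:
            rules[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(rules)


def allow_rules(rules):
    """Render the aggregate as raw allow rules, the way audit2allow would."""
    return [
        f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
        for (s, t, c), p in sorted(rules.items())
    ]


def uncovered_by_read_pattern(rules):
    """Permissions per rule that a read-only pattern (search on dirs,
    read_file_perms on files) would NOT grant; empty dict means a
    read interface is sufficient."""
    limits = {"dir": SEARCH_DIR_PERMS, "file": READ_FILE_PERMS}
    leftover = {}
    for key, perms in rules.items():
        extra = perms - limits.get(key[2], set())
        if extra:
            leftover[key] = extra
    return leftover


def all_permissive(lines):
    """True if every denial was logged with permissive=1, i.e. the
    aggregate was collected in one pass and is complete for that path."""
    recs = [r for r in (parse_avc(l) for l in lines) if r]
    return all(r["permissive"] for r in recs)


if __name__ == "__main__":
    rules = aggregate(SAMPLE_AVCS.splitlines())
    print("\n".join(allow_rules(rules)))
    print("read-only interface sufficient:", not uncovered_by_read_pattern(rules))
    print("constructed write denial uncovered:",
          uncovered_by_read_pattern(aggregate([CONSTRUCTED_WRITE_AVC])))
```

The permissive=1 field matters for trusting the result: in enforcing mode only the first denial on a path (search on the directory) is logged, and read, open and getattr surface one at a time as each rule is added, so run all_permissive() before treating the aggregate as the complete permission set for that code path.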
* [PATCH 2/3] Allow kmod to read /proc/sys/crypto/fips_enabled
2018-12-08 18:45 [PATCH 0/3] Grant permissions to read fips_enabled David Sugar
2018-12-08 18:45 ` [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled David Sugar
@ 2018-12-08 18:45 ` David Sugar
2018-12-11 22:54 ` Chris PeBenito
2018-12-08 18:45 ` [PATCH 3/3] Allow dbus to access /proc/sys/crypto/fips_enabled David Sugar
From: David Sugar @ 2018-12-08 18:45 UTC (permalink / raw)
To: selinux-refpolicy
type=AVC msg=audit(1543769402.716:165): avc: denied { search } for
pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { read } for
pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { open } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/system/modutils.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index a8125c17..73471401 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -58,6 +58,7 @@ can_exec(kmod_t, kmod_exec_t)
kernel_load_module(kmod_t)
kernel_request_load_module(kmod_t)
+kernel_read_crypto_sysctls(kmod_t)
kernel_read_system_state(kmod_t)
kernel_read_network_state(kmod_t)
kernel_write_proc_files(kmod_t)
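Review bot: the denials come from comm="sysctl" running in kmod_t, not from kmod itself, and the commit message does not say what invokes sysctl(8) in that domain; name it, or the rule will look unexplained sitting between kernel_request_load_module and kernel_read_system_state. Also confirm that invocation reads only fips_enabled: a sysctl walk of /proc/sys would trip denials on the other sysctl types as well, and this read-only rule on sysctl_crypto_t would not cover those, while kmod_t already carries kernel_write_proc_files a few lines down, so the domain's proc access deserves a second look rather than rule-by-rule growth.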
--
2.19.2
* [PATCH 3/3] Allow dbus to access /proc/sys/crypto/fips_enabled
2018-12-08 18:45 [PATCH 0/3] Grant permissions to read fips_enabled David Sugar
2018-12-08 18:45 ` [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled David Sugar
2018-12-08 18:45 ` [PATCH 2/3] Allow kmod " David Sugar
@ 2018-12-08 18:45 ` David Sugar
2018-12-11 22:54 ` Chris PeBenito
From: David Sugar @ 2018-12-08 18:45 UTC (permalink / raw)
To: selinux-refpolicy
type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/services/dbus.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 4b1e25c6..ea0af022 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -89,6 +89,7 @@ files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
can_exec(system_dbusd_t, dbusd_exec_t)
+kernel_read_crypto_sysctls(system_dbusd_t)
kernel_read_system_state(system_dbusd_t)
kernel_read_kernel_sysctls(system_dbusd_t)
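Review bot: the subject says "access" where the rule grants read only; make it "read" to match patches 1/3 and 2/3, since the AVCs (search on the directory, read/open/getattr on the file) ask for nothing more. Worth stating in the message that kernel_read_crypto_sysctls covers the whole sysctl_crypto_t type rather than the single fips_enabled file; that is the right granularity for a read interface, but a reader of the log alone would expect a narrower grant.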
@@ -227,6 +228,7 @@ manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_ru
manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
+kernel_read_crypto_sysctls(session_bus_type)
kernel_read_system_state(session_bus_type)
kernel_read_kernel_sysctls(session_bus_type)
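Review bot: the only observed denial is for sysadm_dbusd_t, but the rule lands on the session_bus_type attribute, so every domain carrying that attribute gets the read, not just the one in the AVC. That is consistent with the existing kernel_read_kernel_sysctls(session_bus_type) on the next line and avoids a per-user-domain repeat, but the commit message should say the widening is deliberate so it is not mistaken for an over-grant when the rule is audited later.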
--
2.19.2
* Re: [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
2018-12-08 18:45 ` [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled David Sugar
@ 2018-12-11 22:54 ` Chris PeBenito
From: Chris PeBenito @ 2018-12-11 22:54 UTC (permalink / raw)
To: David Sugar, selinux-refpolicy
On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543761322.221:211): avc: denied { search } for
> pid=16826 comm="X" name="crypto" dev="proc" ino=10257
> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543761322.221:211): avc: denied { read } for
> pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543761322.221:211): avc: denied { open } for
> pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for
> pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/services/xserver.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 7d4c0c1b..425f7bd7 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -709,6 +709,7 @@ allow xserver_t xauth_home_t:file read_file_perms;
> manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
> logging_log_filetrans(xserver_t, xserver_log_t, file)
>
> +kernel_read_crypto_sysctls(xserver_t)
> kernel_read_system_state(xserver_t)
> kernel_read_device_sysctls(xserver_t)
> kernel_read_modprobe_sysctls(xserver_t)
Merged.
--
Chris PeBenito
* Re: [PATCH 2/3] Allow kmod to read /proc/sys/crypto/fips_enabled
2018-12-08 18:45 ` [PATCH 2/3] Allow kmod " David Sugar
@ 2018-12-11 22:54 ` Chris PeBenito
From: Chris PeBenito @ 2018-12-11 22:54 UTC (permalink / raw)
To: David Sugar, selinux-refpolicy
On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543769402.716:165): avc: denied { search } for
> pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
> scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543769402.716:165): avc: denied { read } for
> pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
> scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769402.716:165): avc: denied { open } for
> pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10285 scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for
> pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10285 scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/system/modutils.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index a8125c17..73471401 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -58,6 +58,7 @@ can_exec(kmod_t, kmod_exec_t)
>
> kernel_load_module(kmod_t)
> kernel_request_load_module(kmod_t)
> +kernel_read_crypto_sysctls(kmod_t)
> kernel_read_system_state(kmod_t)
> kernel_read_network_state(kmod_t)
> kernel_write_proc_files(kmod_t)
Merged.
--
Chris PeBenito
* Re: [PATCH 3/3] Allow dbus to access /proc/sys/crypto/fips_enabled
2018-12-08 18:45 ` [PATCH 3/3] Allow dbus to access /proc/sys/crypto/fips_enabled David Sugar
@ 2018-12-11 22:54 ` Chris PeBenito
From: Chris PeBenito @ 2018-12-11 22:54 UTC (permalink / raw)
To: David Sugar, selinux-refpolicy
On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
> pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
> pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
> pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
> pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
> pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
> pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
> pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=9289
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for
> pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=9289
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/services/dbus.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 4b1e25c6..ea0af022 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -89,6 +89,7 @@ files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
>
> can_exec(system_dbusd_t, dbusd_exec_t)
>
> +kernel_read_crypto_sysctls(system_dbusd_t)
> kernel_read_system_state(system_dbusd_t)
> kernel_read_kernel_sysctls(system_dbusd_t)
>
> @@ -227,6 +228,7 @@ manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_ru
> manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
> userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
>
> +kernel_read_crypto_sysctls(session_bus_type)
> kernel_read_system_state(session_bus_type)
> kernel_read_kernel_sysctls(session_bus_type)
Merged.
--
Chris PeBenito