* [refpolicy] [PATCH 0/13] Numerous dontaudits
@ 2012-03-22 20:02 Sven Vermeulen
  2012-03-22 20:06 ` [refpolicy] [PATCH 1/13] Adding dontaudit interfaces for files module Sven Vermeulen
                   ` (12 more replies)
  0 siblings, 13 replies; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:02 UTC (permalink / raw)
  To: refpolicy

This set includes quite a few dontaudit updates on the policy that we have had
running in Gentoo since the 20110726 policies, without feedback from users that
they are incorrect or that I'm missing something.

Now, handling dontaudits isn't easy; it's often much easier to find out why
you need to allow something (as the application otherwise breaks), whereas
finding denials that do not seem to have any influence on the system is a
lot harder to pin down.

But still, I guess it's okay to bring out these dontaudits in refpolicy;
either others can find flaws or confirm that they too dontaudit these
settings.

^ permalink raw reply	[flat|nested] 29+ messages in thread

* [refpolicy] [PATCH 1/13] Adding dontaudit interfaces for files module
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
@ 2012-03-22 20:06 ` Sven Vermeulen
  2012-04-20 20:10   ` Christopher J. PeBenito
  2012-03-22 20:07 ` [refpolicy] [PATCH 2/13] Adding dontaudit on mozilla Sven Vermeulen
                   ` (11 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:06 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/files.if |   36 ++++++++++++++++++++++++++++++++++++
 1 files changed, 36 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
index deb24b4..7df46ac 100644
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@@ -1482,6 +1482,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
 
 ########################################
 ## <summary>
+##     Do not audit write attempts on mount points.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to ignore write attempts from
+##     </summary>
+## </param>
+#
+interface(`files_dontaudit_write_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+       
+	dontaudit $1 mountpoint:dir write;
+')     
+
+########################################
+## <summary>
+##     Do not audit setattr attempts on mount points.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain to ignore setattr attempts from
+##     </summary>
+## </param>
+#
+interface(`files_dontaudit_setattr_all_mountpoints',`
+	gen_require(`
+		attribute mountpoint;
+	')
+
+	dontaudit $1 mountpoint:dir setattr;
+')
+
+########################################
+## <summary>
 ##	List the contents of the root directory.
 ## </summary>
 ## <param name="domain">
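Review bot: trailing whitespace on the blank line after the gen_require block and on the closing `')` of files_dontaudit_write_all_mountpoints, and the new summary and param lines are indented with spaces where the neighbouring interface (`##	List the contents of the root directory.`) uses a tab; clean these up before merging. The summaries also say "write attempts on mount points" while the rules are `dontaudit $1 mountpoint:dir write;` and `dontaudit $1 mountpoint:dir setattr;`, i.e. only the mount point directories, so say "mount point directories"; and since setattr sorts before write, place files_dontaudit_setattr_all_mountpoints ahead of the write interface.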
-- 
1.7.3.4

* [refpolicy] [PATCH 2/13] Adding dontaudit on mozilla
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
  2012-03-22 20:06 ` [refpolicy] [PATCH 1/13] Adding dontaudit interfaces for files module Sven Vermeulen
@ 2012-03-22 20:07 ` Sven Vermeulen
  2012-04-20 20:12   ` Christopher J. PeBenito
  2012-03-22 20:08 ` [refpolicy] [PATCH 3/13] Adding dontaudit on mta Sven Vermeulen
                   ` (10 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:07 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mozilla.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/mozilla.te b/mozilla.te
index d3510c2..7bb89fe 100644
--- a/mozilla.te
+++ b/mozilla.te
@@ -148,6 +148,7 @@ files_read_var_files(mozilla_t)
 files_read_var_symlinks(mozilla_t)
 files_dontaudit_getattr_boot_dirs(mozilla_t)
 
+fs_dontaudit_getattr_all_fs(mozilla_t)
 fs_search_auto_mountpoints(mozilla_t)
 fs_list_inotifyfs(mozilla_t)
 fs_rw_tmpfs_files(mozilla_t)
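Review bot: the diff header is `a/mozilla.te` rather than the full `policy/modules/...` path used by the other patches in this series, so this will not apply at the refpolicy tree root with git am without path fixups; regenerate it from the tree root. On the rule itself, fs_dontaudit_getattr_all_fs(mozilla_t) silences getattr denials against every filesystem type; a one-line comment naming what the browser is probing would let a later reader judge whether a narrower fs_ interface would do.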
-- 
1.7.3.4

* [refpolicy] [PATCH 3/13] Adding dontaudit on mta
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
  2012-03-22 20:06 ` [refpolicy] [PATCH 1/13] Adding dontaudit interfaces for files module Sven Vermeulen
  2012-03-22 20:07 ` [refpolicy] [PATCH 2/13] Adding dontaudit on mozilla Sven Vermeulen
@ 2012-03-22 20:08 ` Sven Vermeulen
  2012-04-20 20:10   ` Christopher J. PeBenito
  2012-03-22 20:08 ` [refpolicy] [PATCH 4/13] Adding dontaudits for portage domains Sven Vermeulen
                   ` (9 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:08 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 mta.if |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/mta.if b/mta.if
index 343cee3..509bcea 100644
--- a/mta.if
+++ b/mta.if
@@ -174,6 +174,8 @@ interface(`mta_role',`
 	allow mta_user_agent $2:fd use;
 	allow mta_user_agent $2:process sigchld;
 	allow mta_user_agent $2:fifo_file { read write };
+
+	dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
 ')
 
 ########################################
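Review bot: `dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;` uses $1 as the target, but in mta_role the surrounding rules (`allow mta_user_agent $2:fd use;` and the sigchld and fifo_file lines) use $2 for the user domain; $1 is the role parameter, and a role is not a valid type in a dontaudit rule, so this will fail to compile. It should be $2.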
-- 
1.7.3.4

* [refpolicy] [PATCH 4/13] Adding dontaudits for portage domains
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
                   ` (2 preceding siblings ...)
  2012-03-22 20:08 ` [refpolicy] [PATCH 3/13] Adding dontaudit on mta Sven Vermeulen
@ 2012-03-22 20:08 ` Sven Vermeulen
  2012-04-20 20:12   ` Christopher J. PeBenito
  2012-03-22 20:09 ` [refpolicy] [PATCH 5/6] Adding dontaudit for qemu Sven Vermeulen
                   ` (8 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:08 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 portage.te |    6 ++++++
 1 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/portage.te b/portage.te
index 4735035..88eac51 100644
--- a/portage.te
+++ b/portage.te
@@ -146,6 +146,8 @@ optional_policy(`
 allow portage_t self:process { setfscreate setexec };
 # - kill for mysql merging, at least
 allow portage_t self:capability { sys_nice kill setfcap };
+dontaudit portage_t self:capability { dac_read_search };
+dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
 
 # user post-sync scripts
 can_exec(portage_t, portage_conf_t)
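Review bot: `dontaudit portage_t self:capability { dac_read_search };` wraps a single permission in braces; refpolicy style is the bare permission, as the newrole patch later in this series writes it. Since portage_t runs as root and is already granted setfcap, a comment saying which operation trips dac_read_search would tell reviewers this is noise and not a needed permission that is being hidden.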
@@ -161,6 +163,7 @@ rsync_entry_domtrans(portage_t, portage_fetch_t)
 allow portage_fetch_t portage_t:fd use;
 allow portage_fetch_t portage_t:fifo_file rw_file_perms;
 allow portage_fetch_t portage_t:process sigchld;
+dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
 
 # transition to sandbox for compiling
 domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
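Review bot: `dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };` sits in the block describing what portage_fetch_t inherits from portage_t (fd use, fifo_file rw, sigchld); the adjacent lines are self-explanatory, this one is not, so add a short comment on where the pty access comes from before it is merged.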
@@ -169,10 +172,12 @@ allow portage_sandbox_t portage_t:fd use;
 allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
 allow portage_sandbox_t portage_t:process sigchld;
 allow portage_sandbox_t self:process ptrace;
+dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
 
 # run scripts out of the build directory
 can_exec(portage_t, portage_tmp_t)
 
+kernel_dontaudit_request_load_module(portage_t)
 # merging baselayout will need this:
 kernel_write_proc_files(portage_t)
 
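Review bot: `kernel_dontaudit_request_load_module(portage_t)` is inserted directly above the `# merging baselayout will need this:` comment with no blank line, so the comment now reads as if it covers both this call and kernel_write_proc_files(portage_t); add a blank line after the new call. Also `dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;` repeats the portage_t rule from the first hunk; if both domains trip this for the same reason, one comment explaining it would serve both.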
@@ -288,6 +293,7 @@ files_search_var_lib(portage_fetch_t)
 files_dontaudit_search_pids(portage_fetch_t)
 
 logging_list_logs(portage_fetch_t)
+logging_dontaudit_search_logs(portage_fetch_t)
 
 term_search_ptys(portage_fetch_t)
 
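Review bot: `logging_dontaudit_search_logs(portage_fetch_t)` directly follows logging_list_logs(portage_fetch_t); if the list interface already grants list (and therefore search) on the log directory type, the dontaudit is redundant and would never fire, so check the two interface bodies in logging.if before keeping both.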
-- 
1.7.3.4

* [refpolicy] [PATCH 5/6] Adding dontaudit for qemu
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
                   ` (3 preceding siblings ...)
  2012-03-22 20:08 ` [refpolicy] [PATCH 4/13] Adding dontaudits for portage domains Sven Vermeulen
@ 2012-03-22 20:09 ` Sven Vermeulen
  2012-04-20 20:12   ` Christopher J. PeBenito
  2012-03-22 20:10 ` [refpolicy] [PATCH 6/13] Adding dontaudit interfaces in sysnet Sven Vermeulen
                   ` (7 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:09 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 qemu.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/qemu.te b/qemu.te
index 9cf9992..a75f91a 100644
--- a/qemu.te
+++ b/qemu.te
@@ -49,6 +49,7 @@ role system_r types qemu_t;
 #
 # qemu local policy
 #
+dontaudit qemu_t self:socket create;
 
 storage_raw_write_removable_device(qemu_t)
 storage_raw_read_removable_device(qemu_t)
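Review bot: `dontaudit qemu_t self:socket create;` targets the generic socket class, which the kernel falls back to for socket families without a dedicated class; the audit record (the family in the socket() arguments) would identify which one, and a proper object class is preferable to silencing it. At minimum, add a comment with the source of the denial and a blank line between the `# qemu local policy` header block and the rule, matching the rest of the file.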
-- 
1.7.3.4

* [refpolicy] [PATCH 6/13] Adding dontaudit interfaces in sysnet
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
                   ` (4 preceding siblings ...)
  2012-03-22 20:09 ` [refpolicy] [PATCH 5/6] Adding dontaudit for qemu Sven Vermeulen
@ 2012-03-22 20:10 ` Sven Vermeulen
  2012-04-20 20:11   ` Christopher J. PeBenito
  2012-03-22 20:10 ` [refpolicy] [PATCH 7/13] Adding dontaudits for xserver Sven Vermeulen
                   ` (6 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:10 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/sysnetwork.if |   19 +++++++++++++++++++
 1 files changed, 19 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
index 363e98d..58a7d89 100644
--- a/policy/modules/system/sysnetwork.if
+++ b/policy/modules/system/sysnetwork.if
@@ -66,6 +66,25 @@ interface(`sysnet_dontaudit_use_dhcpc_fds',`
 
 ########################################
 ## <summary>
+##	Do not audit attempts to read/write to the 
+##      dhcp unix stream socket descriptors.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',`
+	gen_require(`
+		type dhcpc_t;
+	')
+
+	dontaudit $1 dhcpc_t:unix_stream_socket { read write };
+')
+
+########################################
+## <summary>
 ##	Send a SIGCHLD signal to the dhcp client.
 ## </summary>
 ## <param name="domain">
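Review bot: trailing whitespace at the end of `##	Do not audit attempts to read/write to the ` and space indentation on the following `##      dhcp unix stream socket descriptors.` line, where the file uses tabs. The wording "socket descriptors" is also misleading: the rule is `dontaudit $1 dhcpc_t:unix_stream_socket { read write };`, i.e. the DHCP client's unix stream sockets, not its file descriptors (sysnet_dontaudit_use_dhcpc_fds above covers those); say "the DHCP client's unix stream sockets".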
-- 
1.7.3.4

* [refpolicy] [PATCH 7/13] Adding dontaudits for xserver
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
                   ` (5 preceding siblings ...)
  2012-03-22 20:10 ` [refpolicy] [PATCH 6/13] Adding dontaudit interfaces in sysnet Sven Vermeulen
@ 2012-03-22 20:10 ` Sven Vermeulen
  2012-04-20 20:11   ` Christopher J. PeBenito
  2012-03-22 20:11 ` [refpolicy] [PATCH 8/13] Do not audit usage of a leaked file descriptor Sven Vermeulen
                   ` (5 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:10 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/services/xserver.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index e92dddf..f5ffb79 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -370,6 +370,8 @@ manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
 manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
 logging_log_filetrans(xdm_t, xserver_log_t, file)
 
+domain_dontaudit_search_all_domains_state(xserver_t)
+
 kernel_read_system_state(xdm_t)
 kernel_read_kernel_sysctls(xdm_t)
 kernel_read_net_sysctls(xdm_t)
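Review bot: `domain_dontaudit_search_all_domains_state(xserver_t)` is placed among xdm_t rules (manage_files_pattern(xdm_t, ...), kernel_read_system_state(xdm_t)); either the argument should be xdm_t, or the line belongs in the xserver_t section of the file. A domain-wide dontaudit on searching every domain's process state is also broad; a comment on what triggers it would help.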
-- 
1.7.3.4

* [refpolicy] [PATCH 8/13] Do not audit usage of a leaked file descriptor
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
                   ` (6 preceding siblings ...)
  2012-03-22 20:10 ` [refpolicy] [PATCH 7/13] Adding dontaudits for xserver Sven Vermeulen
@ 2012-03-22 20:11 ` Sven Vermeulen
  2012-04-20 20:12   ` Christopher J. PeBenito
  2012-03-22 20:12 ` [refpolicy] [PATCH 9/13] Do not audit rw on dhcp client unix_stream_sockets Sven Vermeulen
                   ` (4 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:11 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 dbus.if |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/dbus.if b/dbus.if
index 1a1becd..fb4bf82 100644
--- a/dbus.if
+++ b/dbus.if
@@ -218,6 +218,8 @@ interface(`dbus_session_bus_client',`
 
 	# For connecting to the bus
 	allow $1 session_bus_type:unix_stream_socket connectto;
+
+	dontaudit $1 session_bus_type:fd use;
 ')
 
 ########################################
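Review bot: the `# For connecting to the bus` comment above does not describe `dontaudit $1 session_bus_type:fd use;`; add a comment noting that this silences use of file descriptors leaked by the session bus, since the subject line says so but the code does not. The diff path `a/dbus.if` also lacks the policy/modules prefix used elsewhere in the series, so regenerate it from the tree root to apply cleanly with the rest.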
-- 
1.7.3.4

* [refpolicy] [PATCH 9/13] Do not audit rw on dhcp client unix_stream_sockets
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
                   ` (7 preceding siblings ...)
  2012-03-22 20:11 ` [refpolicy] [PATCH 8/13] Do not audit usage of a leaked file descriptor Sven Vermeulen
@ 2012-03-22 20:12 ` Sven Vermeulen
  2012-04-20 20:11   ` Christopher J. PeBenito
  2012-03-22 20:12 ` [refpolicy] [PATCH 10/13] Adding dontaudits for mount Sven Vermeulen
                   ` (3 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:12 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/hostname.te |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index c310775..5307361 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)
 
 miscfiles_read_localization(hostname_t)
 
+sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
 sysnet_read_config(hostname_t)
 sysnet_dns_name_resolve(hostname_t)
 
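Review bot: `sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)` is the interface introduced in patch 6/13 of this series, so this patch only builds if 6/13 is applied first; state the dependency in the commit message or fold the two, so that a partial merge does not break the hostname module.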
-- 
1.7.3.4

* [refpolicy] [PATCH 10/13] Adding dontaudits for mount
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
                   ` (8 preceding siblings ...)
  2012-03-22 20:12 ` [refpolicy] [PATCH 9/13] Do not audit rw on dhcp client unix_stream_sockets Sven Vermeulen
@ 2012-03-22 20:12 ` Sven Vermeulen
  2012-04-20 20:12   ` Christopher J. PeBenito
  2012-03-22 20:13 ` [refpolicy] [PATCH 11/13] Adding dontaudits for selinuxutil Sven Vermeulen
                   ` (2 subsequent siblings)
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:12 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/mount.te |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index fba350b..57c2a00 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -89,7 +89,8 @@ files_read_isid_type_files(mount_t)
 # For reading cert files
 files_read_usr_files(mount_t)
 files_list_mnt(mount_t)
-files_dontaudit_write_root_dirs(mount_t)
+files_dontaudit_write_all_mountpoints(mount_t)
+files_dontaudit_setattr_all_mountpoints(mount_t)
 
 fs_getattr_xattr_fs(mount_t)
 fs_getattr_cifs(mount_t)
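Review bot: `-files_dontaudit_write_root_dirs(mount_t)` is dropped in favour of files_dontaudit_write_all_mountpoints(mount_t); that only preserves the old coverage if root_t carries the mountpoint attribute the new interface (from patch 1/13) requires, so confirm that in files.te, and note the dependency on 1/13 in the commit message.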
@@ -113,6 +114,7 @@ storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
 
 term_use_all_terms(mount_t)
+term_dontaudit_manage_pty_dirs(mount_t)
 
 auth_use_nsswitch(mount_t)
 
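Review bot: `term_dontaudit_manage_pty_dirs(mount_t)` silences the full manage set (create, unlink, rename, setattr and so on) on the pty directory; if mount only trips setattr or write on it while mounting devpts, as the mountpoint handling in the first hunk suggests, a narrower dontaudit is preferable so that unexpected create or unlink denials still surface.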
-- 
1.7.3.4

* [refpolicy] [PATCH 11/13] Adding dontaudits for selinuxutil
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
                   ` (9 preceding siblings ...)
  2012-03-22 20:12 ` [refpolicy] [PATCH 10/13] Adding dontaudits for mount Sven Vermeulen
@ 2012-03-22 20:13 ` Sven Vermeulen
  2012-04-20 20:13   ` Christopher J. PeBenito
  2012-03-22 20:13 ` [refpolicy] [PATCH 12/13] Adding dontaudit for sudo Sven Vermeulen
  2012-03-22 20:14 ` [refpolicy] [PATCH 13/13] Adding dontaudits for raid Sven Vermeulen
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:13 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/selinuxutil.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
index ab78aea..bc6e9b7 100644
--- a/policy/modules/system/selinuxutil.te
+++ b/policy/modules/system/selinuxutil.te
@@ -234,6 +234,8 @@ allow newrole_t self:unix_dgram_socket sendto;
 allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 
+dontaudit newrole_t self:capability dac_read_search;
+
 read_files_pattern(newrole_t, default_context_t, default_context_t)
 read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
 
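Review bot: `dontaudit newrole_t self:capability dac_read_search;` has a set-uid program silencing a DAC-bypass capability check; a comment on which path lookup triggers it would let a later reader verify it is noise rather than a needed permission. Style-wise, it is dropped into its own paragraph between the self socket rules and read_files_pattern; group it with the other `self` rules above instead.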
-- 
1.7.3.4

* [refpolicy] [PATCH 12/13] Adding dontaudit for sudo
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
                   ` (10 preceding siblings ...)
  2012-03-22 20:13 ` [refpolicy] [PATCH 11/13] Adding dontaudits for selinuxutil Sven Vermeulen
@ 2012-03-22 20:13 ` Sven Vermeulen
  2012-04-20 20:13   ` Christopher J. PeBenito
  2012-03-22 20:14 ` [refpolicy] [PATCH 13/13] Adding dontaudits for raid Sven Vermeulen
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:13 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/sudo.if |    1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index 6e1de7a..095a505 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -136,6 +136,7 @@ template(`sudo_role_template',`
 	userdom_use_user_terminals($1_sudo_t)
 	# for some PAM modules and for cwd
 	userdom_dontaudit_search_user_home_content($1_sudo_t)
+	userdom_dontaudit_search_user_home_dirs($1_sudo_t)
 
 	ifdef(`hide_broken_symptoms', `
 		dontaudit $1_sudo_t $3:socket_class_set { read write };
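Review bot: `userdom_dontaudit_search_user_home_dirs($1_sudo_t)` follows userdom_dontaudit_search_user_home_content($1_sudo_t) under the same `# for some PAM modules and for cwd` comment; check whether the user home directory type already falls within the attribute the _content interface uses, in which case this line is redundant. If it does not, the existing comment covers it and no further comment is needed.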
-- 
1.7.3.4

* [refpolicy] [PATCH 13/13] Adding dontaudits for raid
  2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
                   ` (11 preceding siblings ...)
  2012-03-22 20:13 ` [refpolicy] [PATCH 12/13] Adding dontaudit for sudo Sven Vermeulen
@ 2012-03-22 20:14 ` Sven Vermeulen
  2012-04-20 20:13   ` Christopher J. PeBenito
  12 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-03-22 20:14 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 raid.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/raid.te b/raid.te
index 3fd46f7..458d42e 100644
--- a/raid.te
+++ b/raid.te
@@ -57,6 +57,7 @@ domain_use_interactive_fds(mdadm_t)
 
 files_read_etc_files(mdadm_t)
 files_read_etc_runtime_files(mdadm_t)
+files_dontaudit_getattr_all_files(mdadm_t)
 
 fs_search_auto_mountpoints(mdadm_t)
 fs_dontaudit_list_tmpfs(mdadm_t)
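Review bot: `files_dontaudit_getattr_all_files(mdadm_t)` suppresses getattr denials against every file type in the policy, which will also hide a misconfiguration where mdadm genuinely needs access to something; prefer the specific type(s) from the audit log, or at least comment what mdadm is scanning. The diff path `a/raid.te` also lacks the policy/modules prefix used elsewhere in the series.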
@@ -70,6 +71,7 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
 storage_read_scsi_generic(mdadm_t)
 
 term_dontaudit_list_ptys(mdadm_t)
+term_dontaudit_use_unallocated_ttys(mdadm_t)
 
 init_dontaudit_getattr_initctl(mdadm_t)
 
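Review bot: `term_dontaudit_use_unallocated_ttys(mdadm_t)` next to term_dontaudit_list_ptys(mdadm_t) is consistently placed, but nothing in this hunk explains how mdadm ends up holding an unallocated tty; a comment on the invocation path that hands it one would help whoever revisits this rule.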
-- 
1.7.3.4

* [refpolicy] [PATCH 3/13] Adding dontaudit on mta
  2012-03-22 20:08 ` [refpolicy] [PATCH 3/13] Adding dontaudit on mta Sven Vermeulen
@ 2012-04-20 20:10   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:10 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:08, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  mta.if |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/mta.if b/mta.if
> index 343cee3..509bcea 100644
> --- a/mta.if
> +++ b/mta.if
> @@ -174,6 +174,8 @@ interface(`mta_role',`
>  	allow mta_user_agent $2:fd use;
>  	allow mta_user_agent $2:process sigchld;
>  	allow mta_user_agent $2:fifo_file { read write };
> +
> +	dontaudit mta_user_agent $1:unix_stream_socket rw_socket_perms;
>  ')
>  
>  ########################################

Does not work. $1 is a role.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 1/13] Adding dontaudit interfaces for files module
  2012-03-22 20:06 ` [refpolicy] [PATCH 1/13] Adding dontaudit interfaces for files module Sven Vermeulen
@ 2012-04-20 20:10   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:10 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:06, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/kernel/files.if |   36 ++++++++++++++++++++++++++++++++++++
>  1 files changed, 36 insertions(+), 0 deletions(-)

Merged. There were whitespace errors; please be mindful. Moved the dontaudit_setattr up in the file.

> diff --git a/policy/modules/kernel/files.if b/policy/modules/kernel/files.if
> index deb24b4..7df46ac 100644
> --- a/policy/modules/kernel/files.if
> +++ b/policy/modules/kernel/files.if
> @@ -1482,6 +1482,42 @@ interface(`files_dontaudit_list_all_mountpoints',`
>  
>  ########################################
>  ## <summary>
> +##     Do not audit write attempts on mount points.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain to ignore write attempts from
> +##     </summary>
> +## </param>
> +#
> +interface(`files_dontaudit_write_all_mountpoints',`
> +	gen_require(`
> +		attribute mountpoint;
> +	')
> +       
> +	dontaudit $1 mountpoint:dir write;
> +')     
> +
> +########################################
> +## <summary>
> +##     Do not audit setattr attempts on mount points.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain to ignore setattr attempts from
> +##     </summary>
> +## </param>
> +#
> +interface(`files_dontaudit_setattr_all_mountpoints',`
> +	gen_require(`
> +		attribute mountpoint;
> +	')
> +
> +	dontaudit $1 mountpoint:dir setattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	List the contents of the root directory.
>  ## </summary>
>  ## <param name="domain">


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 6/13] Adding dontaudit interfaces in sysnet
  2012-03-22 20:10 ` [refpolicy] [PATCH 6/13] Adding dontaudit interfaces in sysnet Sven Vermeulen
@ 2012-04-20 20:11   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:11 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:10, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/sysnetwork.if |   19 +++++++++++++++++++
>  1 files changed, 19 insertions(+), 0 deletions(-)

Merged.  Fixed whitespace.

> diff --git a/policy/modules/system/sysnetwork.if b/policy/modules/system/sysnetwork.if
> index 363e98d..58a7d89 100644
> --- a/policy/modules/system/sysnetwork.if
> +++ b/policy/modules/system/sysnetwork.if
> @@ -66,6 +66,25 @@ interface(`sysnet_dontaudit_use_dhcpc_fds',`
>  
>  ########################################
>  ## <summary>
> +##	Do not audit attempts to read/write to the 
> +##      dhcp unix stream socket descriptors.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`sysnet_dontaudit_rw_dhcpc_unix_stream_sockets',`
> +	gen_require(`
> +		type dhcpc_t;
> +	')
> +
> +	dontaudit $1 dhcpc_t:unix_stream_socket { read write };
> +')
> +
> +########################################
> +## <summary>
>  ##	Send a SIGCHLD signal to the dhcp client.
>  ## </summary>
>  ## <param name="domain">


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 7/13] Adding dontaudits for xserver
  2012-03-22 20:10 ` [refpolicy] [PATCH 7/13] Adding dontaudits for xserver Sven Vermeulen
@ 2012-04-20 20:11   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:11 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:10, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/services/xserver.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index e92dddf..f5ffb79 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -370,6 +370,8 @@ manage_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
>  manage_fifo_files_pattern(xdm_t, xserver_log_t, xserver_log_t)
>  logging_log_filetrans(xdm_t, xserver_log_t, file)
>  
> +domain_dontaudit_search_all_domains_state(xserver_t)
> +
>  kernel_read_system_state(xdm_t)
>  kernel_read_kernel_sysctls(xdm_t)
>  kernel_read_net_sysctls(xdm_t)

This is in xdm_t's section. Is it supposed to be xdm_t or is it supposed to be xserver_t? In either case, it needs to move.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 9/13] Do not audit rw on dhcp client unix_stream_sockets
  2012-03-22 20:12 ` [refpolicy] [PATCH 9/13] Do not audit rw on dhcp client unix_stream_sockets Sven Vermeulen
@ 2012-04-20 20:11   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:11 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:12, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/hostname.te |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
> index c310775..5307361 100644
> --- a/policy/modules/system/hostname.te
> +++ b/policy/modules/system/hostname.te
> @@ -51,6 +51,7 @@ logging_send_syslog_msg(hostname_t)
>  
>  miscfiles_read_localization(hostname_t)
>  
> +sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
>  sysnet_read_config(hostname_t)
>  sysnet_dns_name_resolve(hostname_t)
  
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 10/13] Adding dontaudits for mount
  2012-03-22 20:12 ` [refpolicy] [PATCH 10/13] Adding dontaudits for mount Sven Vermeulen
@ 2012-04-20 20:12   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:12 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:12, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/mount.te |    4 +++-
>  1 files changed, 3 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index fba350b..57c2a00 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -89,7 +89,8 @@ files_read_isid_type_files(mount_t)
>  # For reading cert files
>  files_read_usr_files(mount_t)
>  files_list_mnt(mount_t)
> -files_dontaudit_write_root_dirs(mount_t)
> +files_dontaudit_write_all_mountpoints(mount_t)
> +files_dontaudit_setattr_all_mountpoints(mount_t)
>  
>  fs_getattr_xattr_fs(mount_t)
>  fs_getattr_cifs(mount_t)
> @@ -113,6 +114,7 @@ storage_raw_read_removable_device(mount_t)
>  storage_raw_write_removable_device(mount_t)
>  
>  term_use_all_terms(mount_t)
> +term_dontaudit_manage_pty_dirs(mount_t)
>  
>  auth_use_nsswitch(mount_t)
  
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 2/13] Adding dontaudit on mozilla
  2012-03-22 20:07 ` [refpolicy] [PATCH 2/13] Adding dontaudit on mozilla Sven Vermeulen
@ 2012-04-20 20:12   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:12 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:07, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  mozilla.te |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/mozilla.te b/mozilla.te
> index d3510c2..7bb89fe 100644
> --- a/mozilla.te
> +++ b/mozilla.te
> @@ -148,6 +148,7 @@ files_read_var_files(mozilla_t)
>  files_read_var_symlinks(mozilla_t)
>  files_dontaudit_getattr_boot_dirs(mozilla_t)
>  
> +fs_dontaudit_getattr_all_fs(mozilla_t)
>  fs_search_auto_mountpoints(mozilla_t)
>  fs_list_inotifyfs(mozilla_t)
>  fs_rw_tmpfs_files(mozilla_t)

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 4/13] Adding dontaudits for portage domains
  2012-03-22 20:08 ` [refpolicy] [PATCH 4/13] Adding dontaudits for portage domains Sven Vermeulen
@ 2012-04-20 20:12   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:12 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:08, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  portage.te |    6 ++++++
>  1 files changed, 6 insertions(+), 0 deletions(-)

Merged.

> diff --git a/portage.te b/portage.te
> index 4735035..88eac51 100644
> --- a/portage.te
> +++ b/portage.te
> @@ -146,6 +146,8 @@ optional_policy(`
>  allow portage_t self:process { setfscreate setexec };
>  # - kill for mysql merging, at least
>  allow portage_t self:capability { sys_nice kill setfcap };
> +dontaudit portage_t self:capability { dac_read_search };
> +dontaudit portage_t self:netlink_route_socket rw_netlink_socket_perms;
>  
>  # user post-sync scripts
>  can_exec(portage_t, portage_conf_t)
> @@ -161,6 +163,7 @@ rsync_entry_domtrans(portage_t, portage_fetch_t)
>  allow portage_fetch_t portage_t:fd use;
>  allow portage_fetch_t portage_t:fifo_file rw_file_perms;
>  allow portage_fetch_t portage_t:process sigchld;
> +dontaudit portage_fetch_t portage_devpts_t:chr_file { read write };
>  
>  # transition to sandbox for compiling
>  domain_trans(portage_t, portage_exec_t, portage_sandbox_t)
> @@ -169,10 +172,12 @@ allow portage_sandbox_t portage_t:fd use;
>  allow portage_sandbox_t portage_t:fifo_file rw_file_perms;
>  allow portage_sandbox_t portage_t:process sigchld;
>  allow portage_sandbox_t self:process ptrace;
> +dontaudit portage_sandbox_t self:netlink_route_socket rw_netlink_socket_perms;
>  
>  # run scripts out of the build directory
>  can_exec(portage_t, portage_tmp_t)
>  
> +kernel_dontaudit_request_load_module(portage_t)
>  # merging baselayout will need this:
>  kernel_write_proc_files(portage_t)
>  
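Review bot: `kernel_dontaudit_request_load_module(portage_t)` is inserted directly above the `# merging baselayout will need this:` comment, so that comment now reads as if it explains the dontaudit rather than `kernel_write_proc_files(portage_t)`; add a blank line after the new call (and preferably a comment of its own naming what asks for a module load), as the sandbox netlink rule earlier in this hunk already is separated by a blank line.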
> @@ -288,6 +293,7 @@ files_search_var_lib(portage_fetch_t)
>  files_dontaudit_search_pids(portage_fetch_t)
>  
>  logging_list_logs(portage_fetch_t)
> +logging_dontaudit_search_logs(portage_fetch_t)
>  
>  term_search_ptys(portage_fetch_t)
>  
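Review bot: `logging_dontaudit_search_logs(portage_fetch_t)` sits directly under `logging_list_logs(portage_fetch_t)`, which already grants directory listing on the logs directory; if the dontaudit is there for log subdirectories that the list interface does not cover, a comment should say which, otherwise the line looks redundant and should be dropped.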


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 5/6] Adding dontaudit for qemu
  2012-03-22 20:09 ` [refpolicy] [PATCH 5/6] Adding dontaudit for qemu Sven Vermeulen
@ 2012-04-20 20:12   ` Christopher J. PeBenito
  2012-04-21 16:12     ` Sven Vermeulen
  0 siblings, 1 reply; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:12 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:09, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  qemu.te |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/qemu.te b/qemu.te
> index 9cf9992..a75f91a 100644
> --- a/qemu.te
> +++ b/qemu.te
> @@ -49,6 +49,7 @@ role system_r types qemu_t;
>  #
>  # qemu local policy
>  #
> +dontaudit qemu_t self:socket create;
>  
>  storage_raw_write_removable_device(qemu_t)
>  storage_raw_read_removable_device(qemu_t)
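Review bot: `dontaudit qemu_t self:socket create;` uses the generic `socket` class, which is what the kernel reports when it cannot map the socket to a specific family, and it lands directly under the `# qemu local policy` banner with no blank line and no comment on what triggers it; add a blank line after the banner and a comment naming the feature that causes the create (the later reply in this thread ties it to `-net vde`), since a dontaudit on the catch-all class will also hide any future unrelated socket creations.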

I'm more interested in finding out what kind of socket this is, so we can create an appropriate object class.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 8/13] Do not audit usage of a leaked file descriptor
  2012-03-22 20:11 ` [refpolicy] [PATCH 8/13] Do not audit usage of a leaked file descriptor Sven Vermeulen
@ 2012-04-20 20:12   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:12 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:11, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  dbus.if |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/dbus.if b/dbus.if
> index 1a1becd..fb4bf82 100644
> --- a/dbus.if
> +++ b/dbus.if
> @@ -218,6 +218,8 @@ interface(`dbus_session_bus_client',`
>  
>  	# For connecting to the bus
>  	allow $1 session_bus_type:unix_stream_socket connectto;
> +
> +	dontaudit $1 session_bus_type:fd use;
>  ')
>  
>  ########################################
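Review bot: `dontaudit $1 session_bus_type:fd use;` silences what the subject line calls a leaked file descriptor, but it is unconditional and uncommented in `dbus_session_bus_client`; the sudo patch in this series wraps a comparable leak under `ifdef(`hide_broken_symptoms', ...)`, so either use the same guard or at least add a comment such as `# leaked fd from the session bus` so the leak stays visible to whoever later wants to fix it at the source.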

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 13/13] Adding dontaudits for raid
  2012-03-22 20:14 ` [refpolicy] [PATCH 13/13] Adding dontaudits for raid Sven Vermeulen
@ 2012-04-20 20:13   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:13 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:14, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  raid.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)

Merged.

> diff --git a/raid.te b/raid.te
> index 3fd46f7..458d42e 100644
> --- a/raid.te
> +++ b/raid.te
> @@ -57,6 +57,7 @@ domain_use_interactive_fds(mdadm_t)
>  
>  files_read_etc_files(mdadm_t)
>  files_read_etc_runtime_files(mdadm_t)
> +files_dontaudit_getattr_all_files(mdadm_t)
>  
>  fs_search_auto_mountpoints(mdadm_t)
>  fs_dontaudit_list_tmpfs(mdadm_t)
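Review bot: `files_dontaudit_getattr_all_files(mdadm_t)` is the broadest dontaudit in this series and sits among the etc-file reads with no comment on what mdadm stats; a one-line note on the trigger would keep the rule from silently hiding future getattr denials on unrelated file types, and if the denials are confined to one directory tree a narrower files_dontaudit_getattr_* interface (as with `files_dontaudit_getattr_boot_dirs` in the mozilla patch) would be preferable.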
> @@ -70,6 +71,7 @@ storage_dev_filetrans_fixed_disk(mdadm_t)
>  storage_read_scsi_generic(mdadm_t)
>  
>  term_dontaudit_list_ptys(mdadm_t)
> +term_dontaudit_use_unallocated_ttys(mdadm_t)
>  
>  init_dontaudit_getattr_initctl(mdadm_t)
>  


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 12/13] Adding dontaudit for sudo
  2012-03-22 20:13 ` [refpolicy] [PATCH 12/13] Adding dontaudit for sudo Sven Vermeulen
@ 2012-04-20 20:13   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:13 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:13, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/admin/sudo.if |    1 +
>  1 files changed, 1 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
> index 6e1de7a..095a505 100644
> --- a/policy/modules/admin/sudo.if
> +++ b/policy/modules/admin/sudo.if
> @@ -136,6 +136,7 @@ template(`sudo_role_template',`
>  	userdom_use_user_terminals($1_sudo_t)
>  	# for some PAM modules and for cwd
>  	userdom_dontaudit_search_user_home_content($1_sudo_t)
> +	userdom_dontaudit_search_user_home_dirs($1_sudo_t)
>  
>  	ifdef(`hide_broken_symptoms', `
>  		dontaudit $1_sudo_t $3:socket_class_set { read write };
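Review bot: `userdom_dontaudit_search_user_home_dirs($1_sudo_t)` is added under the existing `# for some PAM modules and for cwd` comment that was written for `userdom_dontaudit_search_user_home_content`; since the two interface names are easily confused, extend the comment to say which denial each one silences (the home directory itself versus its contents) so the pair is not collapsed into one on a later cleanup.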

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 11/13] Adding dontaudits for selinuxutil
  2012-03-22 20:13 ` [refpolicy] [PATCH 11/13] Adding dontaudits for selinuxutil Sven Vermeulen
@ 2012-04-20 20:13   ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-20 20:13 UTC (permalink / raw)
  To: refpolicy

On 03/22/12 16:13, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/selinuxutil.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/selinuxutil.te b/policy/modules/system/selinuxutil.te
> index ab78aea..bc6e9b7 100644
> --- a/policy/modules/system/selinuxutil.te
> +++ b/policy/modules/system/selinuxutil.te
> @@ -234,6 +234,8 @@ allow newrole_t self:unix_dgram_socket sendto;
>  allow newrole_t self:unix_stream_socket { create_stream_socket_perms connectto };
>  allow newrole_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
>  
> +dontaudit newrole_t self:capability dac_read_search;
> +
>  read_files_pattern(newrole_t, default_context_t, default_context_t)
>  read_lnk_files_pattern(newrole_t, default_context_t, default_context_t)
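Review bot: `dontaudit newrole_t self:capability dac_read_search;` has no comment recording which operation produced the denial, and the reply below notes newrole_t already holds dac_override; if the denial was reproduced with dac_override in place, say so in a comment next to the rule, otherwise the dontaudit should be dropped rather than merged on the strength of a single AVC message.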
  
On the fence with this one.  It already has dac_override, which is a superset of dac_read_search.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] [PATCH 5/6] Adding dontaudit for qemu
  2012-04-20 20:12   ` Christopher J. PeBenito
@ 2012-04-21 16:12     ` Sven Vermeulen
  2012-04-23 12:28       ` Christopher J. PeBenito
  0 siblings, 1 reply; 29+ messages in thread
From: Sven Vermeulen @ 2012-04-21 16:12 UTC (permalink / raw)
  To: refpolicy

On Fri, Apr 20, 2012 at 10:12 PM, Christopher J. PeBenito
<cpebenito@tresys.com> wrote:
>> +dontaudit qemu_t self:socket create;
>
> I'm more interested in finding out what kind of socket this is, so we can create an appropriate object class.

Ok, trying to figure that out now. No luck with just querying though:

Apr 21 17:53:04 hpl kernel: [90637.251881] type=1400
audit(1335023584.573:457): avc:  granted  { create } for  pid=28083
comm="qemu-system-x86" scontext=staff_u:sysadm_r:qemu_t
tcontext=staff_u:sysadm_r:qemu_t tclass=socket

Doesn't give much. An lsof shows:

# lsof -p 28083
qemu-syst 28083 swift    8u     unix 0x0000000000000000         0t0
80203 socket
qemu-syst 28083 swift    9u     unix 0x0000000000000000         0t0
80204 /tmp/vde.28083-00003

but I don't know how to find out more about this socket. It is related
to qemu's VDE networking virtualization (if I drop the "-net
vde,vlan=0" I don't get the attempt to create a socket) but doesn't
seem to be necessary.

/tmp/vde.28083-00003 is of type vde_tmp_t (cfr. patch/RFC regarding
VDE support sent a while ago)

If anyone knows of a good resource that I can read on debugging
sockets, I'd love to hear about it.

Wkr,
  Sven Vermeulen


* [refpolicy] [PATCH 5/6] Adding dontaudit for qemu
  2012-04-21 16:12     ` Sven Vermeulen
@ 2012-04-23 12:28       ` Christopher J. PeBenito
  0 siblings, 0 replies; 29+ messages in thread
From: Christopher J. PeBenito @ 2012-04-23 12:28 UTC (permalink / raw)
  To: refpolicy

On 04/21/12 12:12, Sven Vermeulen wrote:
> On Fri, Apr 20, 2012 at 10:12 PM, Christopher J. PeBenito
> <cpebenito@tresys.com> wrote:
>>> +dontaudit qemu_t self:socket create;
>>
>> I'm more interested in finding out what kind of socket this is, so we can create an appropriate object class.
> 
> Ok, trying to figure that out now. No luck with just querying though:
> 
> Apr 21 17:53:04 hpl kernel: [90637.251881] type=1400
> audit(1335023584.573:457): avc:  granted  { create } for  pid=28083
> comm="qemu-system-x86" scontext=staff_u:sysadm_r:qemu_t
> tcontext=staff_u:sysadm_r:qemu_t tclass=socket
> 
> Doesn't give much. An lsof shows:
> 
> # lsof -p 28083
> qemu-syst 28083 swift    8u     unix 0x0000000000000000         0t0
> 80203 socket
> qemu-syst 28083 swift    9u     unix 0x0000000000000000         0t0
> 80204 /tmp/vde.28083-00003
> 
> but I don't know how to find out more about this socket. It is related
> to qemu's VDE networking virtualization (if I drop the "-net
> vde,vlan=0" I don't get the attempt to create a socket) but doesn't
> seem to be necessary.
> 
> /tmp/vde.28083-00003 is of type vde_tmp_t (cfr. patch/RFC regarding
> VDE support sent a while ago)
> 
> If anyone knows of a good resource that I can read on debugging
> sockets, I'd love to hear about it.

The audit subsystem's messages might be more useful.  The last time something like this came around, I ended up looking at the code itself.  It shouldn't be too bad to grep through the code for socket() calls and see what the socket domain/type is.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
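An added example, not code from the thread or from refpolicy, of the inode-matching approach that answers the "how to find out more about this socket" question above: it parses an AVC record like the one Sven posted and resolves the process's socket inodes against the /proc/net tables, so a record on the generic `tclass=socket` can be tied to a unix, tcp, udp or netlink socket before a dontaudit is written. The AVC text is the thread's own; the fd targets and /proc/net rows are constructed, and the column numbers assume the standard /proc/net layouts.

```python
import re

# Added example, not code from the refpolicy thread: resolve an AVC record on the
# generic "socket" class to a socket family by matching the process's socket
# inodes ("socket:[N]" targets under /proc/<pid>/fd) against /proc/net/* tables.
AVC_RE = re.compile(r"avc:\s+(granted|denied)\s+\{ ([^}]+)\} for\s+pid=(\d+)"
                    r".*?tclass=(\S+)", re.S)
FD_SOCK_RE = re.compile(r"^socket:\[(\d+)\]$")
INODE_COL = {"unix": 6, "tcp": 9, "udp": 9, "netlink": 9}  # inode column per table

# The AVC record from the thread, folded across lines as the mailer left it.
SAMPLE_AVC = ("type=1400 audit(1335023584.573:457): avc:  granted  { create } for  "
              "pid=28083\ncomm=\"qemu-system-x86\" scontext=staff_u:sysadm_r:qemu_t\n"
              "tcontext=staff_u:sysadm_r:qemu_t tclass=socket")
# Constructed: /proc/<pid>/fd symlink targets and /proc/net rows for that pid.
SAMPLE_FDS = {0: "/dev/pts/3", 8: "socket:[80203]", 9: "socket:[80204]",
              10: "socket:[91001]", 11: "socket:[777]"}
SAMPLE_PROC_NET = {
    "unix": ("Num RefCount Protocol Flags Type St Inode Path\n"
             "0000000000000000: 00000002 00000000 00000000 0002 01 80203\n"
             "0000000000000000: 00000002 00000000 00000000 0001 03 80204 /tmp/vde.28083-00003\n"),
    "tcp": ("sl local_address rem_address st tx_queue rx_queue tr tm->when retrnsmt uid timeout inode\n"
            "0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000 0 0 91001 1\n"),
}

def parse_avc(record: str):
    """Pull verdict, permission set, pid and tclass out of one AVC record; None if no match."""
    m = AVC_RE.search(record)
    if not m:
        return None
    return {"verdict": m.group(1), "perms": m.group(2).split(),
            "pid": int(m.group(3)), "tclass": m.group(4)}

def inode_families(proc_net: dict) -> dict:
    """Map socket inode -> family name from the text of the /proc/net tables."""
    families = {}
    for table, text in proc_net.items():
        col = INODE_COL[table]
        for row in text.splitlines()[1:]:  # first row is the column header
            fields = row.split()
            if len(fields) > col and fields[col].isdigit():
                families[int(fields[col])] = table
    return families

def classify_sockets(fd_targets: dict, proc_net: dict) -> dict:
    """Name the family of each socket fd, 'unknown' when no table lists its inode."""
    families = inode_families(proc_net)
    out = {}
    for fd, target in fd_targets.items():
        m = FD_SOCK_RE.match(target)
        if m:
            out[fd] = families.get(int(m.group(1)), "unknown")
    return out
```

On a live system the fd targets come from `os.readlink` over `/proc/<pid>/fd/` and the tables from reading `/proc/net/unix`, `/proc/net/tcp` and so on; an fd that stays "unknown" is usually a socket whose family has its own /proc/net file not in INODE_COL.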


Thread overview: 29+ messages
2012-03-22 20:02 [refpolicy] [PATCH 0/13] Numerous dontaudits Sven Vermeulen
2012-03-22 20:06 ` [refpolicy] [PATCH 1/13] Adding dontaudit interfaces for files module Sven Vermeulen
2012-04-20 20:10   ` Christopher J. PeBenito
2012-03-22 20:07 ` [refpolicy] [PATCH 2/13] Adding dontaudit on mozilla Sven Vermeulen
2012-04-20 20:12   ` Christopher J. PeBenito
2012-03-22 20:08 ` [refpolicy] [PATCH 3/13] Adding dontaudit on mta Sven Vermeulen
2012-04-20 20:10   ` Christopher J. PeBenito
2012-03-22 20:08 ` [refpolicy] [PATCH 4/13] Adding dontaudits for portage domains Sven Vermeulen
2012-04-20 20:12   ` Christopher J. PeBenito
2012-03-22 20:09 ` [refpolicy] [PATCH 5/6] Adding dontaudit for qemu Sven Vermeulen
2012-04-20 20:12   ` Christopher J. PeBenito
2012-04-21 16:12     ` Sven Vermeulen
2012-04-23 12:28       ` Christopher J. PeBenito
2012-03-22 20:10 ` [refpolicy] [PATCH 6/13] Adding dontaudit interfaces in sysnet Sven Vermeulen
2012-04-20 20:11   ` Christopher J. PeBenito
2012-03-22 20:10 ` [refpolicy] [PATCH 7/13] Adding dontaudits for xserver Sven Vermeulen
2012-04-20 20:11   ` Christopher J. PeBenito
2012-03-22 20:11 ` [refpolicy] [PATCH 8/13] Do not audit usage of a leaked file descriptor Sven Vermeulen
2012-04-20 20:12   ` Christopher J. PeBenito
2012-03-22 20:12 ` [refpolicy] [PATCH 9/13] Do not audit rw on dhcp client unix_stream_sockets Sven Vermeulen
2012-04-20 20:11   ` Christopher J. PeBenito
2012-03-22 20:12 ` [refpolicy] [PATCH 10/13] Adding dontaudits for mount Sven Vermeulen
2012-04-20 20:12   ` Christopher J. PeBenito
2012-03-22 20:13 ` [refpolicy] [PATCH 11/13] Adding dontaudits for selinuxutil Sven Vermeulen
2012-04-20 20:13   ` Christopher J. PeBenito
2012-03-22 20:13 ` [refpolicy] [PATCH 12/13] Adding dontaudit for sudo Sven Vermeulen
2012-04-20 20:13   ` Christopher J. PeBenito
2012-03-22 20:14 ` [refpolicy] [PATCH 13/13] Adding dontaudits for raid Sven Vermeulen
2012-04-20 20:13   ` Christopher J. PeBenito
