From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>,
	"selinux-refpolicy@vger.kernel.org" 
	<selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH] yet more tiny stuff
Date: Wed, 23 Jan 2019 18:35:28 -0500	[thread overview]
Message-ID: <b86eaf41-ce56-4d3b-f10e-59ba726d77d6@ieee.org> (raw)
In-Reply-To: <20190121225928.GA2428@xev>

On 1/21/19 5:59 PM, Russell Coker wrote:
> I think this should be self-explanatory.  I've added an audit trace for the
> sys_ptrace access that was previously rejected.
> 
> 
> Here is the audit log for sys_ptrace:
> type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
> type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
> type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
> type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
> 
> Index: refpolicy-2.20180701/policy/modules/apps/gpg.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/apps/gpg.te
> +++ refpolicy-2.20180701/policy/modules/apps/gpg.te
> @@ -184,11 +184,6 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> -	cron_system_entry(gpg_t, gpg_exec_t)
> -	cron_read_system_job_tmp_files(gpg_t)
> -')
> -
> -optional_policy(`
>   	xserver_use_xdm_fds(gpg_t)
>   	xserver_rw_xdm_pipes(gpg_t)
>   ')
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -520,6 +520,7 @@ corenet_udp_sendrecv_all_ports(system_cr
>   dev_getattr_all_blk_files(system_cronjob_t)
>   dev_getattr_all_chr_files(system_cronjob_t)
>   dev_getattr_mtrr_dev(system_cronjob_t)
> +dev_read_rand(system_cronjob_t)
>   dev_read_urand(system_cronjob_t)
>   dev_read_sysfs(system_cronjob_t)
>   # for checkarray to write to sync_action
> @@ -551,6 +552,7 @@ files_read_var_lib_symlinks(system_cronj
>   mls_file_read_to_clearance(system_cronjob_t)
>   
>   init_domtrans_script(system_cronjob_t)
> +init_read_generic_units_links(system_cronjob_t)
>   init_read_utmp(system_cronjob_t)
>   init_use_script_fds(system_cronjob_t)
>   
> @@ -623,6 +625,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	gpg_exec(system_cronjob_t)
> +')
> +
> +optional_policy(`
>   	inn_manage_log(system_cronjob_t)
>   	inn_manage_pid(system_cronjob_t)
>   	inn_read_config(system_cronjob_t)
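Review bot: `gpg_exec(system_cronjob_t)` runs gpg inside the system_cronjob_t domain itself, and together with the gpg.te hunk that drops `cron_system_entry(gpg_t, gpg_exec_t)` this replaces a transition into the confined gpg_t domain with execution under the cron job's own, much broader, domain; neither the hunk nor the message says why the transition was dropped. If that is the intended end state, a comment on the new block would stop the next reader from re-adding the entry point, e.g. `# gpg runs in the cron job domain; no transition to gpg_t`. If the transition was removed only because it misfired for some jobs, keeping `cron_system_entry` and adding `gpg_exec` alongside it may be the smaller change, though which case applies cannot be told from the diff alone.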
> Index: refpolicy-2.20180701/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/init.if
> +++ refpolicy-2.20180701/policy/modules/system/init.if
> @@ -2962,6 +2962,25 @@ interface(`init_search_units',`
>   
>   ########################################
>   ## <summary>
> +##	Read systemd unit links
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_generic_units_links',`
> +	gen_require(`
> +		type systemd_unit_t;
> +		class service status;
> +	')
> +
> +	allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
>   ##	Get status of generic systemd units.
>   ## </summary>
>   ## <param name="domain">
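Review bot: The `gen_require` of the new `init_read_generic_units_links` interface declares `class service status;`, but the only rule in the body is `allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;`, so the class require is a leftover, apparently carried over from the neighbouring status interface; reduce the require block to `type systemd_unit_t;` alone. The summary could also say what is being read, e.g. `##	Read symbolic links labelled systemd_unit_t (generic unit links).`, since the name alone does not make clear that units themselves are not readable through it.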
> Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
> +++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
> @@ -31,7 +31,8 @@ allow irqbalance_t self:udp_socket creat
>   allow irqbalance_t self:unix_stream_socket create_stream_socket_perms;
>   
>   manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
> -files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file)
> +manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
> +files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file })
>   
>   kernel_read_network_state(irqbalance_t)
>   kernel_read_system_state(irqbalance_t)
> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
> @@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
>   # Local policy
>   #
>   
> -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
> +# sys_ptrace is for systemctl
> +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
>   # systemctl asks for net_admin
>   dontaudit logrotate_t self:capability net_admin;
>   allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
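Review bot: Adding `sys_ptrace` to the logrotate_t capability set is a large grant for a denial whose only visible trigger is the quoted audit record, a `newfstatat` of `/proc/1/root` by systemctl that failed with EACCES; the existing line just below already answers systemctl's `net_admin` request with a `dontaudit` rather than an `allow`, and the same treatment looks worth considering here unless the `systemctl restart cups.service` actually fails without the capability, which the message does not say. CAP_SYS_PTRACE gates a number of /proc accesses beyond ptrace itself, so if the allow is kept the comment should record the concrete trigger, e.g. `# sys_ptrace: systemctl stats /proc/1/root (chroot check)`, so the grant can be revisited. As a style point, the rest of the set is sorted but `sys_ptrace` was inserted before `sys_nice`; `... setuid sys_nice sys_ptrace sys_resource` keeps the ordering.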

Merged.

-- 
Chris PeBenito
