* [PATCH 0/3] Grant permissions to read fips_enabled
From: David Sugar @ 2018-12-08 18:45 UTC
To: selinux-refpolicy

Resolving a few issues with processes trying to read /proc/sys/crypto/fips_enabled and being denied by SELinux policy.

Dave Sugar (3):
  Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
  Allow kmod to read /proc/sys/crypto/fips_enabled
  Allow dbus to access /proc/sys/crypto/fips_enabled

 policy/modules/services/dbus.te    | 2 ++
 policy/modules/services/xserver.te | 1 +
 policy/modules/system/modutils.te  | 1 +
 3 files changed, 4 insertions(+)

-- 
2.19.2
* [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
From: David Sugar @ 2018-12-08 18:45 UTC
To: selinux-refpolicy

type=AVC msg=audit(1543761322.221:211): avc: denied { search } for pid=16826 comm="X" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { read } for pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc: denied { open } for pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/xserver.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 7d4c0c1b..425f7bd7 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -709,6 +709,7 @@ allow xserver_t xauth_home_t:file read_file_perms; manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) logging_log_filetrans(xserver_t, xserver_log_t, file) +kernel_read_crypto_sysctls(xserver_t) kernel_read_system_state(xserver_t) kernel_read_device_sysctls(xserver_t) kernel_read_modprobe_sysctls(xserver_t) -- 2.19.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
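Review bot: the commit message for this hunk is only the four AVC records and does not say what in the X server reads /proc/sys/crypto/fips_enabled (commonly a linked crypto library checking FIPS mode at startup), so a one-line note on the trigger would let a later reader judge whether the access is a hard requirement or could be dontaudited instead. The rule itself is the right granularity: the denials need search on the sysctl_crypto_t directory plus read/open/getattr on the file, and kernel_read_crypto_sysctls(xserver_t) is the interface scoped to exactly that, alongside the existing kernel_read_device_sysctls() and kernel_read_modprobe_sysctls() calls, rather than a broader all-sysctls interface or a raw allow rule on sysctl_crypto_t. Since the records were collected with permissive=1, the permission set shown is the complete one rather than only the first refusal.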
* Re: [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
From: Chris PeBenito @ 2018-12-11 22:54 UTC
To: David Sugar, selinux-refpolicy

On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543761322.221:211): avc: denied { search } for
> pid=16826 comm="X" name="crypto" dev="proc" ino=10257
> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543761322.221:211): avc: denied { read } for
> pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543761322.221:211): avc: denied { open } for
> pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543761322.222:212): avc: denied { getattr } for
> pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/services/xserver.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 7d4c0c1b..425f7bd7 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -709,6 +709,7 @@ allow xserver_t xauth_home_t:file read_file_perms; > manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t) > logging_log_filetrans(xserver_t, xserver_log_t, file) > > +kernel_read_crypto_sysctls(xserver_t) > kernel_read_system_state(xserver_t) > kernel_read_device_sysctls(xserver_t) > kernel_read_modprobe_sysctls(xserver_t) Merged. -- Chris PeBenito ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 2/3] Allow kmod to read /proc/sys/crypto/fips_enabled
From: David Sugar @ 2018-12-08 18:45 UTC
To: selinux-refpolicy

type=AVC msg=audit(1543769402.716:165): avc: denied { search } for pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { read } for pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc: denied { open } for pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/modutils.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index a8125c17..73471401 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -58,6 +58,7 @@ can_exec(kmod_t, kmod_exec_t) kernel_load_module(kmod_t) kernel_request_load_module(kmod_t) +kernel_read_crypto_sysctls(kmod_t) kernel_read_system_state(kmod_t) kernel_read_network_state(kmod_t) kernel_write_proc_files(kmod_t) -- 2.19.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
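Review bot: the denials behind this hunk come from comm="sysctl" running in kmod_t, not from the kmod binary itself, and the commit message does not say how sysctl ends up in that domain (for example a modprobe.d install command that runs it); that deserves a sentence, because if the trigger is a whole-tree read such as `sysctl -a` or `sysctl --system`, the crypto directory is only the first one it trips over and more sysctl denials should be expected once this one is allowed. Granting kernel_read_crypto_sysctls(kmod_t) does match the four recorded permissions (dir search, file read/open/getattr) and keeps the grant limited to sysctl_crypto_t, which is preferable to an all-sysctls read or to leaning on the existing kernel_write_proc_files(kmod_t) line below it.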
* Re: [PATCH 2/3] Allow kmod to read /proc/sys/crypto/fips_enabled
From: Chris PeBenito @ 2018-12-11 22:54 UTC
To: David Sugar, selinux-refpolicy

On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543769402.716:165): avc: denied { search } for
> pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
> scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543769402.716:165): avc: denied { read } for
> pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
> scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769402.716:165): avc: denied { open } for
> pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10285 scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769402.717:166): avc: denied { getattr } for
> pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10285 scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/system/modutils.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index a8125c17..73471401 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -58,6 +58,7 @@ can_exec(kmod_t, kmod_exec_t) > > kernel_load_module(kmod_t) > kernel_request_load_module(kmod_t) > +kernel_read_crypto_sysctls(kmod_t) > kernel_read_system_state(kmod_t) > kernel_read_network_state(kmod_t) > kernel_write_proc_files(kmod_t) Merged. -- Chris PeBenito ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH 3/3] Allow dbus to access /proc/sys/crypto/fips_enabled
From: David Sugar @ 2018-12-08 18:45 UTC
To: selinux-refpolicy

type=AVC msg=audit(1543769401.029:153): avc: denied { search } for pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { read } for pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc: denied { open } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1543845518.175:364): avc: denied { search } for pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { read } for pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc: denied { open } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365):
avc: denied { getattr } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 Signed-off-by: Dave Sugar <dsugar@tresys.com> --- policy/modules/services/dbus.te | 2 ++ 1 file changed, 2 insertions(+) diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te index 4b1e25c6..ea0af022 100644 --- a/policy/modules/services/dbus.te +++ b/policy/modules/services/dbus.te @@ -89,6 +89,7 @@ files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file }) can_exec(system_dbusd_t, dbusd_exec_t) +kernel_read_crypto_sysctls(system_dbusd_t) kernel_read_system_state(system_dbusd_t) kernel_read_kernel_sysctls(system_dbusd_t) @@ -227,6 +228,7 @@ manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_ru manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) +kernel_read_crypto_sysctls(session_bus_type) kernel_read_system_state(session_bus_type) kernel_read_kernel_sysctls(session_bus_type) -- 2.19.2 ^ permalink raw reply related [flat|nested] 7+ messages in thread
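Review bot: on the first hunk (@@ -89,6 +89,7 @@, system_dbusd_t), the subject line says "access" while the other two patches in the series say "read", and the rule added is kernel_read_crypto_sysctls(system_dbusd_t), a read-only grant; changing the subject to "read" would describe the change accurately and keep the series consistent. The rule matches the recorded system_dbusd_t denials (search on the sysctl_crypto_t directory, then read/open/getattr on the file) and sits beside the existing kernel_read_system_state() and kernel_read_kernel_sysctls() calls, so nothing wider is needed for the system bus.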
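Review bot: on the second hunk (@@ -227,6 +228,7 @@), the read is granted to the session_bus_type attribute, but the only session-bus evidence in the log is sysadm_u:sysadm_r:sysadm_dbusd_t, so the grant reaches every session bus domain rather than just the one observed. That is consistent with the neighbouring kernel_read_system_state(session_bus_type) and kernel_read_kernel_sysctls(session_bus_type) lines and with the same dbus-daemon binary serving every user's session, so the attribute-wide rule is defensible; a sentence in the commit message saying the wider scope is intentional would stop it being read as an overreach.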
* Re: [PATCH 3/3] Allow dbus to access /proc/sys/crypto/fips_enabled
From: Chris PeBenito @ 2018-12-11 22:54 UTC
To: David Sugar, selinux-refpolicy

On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543769401.029:153): avc: denied { search } for
> pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543769401.029:153): avc: denied { read } for
> pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769401.029:153): avc: denied { open } for
> pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for
> pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
>
> type=AVC msg=audit(1543845518.175:364): avc: denied { search } for
> pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543845518.175:364): avc: denied { read } for
> pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543845518.175:364): avc: denied { open } for
> pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=9289 >
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 > type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for > pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" > dev="proc" ino=9289 > scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 > tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 > > Signed-off-by: Dave Sugar <dsugar@tresys.com> > --- > policy/modules/services/dbus.te | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te > index 4b1e25c6..ea0af022 100644 > --- a/policy/modules/services/dbus.te > +++ b/policy/modules/services/dbus.te > @@ -89,6 +89,7 @@ files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file }) > > can_exec(system_dbusd_t, dbusd_exec_t) > > +kernel_read_crypto_sysctls(system_dbusd_t) > kernel_read_system_state(system_dbusd_t) > kernel_read_kernel_sysctls(system_dbusd_t) > > @@ -227,6 +228,7 @@ manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_ru > manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t) > userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file }) > > +kernel_read_crypto_sysctls(session_bus_type) > kernel_read_system_state(session_bus_type) > kernel_read_kernel_sysctls(session_bus_type) Merged. -- Chris PeBenito ^ permalink raw reply [flat|nested] 7+ messages in thread