From: "Sugar, David" <dsugar@tresys.com>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] New interface to dontaudit access to cert_t
Date: Tue, 12 Feb 2019 13:05:31 +0000
Message-ID: <20190212130456.11572-1-dsugar@tresys.com>

I'm seeing a bunch of denials for various processes (some refpolicy domains, some my own application domains) attempting to access /etc/pki. They seem to be working OK even with the denial. Adding an interface to dontaudit this stuff and calling the interface.

type=AVC msg=audit(1549932300.668:266): avc: denied { search } for pid=7077 comm="X" name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1549932306.553:430): avc: denied { search } for pid=7345 comm="clamd" name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:clamd_t:s0:c1 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
Signed-off-by: Dave Sugar --- policy/modules/services/clamav.te | 1 + policy/modules/services/xserver.te | 1 + policy/modules/system/miscfiles.if | 20 ++++++++++++++++++++ 3 files changed, 22 insertions(+) diff --git a/policy/modules/services/clamav.te b/policy/modules/services/cl= amav.te index 622453e3..ad19cc7b 100644 --- a/policy/modules/services/clamav.te +++ b/policy/modules/services/clamav.te @@ -147,6 +147,7 @@ auth_use_nsswitch(clamd_t) =20 logging_send_syslog_msg(clamd_t) =20 +miscfiles_dontaudit_search_generic_certs(clamd_t) miscfiles_read_localization(clamd_t) =20 tunable_policy(`clamd_use_jit',` diff --git a/policy/modules/services/xserver.te b/policy/modules/services/x= server.te index a2b08a89..da1c0c7d 100644 --- a/policy/modules/services/xserver.te +++ b/policy/modules/services/xserver.te @@ -804,6 +804,7 @@ locallogin_use_fds(xserver_t) logging_send_syslog_msg(xserver_t) logging_send_audit_msgs(xserver_t) =20 +miscfiles_dontaudit_search_generic_certs(xserver_t) miscfiles_read_localization(xserver_t) miscfiles_read_fonts(xserver_t) =20 diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/mis= cfiles.if index 93c1f9c1..cecdb406 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -131,6 +131,26 @@ interface(`miscfiles_read_generic_certs',` read_lnk_files_pattern($1, cert_t, cert_t) ') =20 +######################################## +## +## Do not audit attempts to search +## on a generic certs directory. +## +## +## +## Domain to not audit. +## +## +## +# +interface(`miscfiles_dontaudit_search_generic_certs',` + gen_require(` + type cert_t; + ') + + dontaudit $1 cert_t:dir search; +') + ######################################## ## ## Manage generic SSL/TLS certificates. --=20 2.20.1
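Review bot: in the miscfiles.if hunk, `dontaudit $1 cert_t:dir search;` silences only `search`; a path walk under /etc/pki that then does `getattr` or `open` on the directory would still produce a fresh denial once `search` is hidden, so the conventional refpolicy form `dontaudit $1 cert_t:dir search_dir_perms;` is the safer choice. Separately, the doc comment as shown here has empty `##` lines where the `<summary>` and `<param name="domain">` markup normally sits; if the tags were stripped in transit that is harmless, but confirm they are present in the submitted patch since the policy documentation build parses them.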
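Review bot: for the clamav.te and xserver.te hunks, the cover text says the processes work despite the denial, but a dontaudit on the cert directory also hides the case where the domain later genuinely needs to read certificates. It would help to say in the commit message why the search is incidental (for example a crypto library probing /etc/pki at startup), so a future reader knows to switch the caller to miscfiles_read_generic_certs rather than widen the dontaudit.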
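As an added example (not part of the patch or of refpolicy), the following Python script reduces AVC denial records like the two quoted above to the one rule per source domain, target type and object class that the patch encodes; the two sample lines are the records from the message, and the function names `parse_avc` and `summarise` are chosen here.

```python
import re
from collections import defaultdict

# An SELinux AVC denial record: the permission set in braces, then key=value fields.
AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Sample input: the two denial records quoted in the message above.
SAMPLE = [
    'type=AVC msg=audit(1549932300.668:266): avc: denied { search } for pid=7077 comm="X" '
    'name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 '
    'tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0',
    'type=AVC msg=audit(1549932306.553:430): avc: denied { search } for pid=7345 comm="clamd" '
    'name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:clamd_t:s0:c1 '
    'tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0',
]


def parse_avc(line):
    """Return the denied perms, source/target types, class and comm of one AVC line, or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('rest'))}
    try:
        # A security context is user:role:type[:mls]; the type is the third field.
        stype = fields['scontext'].split(':')[2]
        ttype = fields['tcontext'].split(':')[2]
    except (KeyError, IndexError):
        return None
    return {
        'perms': set(m.group('perms').split()),
        'stype': stype, 'ttype': ttype,
        'tclass': fields.get('tclass'), 'comm': fields.get('comm'),
        'permissive': fields.get('permissive') == '1',
    }


def summarise(lines, rule='dontaudit'):
    """Collapse many denials into one policy rule per (source type, target type, class)."""
    groups = defaultdict(set)
    for line in lines:
        rec = parse_avc(line)
        if rec and rec['tclass']:
            groups[(rec['stype'], rec['ttype'], rec['tclass'])] |= rec['perms']
    rules = []
    for (stype, ttype, tclass), perms in sorted(groups.items()):
        p = ' '.join(sorted(perms))
        rules.append(f"{rule} {stype} {ttype}:{tclass} {p if len(perms) == 1 else '{ ' + p + ' }'};")
    return rules


if __name__ == '__main__':
    print('\n'.join(summarise(SAMPLE)))
```

Running it on the two records prints a `dontaudit` rule for clamd_t and one for xserver_t, which is exactly what the new interface expands to for each caller; pass `rule='allow'` to see the rule you would need instead if the access turned out to be required.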