* [PATCH] Fix incorrect type in clamav_enabledisable_clamd interface
From: Sugar, David @ 2019-02-25 23:37 UTC
To: selinux-refpolicy
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/services/clamav.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 3639d769..0dc1e23c 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -263,11 +263,11 @@ interface(`clamav_scannable_files',`
#
interface(`clamav_enabledisable_clamd',`
gen_require(`
- type clamav_unit_t;
+ type clamd_unit_t;
class service { enable disable };
')
- allow $1 clamav_unit_t:service { enable disable };
+ allow $1 clamd_unit_t:service { enable disable };
')
########################################
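Review bot: the gen_require and the allow rule now name the same type, which is the whole fix, but the commit message is empty; it should say that `clamav_unit_t` is not a type clamav.te declares, so any module that called `clamav_enabledisable_clamd` could not be built until now. Before merging, confirm no other interface in the file still names the old type (`grep -n clamav_unit_t policy/modules/services/clamav.if`) and that `clamd_unit_t` is the type clamav.te actually declares for the unit file, since neither is visible in this hunk.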
--
2.20.1
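The mismatch this patch fixes, a gen_require naming a type the module never declares, is mechanical enough to check automatically. The following is an added example written for this page, not refpolicy's own tooling: it pulls the type names out of each interface() block, checks them against the type declarations in a .te excerpt, and also flags the reverse mistake of using a type the interface never required. The .te excerpt, the clamav_read_state interface and the MISSING_REQ_IF text are constructed for the example; only the clamav_enabledisable_clamd text is taken from the patch.

```python
"""Cross-check refpolicy interface blocks against a module's type
declarations.  Added example for this thread; not refpolicy tooling.

Two checks, the first of which would have caught the bug fixed above:
  1. every type listed in an interface's gen_require() is declared in the
     module's .te (the old interface required clamav_unit_t, which the
     clamav module does not declare);
  2. every *_t type used in the interface body is listed in gen_require().
"""
import re

# Constructed excerpt of clamav.te (assumption: only the declarations this
# example needs are listed).
CLAMAV_TE = """
type clamd_t;
type clamd_exec_t;
type clamd_unit_t;
type freshclam_t;
type freshclam_exec_t;
"""

# The interface as it read before the patch: the required type and the
# allow rule agree with each other, but neither names a declared type.
BROKEN_IF = """
interface(`clamav_enabledisable_clamd',`
    gen_require(`
        type clamav_unit_t;
        class service { enable disable };
    ')

    allow $1 clamav_unit_t:service { enable disable };
')
"""

# The interface after the patch.
FIXED_IF = BROKEN_IF.replace("clamav_unit_t", "clamd_unit_t")

# Constructed interface showing the other common mistake: a type used in the
# body that was never pulled in through gen_require().
MISSING_REQ_IF = """
interface(`clamav_read_state',`
    gen_require(`
        type clamd_t;
    ')

    allow $1 clamd_var_run_t:file read_file_perms;
')
"""

TYPE_DECL = re.compile(r"^\s*type\s+([A-Za-z0-9_]+)\b", re.M)
IFACE = re.compile(r"interface\(`([A-Za-z0-9_]+)',`(.*?)\n'\)", re.S)
REQUIRE = re.compile(r"gen_require\(`(.*?)'\)", re.S)
REQ_TYPES = re.compile(r"\btype\s+([^;]+);")
TYPE_USE = re.compile(r"\b[A-Za-z0-9_]+_t\b")


def declared_types(te_text):
    """Names introduced by 'type NAME ...;' declarations in a .te file."""
    return set(TYPE_DECL.findall(te_text))


def required_types(body):
    """Types an interface body pulls in through gen_require()."""
    req = set()
    for block in REQUIRE.findall(body):
        for decl in REQ_TYPES.findall(block):
            req.update(t.strip() for t in decl.split(","))
    return req


def used_types(body):
    """*_t identifiers used in the rules outside gen_require()."""
    return set(TYPE_USE.findall(REQUIRE.sub("", body)))


def lint(if_text, te_text):
    """Return human-readable problems; empty when the interfaces are clean."""
    known = declared_types(te_text)
    problems = []
    for name, body in IFACE.findall(if_text):
        req = required_types(body)
        for t in sorted(req - known):
            problems.append(f"{name}: requires undeclared type {t}")
        for t in sorted(used_types(body) - req):
            problems.append(f"{name}: uses {t} without gen_require")
    return problems


if __name__ == "__main__":
    for label, text in (("before", BROKEN_IF), ("after", FIXED_IF),
                        ("missing require", MISSING_REQ_IF)):
        print(label, lint(text, CLAMAV_TE) or "ok")
```

Run against the real tree, the .te text would be the whole module file and the .if text the whole interface file; the regexes only understand the `interface(`name',` ... `')` layout refpolicy uses, so templates and m4 conditionals inside a body are ignored rather than parsed.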
* [PATCH] Allow freshclam to read sysctl_crypto_t
From: Sugar, David @ 2019-02-25 23:37 UTC
To: selinux-refpolicy
type=AVC msg=audit(1550894180.137:3099): avc: denied { search } for pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550894180.137:3099): avc: denied { read } for pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550894180.137:3099): avc: denied { open } for pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/services/clamav.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 622453e3..db4e0209 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -202,6 +202,7 @@ stream_connect_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t, clamd_t)
read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
kernel_dontaudit_list_proc(freshclam_t)
+kernel_read_crypto_sysctls(freshclam_t)
kernel_read_kernel_sysctls(freshclam_t)
kernel_read_network_state(freshclam_t)
kernel_read_system_state(freshclam_t)
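Review bot: the commit message is only the AVC trace; one line on why freshclam reads /proc/sys/crypto/fips_enabled (the trace shows it is the only object touched under sysctl_crypto_t) would tell a later reader whether this is a hard requirement or something that could be dontaudited. The three denials (search on the directory, read and open on the file) are what kernel_read_crypto_sysctls exists for, and placing it between kernel_dontaudit_list_proc and kernel_read_kernel_sysctls keeps the kernel_ calls in the file's alphabetical order.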
--
2.20.1
* [PATCH] Add interfaces to run freshclam
From: Sugar, David @ 2019-02-25 23:37 UTC
To: selinux-refpolicy
Currently freshclam can only be started from cron or init. This adds
the option of starting from a different process and optionally
transitioning or staying in the caller's domain.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/services/clamav.if | 64 +++++++++++++++++++++++++++++++
1 file changed, 64 insertions(+)
diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 0dc1e23c..30d0b814 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -251,6 +251,70 @@ interface(`clamav_scannable_files',`
typeattribute $1 clam_scannable_type;
')
+########################################
+## <summary>
+## Execute a domain transition to run freshclam.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`clamav_domtrans_freshclam',`
+ gen_require(`
+ type freshclam_t, freshclam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ domtrans_pattern($1, freshclam_exec_t, freshclam_t)
+')
+
+########################################
+## <summary>
+## Execute freshclam in the freshclam domain, and
+## allow the specified role the freshclam domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`clamav_run_freshclam',`
+ gen_require(`
+ type freshclam_t;
+ ')
+
+ clamav_domtrans_freshclam($1)
+ role $2 types freshclam_t;
+')
+
+########################################
+## <summary>
+## Execute freshclam in the caller domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_exec_freshclam',`
+ gen_require(`
+ type freshclam_exec_t;
+ ')
+
+ corecmd_search_bin($1)
+ can_exec($1, freshclam_exec_t)
+')
+
########################################
## <summary>
## Allow specified domain to enable clamd units
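Review bot: the `clamav_exec_freshclam` summary should warn that running freshclam in the caller domain means the caller itself must carry every permission clamav.te grants to freshclam_t, so it is the fallback for callers that cannot transition, with `clamav_domtrans_freshclam` and `clamav_run_freshclam` as the default choice; one sentence in the summary is enough. Otherwise the three interfaces follow the usual domtrans/run/exec pattern, `<rolecap/>` is present on the run variant, and each gen_require lists exactly the types its body uses.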
--
2.20.1
* [PATCH] Allow AIDE to sendto kernel datagram socket
From: Sugar, David @ 2019-02-25 23:37 UTC
To: selinux-refpolicy
type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/admin/aide.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index 9d3c19ce..6297b60e 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
+kernel_dgram_send(aide_t)
+
logging_send_audit_msgs(aide_t)
logging_send_syslog_msg(aide_t)
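Review bot: the peer of /dev/log in this AVC is labelled kernel_t rather than a syslog daemon type, which is why logging_send_syslog_msg does not cover it; the commit message should say where /dev/log gets that label on this system (a socket created before the policy is loaded keeps the kernel_t label), so the next reader does not have to ask why an admin tool needs a kernel_* interface. The blank line after kernel_dgram_send(aide_t) keeps the kernel_ calls separate from the logging_ block, matching the file's grouping.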
--
2.20.1
* [PATCH] Allow AIDE to read kernel sysctl_crypto_t
From: Sugar, David @ 2019-02-25 23:37 UTC
To: selinux-refpolicy
type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/admin/aide.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index 6297b60e..f58ba850 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -36,6 +36,7 @@ files_read_all_files(aide_t)
files_read_all_symlinks(aide_t)
kernel_dgram_send(aide_t)
+kernel_read_crypto_sysctls(aide_t)
logging_send_audit_msgs(aide_t)
logging_send_syslog_msg(aide_t)
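Review bot: the fourth AVC is a getattr on fips_enabled that did not appear in the freshclam trace for the same file; confirm kernel_read_crypto_sysctls grants getattr as well as search, read and open (it does if it is built on read_files_pattern like the neighbouring kernel_read_*_sysctls interfaces), otherwise that denial returns as soon as the system goes enforcing. Placing kernel_read_crypto_sysctls directly after kernel_dgram_send keeps the kernel_ calls sorted, matching the freshclam change.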
--
2.20.1
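The three patches in this series that are justified only by AVC records (freshclam reading sysctl_crypto_t, AIDE sending to /dev/log, AIDE reading sysctl_crypto_t) all follow the same step: collapse the denials into (source type, target type, object class) and pick the refpolicy interface that covers that pair. The following is an added example, not refpolicy or audit2allow code, that performs that reduction over the records posted in this thread. The INTERFACE_HINTS table knows only the pairs that appear here, taken from the interfaces the patches use; the tmp_t record is constructed to show what an unmapped denial looks like.

```python
"""Reduce raw AVC denial records to the refpolicy calls that address them.
Added example for this thread; not part of refpolicy or audit2allow.

The freshclam and aide records below are the ones posted in the thread.
The last aide record (tmp_t) is constructed so the unmapped path is shown.
"""
import re

FRESHCLAM_AVC = [
    'type=AVC msg=audit(1550894180.137:3099): avc: denied { search } for pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1550894180.137:3099): avc: denied { read } for pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1550894180.137:3099): avc: denied { open } for pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1',
]

AIDE_AVC = [
    'type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1',
    'type=AVC msg=audit(1550799594.212:164): avc: denied { search } for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1550799594.212:164): avc: denied { read } for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1550799594.212:164): avc: denied { open } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1550799594.213:165): avc: denied { getattr } for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1',
    # Constructed record (not from the thread) for a pair the hint table does not know.
    'type=AVC msg=audit(1550799594.600:210): avc: denied { write } for pid=7182 comm="aide" name="tmp" dev="dm-0" ino=2 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir permissive=1',
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*([^}]+?)\s*\}\s+for\s+(.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# (target type, object class) -> interface used for that pair in this thread.
# Anything else is handed back as a raw allow rule for manual review.
INTERFACE_HINTS = {
    ("sysctl_crypto_t", "dir"): "kernel_read_crypto_sysctls",
    ("sysctl_crypto_t", "file"): "kernel_read_crypto_sysctls",
    ("kernel_t", "unix_dgram_socket"): "kernel_dgram_send",
}


def parse_avc(line):
    """Return the fields of one AVC record, or None for any other audit line."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group(2))}
    return {
        "perms": set(m.group(1).split()),
        "source": fields["scontext"].split(":")[2],  # type field of user:role:type:range
        "target": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "comm": fields.get("comm"),
        # permissive=1 means the access was logged but still allowed
        "enforced": fields.get("permissive") != "1",
    }


def summarize(lines):
    """Merge records into {(source_type, target_type, class): set of perms}."""
    agg = {}
    for line in lines:
        rec = parse_avc(line)
        if rec is not None:
            key = (rec["source"], rec["target"], rec["tclass"])
            agg.setdefault(key, set()).update(rec["perms"])
    return agg


def suggest(agg):
    """One refpolicy call per mapped pair; unmapped pairs come back as raw rules."""
    out = set()
    for (src, tgt, cls), perms in agg.items():
        iface = INTERFACE_HINTS.get((tgt, cls))
        if iface:
            out.add(f"{iface}({src})")
        else:
            out.add(f"# unmapped: allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return sorted(out)


if __name__ == "__main__":
    for name, records in (("freshclam", FRESHCLAM_AVC), ("aide", AIDE_AVC)):
        print(name)
        for call in suggest(summarize(records)):
            print("   ", call)
```

The point of the hint table is to stop at the interface rather than emit the raw allow rule the way audit2allow would: the raw rule for the freshclam case would be three permissions on two classes, while the interface call is the single line the patch actually adds. The unmapped branch is deliberately left as a comment so it cannot be pasted into a .te file unread.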
* [PATCH] Allow AIDE to mmap files
From: Sugar, David @ 2019-02-25 23:37 UTC
To: selinux-refpolicy
AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning. RHEL7 has set this option in the
aide rpm they distribute.
Changes made to add a tunable to enable permissions allowing
aide to map files that it needs. I have set the default to
false as this seems preferred (in my mind).
Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
policy/modules/admin/aide.te | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index f58ba850..fe52a280 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -5,6 +5,15 @@ policy_module(aide, 1.8.0)
# Declarations
#
+## <desc>
+## <p>
+## Control if AIDE can mmap files.
+## AIDE can be compiled with the option 'with-mmap' in which case it will
+## attempt to mmap files while running.
+## </p>
+## </desc>
+gen_tunable(aide_mmap_files, false)
+
attribute_role aide_roles;
type aide_t;
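Review bot: the description names the build option as 'with-mmap' while the commit message calls it WITH_MMAP; use the configure flag spelling consistently so an admin can grep their build for it. The description should also say what the symptom looks like when the tunable is off on such a build (AVC denials of { map } on file objects from aide_t), because the default of false means every RHEL7 installation hits that before anyone reads this text.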
@@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t)
userdom_use_user_terminals(aide_t)
+tunable_policy(`aide_mmap_files',`
+ files_map_non_auth_files(aide_t)
+')
+
optional_policy(`
seutil_use_newrole_fds(aide_t)
')
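Review bot: files_map_non_auth_files deliberately excludes the authentication files that files_read_all_files already lets aide_t read, so on a WITH_MMAP build aide will be able to read but not map files such as /etc/shadow; confirm that AIDE falls back to read() when mmap fails, otherwise those files are skipped or reported as errors exactly where integrity checking matters most, and either way the tunable description should mention the gap.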
--
2.20.1
* Re: [PATCH] Allow AIDE to sendto kernel datagram socket
From: Dominick Grift @ 2019-02-26 6:52 UTC
To: Sugar, David; +Cc: selinux-refpolicy
"Sugar, David" <dsugar@tresys.com> writes:
> type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for
> pid=7182 comm="aide" path="/dev/log"
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
> permissive=1
Is this not part of logging_send_syslog_msg()? It should be AFAIK.
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/admin/aide.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
> index 9d3c19ce..6297b60e 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
> files_read_all_files(aide_t)
> files_read_all_symlinks(aide_t)
>
> +kernel_dgram_send(aide_t)
> +
> logging_send_audit_msgs(aide_t)
> logging_send_syslog_msg(aide_t)
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* Re: [PATCH] Allow AIDE to sendto kernel datagram socket
From: Sugar, David @ 2019-02-26 12:28 UTC
To: Dominick Grift; +Cc: selinux-refpolicy
On 2/26/19 1:52 AM, Dominick Grift wrote:
> "Sugar, David" <dsugar@tresys.com> writes:
>
>> type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for
>> pid=7182 comm="aide" path="/dev/log"
>> scontext=system_u:system_r:aide_t:s0
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>> permissive=1
>
> Is this not part of logging_send_syslog_msg()? It should be AFAIK.
>
Looking at logging.if I don't see any kernel interfaces used. So, no it
isn't in there currently. Based on how logging seems to now work with
journald it might be a good idea to move these individual uses and just
rely on the logging_send_syslog_msg interface to take care of it.
I'm happy to make this change if that is desired.
>>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>> policy/modules/admin/aide.te | 2 ++
>> 1 file changed, 2 insertions(+)
>>
>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
>> index 9d3c19ce..6297b60e 100644
>> --- a/policy/modules/admin/aide.te
>> +++ b/policy/modules/admin/aide.te
>> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>> files_read_all_files(aide_t)
>> files_read_all_symlinks(aide_t)
>>
>> +kernel_dgram_send(aide_t)
>> +
>> logging_send_audit_msgs(aide_t)
>> logging_send_syslog_msg(aide_t)
>
* Re: [PATCH] Allow AIDE to sendto kernel datagram socket
From: Dominick Grift @ 2019-02-26 12:32 UTC
To: Sugar, David; +Cc: selinux-refpolicy
"Sugar, David" <dsugar@tresys.com> writes:
> On 2/26/19 1:52 AM, Dominick Grift wrote:
>> "Sugar, David" <dsugar@tresys.com> writes:
>>
>>> type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for
>>> pid=7182 comm="aide" path="/dev/log"
>>> scontext=system_u:system_r:aide_t:s0
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>> permissive=1
>>
>> Is this not part of logging_send_syslog_msg()? It should be AFAIK.
>>
> Looking at logging.if I don't see any kernel interfaces used. So, no it
> isn't in there currently. Based on how logging seems to now work with
> journald it might be a good idea to move these individual uses and just
> rely on the logging_send_syslog_msg interface to take care of it.
>
I see. I will let others decide on how to deal with this. In dssp2 I
have:
(call sys.unix_dgram_socket_sendto (client_subj_type_attribute))
(call sys.unix_stream_socket_connectto (client_subj_type_attribute))
Not sure why I also added the "unix_stream_socket connectto;", but I suppose
there was a need for it at some point at least.
> I'm happy to make this change if that is desired.
>
>>>
>>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>>> ---
>>> policy/modules/admin/aide.te | 2 ++
>>> 1 file changed, 2 insertions(+)
>>>
>>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
>>> index 9d3c19ce..6297b60e 100644
>>> --- a/policy/modules/admin/aide.te
>>> +++ b/policy/modules/admin/aide.te
>>> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>>> files_read_all_files(aide_t)
>>> files_read_all_symlinks(aide_t)
>>>
>>> +kernel_dgram_send(aide_t)
>>> +
>>> logging_send_audit_msgs(aide_t)
>>> logging_send_syslog_msg(aide_t)
>>
--
Dominick Grift
* Re: [PATCH] Allow AIDE to sendto kernel datagram socket
From: Chris PeBenito @ 2019-02-27 3:21 UTC
To: Sugar, David, selinux-refpolicy
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> type=AVC msg=audit(1550799594.394:205): avc: denied { sendto }
> for pid=7182 comm="aide" path="/dev/log"
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
> permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/admin/aide.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/admin/aide.te
> b/policy/modules/admin/aide.te
> index 9d3c19ce..6297b60e 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
> files_read_all_files(aide_t)
> files_read_all_symlinks(aide_t)
>
> +kernel_dgram_send(aide_t)
> +
> logging_send_audit_msgs(aide_t)
> logging_send_syslog_msg(aide_t)
I merged this. Since there are only a few domains with this
permission, I'd rather keep it separate. Should many more domains need
this access, then we can reassess.
--
Chris PeBenito
* Re: [PATCH] Allow AIDE to read kernel sysctl_crypto_t
From: Chris PeBenito @ 2019-02-27 3:22 UTC
To: Sugar, David, selinux-refpolicy
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> type=AVC msg=audit(1550799594.212:164): avc: denied { search }
> for pid=7182 comm="aide" name="crypto" dev="proc" ino=10257
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1550799594.212:164): avc: denied { read }
> for pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
> type=AVC msg=audit(1550799594.212:164): avc: denied { open }
> for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
> type=AVC msg=audit(1550799594.213:165): avc: denied { getattr }
> for pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/admin/aide.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/admin/aide.te
> b/policy/modules/admin/aide.te
> index 6297b60e..f58ba850 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -36,6 +36,7 @@ files_read_all_files(aide_t)
> files_read_all_symlinks(aide_t)
>
> kernel_dgram_send(aide_t)
> +kernel_read_crypto_sysctls(aide_t)
>
> logging_send_audit_msgs(aide_t)
> logging_send_syslog_msg(aide_t)
Merged.
--
Chris PeBenito
* Re: [PATCH] Allow AIDE to mmap files
From: Chris PeBenito @ 2019-02-27 3:22 UTC
To: Sugar, David, selinux-refpolicy
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> AIDE has a compile time option WITH_MMAP which allows AIDE to
> map files during scanning. RHEL7 has set this option in the
> aide rpm they distribute.
>
> Changes made to add a tunable to enable permissions allowing
> aide to map files that it needs. I have set the default to
> false as this seems preferred (in my mind).
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/admin/aide.te | 13 +++++++++++++
> 1 file changed, 13 insertions(+)
>
> diff --git a/policy/modules/admin/aide.te
> b/policy/modules/admin/aide.te
> index f58ba850..fe52a280 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -5,6 +5,15 @@ policy_module(aide, 1.8.0)
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Control if AIDE can mmap files.
> +## AIDE can be compiled with the option 'with-mmap' in which case
> it will
> +## attempt to mmap files while running.
> +## </p>
> +## </desc>
> +gen_tunable(aide_mmap_files, false)
> +
> attribute_role aide_roles;
>
> type aide_t;
> @@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t)
>
> userdom_use_user_terminals(aide_t)
>
> +tunable_policy(`aide_mmap_files',`
> + files_map_non_auth_files(aide_t)
> +')
> +
> optional_policy(`
> seutil_use_newrole_fds(aide_t)
> ')
Merged.
--
Chris PeBenito
* Re: [PATCH] Add interfaces to run freshclam
From: Chris PeBenito @ 2019-02-27 3:22 UTC
To: Sugar, David, selinux-refpolicy
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> Currently freshclam can only be started from cron or init. This adds
> the option of starting from a different process and optionally
> transitioning or staying in the caller's domain.
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/services/clamav.if | 64
> +++++++++++++++++++++++++++++++
> 1 file changed, 64 insertions(+)
>
> diff --git a/policy/modules/services/clamav.if
> b/policy/modules/services/clamav.if
> index 0dc1e23c..30d0b814 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -251,6 +251,70 @@ interface(`clamav_scannable_files',`
> typeattribute $1 clam_scannable_type;
> ')
>
> +########################################
> +## <summary>
> +## Execute a domain transition to run freshclam.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_domtrans_freshclam',`
> + gen_require(`
> + type freshclam_t, freshclam_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + domtrans_pattern($1, freshclam_exec_t, freshclam_t)
> +')
> +
> +########################################
> +## <summary>
> +## Execute freshclam in the freshclam domain, and
> +## allow the specified role the freshclam domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`clamav_run_freshclam',`
> + gen_require(`
> + type freshclam_t;
> + ')
> +
> + clamav_domtrans_freshclam($1)
> + role $2 types freshclam_t;
> +')
> +
> +########################################
> +## <summary>
> +## Execute freshclam in the caller domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_exec_freshclam',`
> + gen_require(`
> + type freshclam_exec_t;
> + ')
> +
> + corecmd_search_bin($1)
> + can_exec($1, freshclam_exec_t)
> +')
> +
> ########################################
> ## <summary>
> ## Allow specified domain to enable clamd units
Merged.
--
Chris PeBenito
* Re: [PATCH] Allow freshclam to read sysctl_crypto_t
From: Chris PeBenito @ 2019-02-27 3:22 UTC
To: Sugar, David, selinux-refpolicy
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> type=AVC msg=audit(1550894180.137:3099): avc: denied { search }
> for pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208
> scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1550894180.137:3099): avc: denied { read }
> for pid=11039 comm="freshclam" name="fips_enabled" dev="proc"
> ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
> type=AVC msg=audit(1550894180.137:3099): avc: denied { open }
> for pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-
> s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/services/clamav.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/clamav.te
> b/policy/modules/services/clamav.te
> index 622453e3..db4e0209 100644
> --- a/policy/modules/services/clamav.te
> +++ b/policy/modules/services/clamav.te
> @@ -202,6 +202,7 @@ stream_connect_pattern(freshclam_t,
> clamd_var_run_t, clamd_var_run_t, clamd_t)
> read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
>
> kernel_dontaudit_list_proc(freshclam_t)
> +kernel_read_crypto_sysctls(freshclam_t)
> kernel_read_kernel_sysctls(freshclam_t)
> kernel_read_network_state(freshclam_t)
> kernel_read_system_state(freshclam_t)
Merged.
--
Chris PeBenito
* Re: [PATCH] Fix incorrect type in clamav_enabledisable_clamd interface
From: Chris PeBenito @ 2019-02-27 3:23 UTC
To: Sugar, David, selinux-refpolicy
On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
> policy/modules/services/clamav.if | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/policy/modules/services/clamav.if
> b/policy/modules/services/clamav.if
> index 3639d769..0dc1e23c 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -263,11 +263,11 @@ interface(`clamav_scannable_files',`
> #
> interface(`clamav_enabledisable_clamd',`
> gen_require(`
> - type clamav_unit_t;
> + type clamd_unit_t;
> class service { enable disable };
> ')
>
> - allow $1 clamav_unit_t:service { enable disable };
> + allow $1 clamd_unit_t:service { enable disable };
> ')
>
> ########################################
Merged.
--
Chris PeBenito