SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface
@ 2019-02-25 23:37 Sugar, David
  2019-02-25 23:37 ` [PATCH] Allow freshclam to read sysctl_crypto_t Sugar, David
                   ` (5 more replies)
  0 siblings, 6 replies; 15+ messages in thread
From: Sugar, David @ 2019-02-25 23:37 UTC (permalink / raw)
  To: selinux-refpolicy

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/clamav.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 3639d769..0dc1e23c 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -263,11 +263,11 @@ interface(`clamav_scannable_files',`
 #
 interface(`clamav_enabledisable_clamd',`
 	gen_require(`
-		type clamav_unit_t;
+		type clamd_unit_t;
 		class service { enable disable };
 	')
 
-	allow $1 clamav_unit_t:service { enable disable };
+	allow $1 clamd_unit_t:service { enable disable };
 ')
 
 ########################################
-- 
2.20.1


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [PATCH] Allow freshclam to read sysctl_crypto_t
  2019-02-25 23:37 [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface Sugar, David
@ 2019-02-25 23:37 ` Sugar, David
  2019-02-27  3:22   ` Chris PeBenito
  2019-02-25 23:37 ` [PATCH] Add interfaces to run freshclam Sugar, David
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 15+ messages in thread
From: Sugar, David @ 2019-02-25 23:37 UTC (permalink / raw)
  To: selinux-refpolicy

type=AVC msg=audit(1550894180.137:3099): avc:  denied  { search } for  pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550894180.137:3099): avc:  denied  { read } for  pid=11039 comm="freshclam" name="fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550894180.137:3099): avc:  denied  { open } for  pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/clamav.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 622453e3..db4e0209 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -202,6 +202,7 @@ stream_connect_pattern(freshclam_t, clamd_var_run_t, clamd_var_run_t, clamd_t)
 read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
 
 kernel_dontaudit_list_proc(freshclam_t)
+kernel_read_crypto_sysctls(freshclam_t)
 kernel_read_kernel_sysctls(freshclam_t)
 kernel_read_network_state(freshclam_t)
 kernel_read_system_state(freshclam_t)
-- 
2.20.1


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [PATCH] Add interfaces to run freshclam
  2019-02-25 23:37 [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface Sugar, David
  2019-02-25 23:37 ` [PATCH] Allow freshclam to read sysctl_crypto_t Sugar, David
@ 2019-02-25 23:37 ` Sugar, David
  2019-02-27  3:22   ` Chris PeBenito
  2019-02-25 23:37 ` [PATCH] Allow AIDE to sendto kernel datagram socket Sugar, David
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 15+ messages in thread
From: Sugar, David @ 2019-02-25 23:37 UTC (permalink / raw)
  To: selinux-refpolicy

Currently freshclam can only be started from cron or init.  This adds
the option of starting from a different process and optionally 
transitioning or staying in the callers domain.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/clamav.if | 64 +++++++++++++++++++++++++++++++
 1 file changed, 64 insertions(+)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 0dc1e23c..30d0b814 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -251,6 +251,70 @@ interface(`clamav_scannable_files',`
 	typeattribute $1 clam_scannable_type;
 ')
 
+########################################
+## <summary>
+##	Execute a domain transition to run freshclam.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+#
+interface(`clamav_domtrans_freshclam',`
+	gen_require(`
+		type freshclam_t, freshclam_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1, freshclam_exec_t, freshclam_t)
+')
+
+########################################
+## <summary>
+##	Execute freshclam in the freshclam domain, and
+##	allow the specified role the freshclam domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`clamav_run_freshclam',`
+	gen_require(`
+		type freshclam_t;
+	')
+
+	clamav_domtrans_freshclam($1)
+	role $2 types freshclam_t;
+')
+
+########################################
+## <summary>
+##	Execute freshclam in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_exec_freshclam',`
+	gen_require(`
+		type freshclam_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	can_exec($1, freshclam_exec_t)
+')
+
 ########################################
 ## <summary>
 ##	Allow specified domain to enable clamd units
-- 
2.20.1


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [PATCH] Allow AIDE to sendto kernel datagram socket
  2019-02-25 23:37 [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface Sugar, David
  2019-02-25 23:37 ` [PATCH] Allow freshclam to read sysctl_crypto_t Sugar, David
  2019-02-25 23:37 ` [PATCH] Add interfaces to run freshclam Sugar, David
@ 2019-02-25 23:37 ` Sugar, David
  2019-02-26  6:52   ` Dominick Grift
  2019-02-27  3:21   ` Chris PeBenito
  2019-02-25 23:37 ` [PATCH] Allow AIDE to mmap files Sugar, David
                   ` (2 subsequent siblings)
  5 siblings, 2 replies; 15+ messages in thread
From: Sugar, David @ 2019-02-25 23:37 UTC (permalink / raw)
  To: selinux-refpolicy

type=AVC msg=audit(1550799594.394:205): avc:  denied  { sendto } for  pid=7182 comm="aide" path="/dev/log" scontext=system_u:system_r:aide_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/admin/aide.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index 9d3c19ce..6297b60e 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
 files_read_all_files(aide_t)
 files_read_all_symlinks(aide_t)
 
+kernel_dgram_send(aide_t)
+
 logging_send_audit_msgs(aide_t)
 logging_send_syslog_msg(aide_t)
 
-- 
2.20.1


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [PATCH] Allow AIDE to read kernel sysctl_crypto_t
  2019-02-25 23:37 [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface Sugar, David
                   ` (3 preceding siblings ...)
  2019-02-25 23:37 ` [PATCH] Allow AIDE to mmap files Sugar, David
@ 2019-02-25 23:37 ` Sugar, David
  2019-02-27  3:22   ` Chris PeBenito
  2019-02-27  3:23 ` [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface Chris PeBenito
  5 siblings, 1 reply; 15+ messages in thread
From: Sugar, David @ 2019-02-25 23:37 UTC (permalink / raw)
  To: selinux-refpolicy

type=AVC msg=audit(1550799594.212:164): avc:  denied  { search } for  pid=7182 comm="aide" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { read } for  pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.212:164): avc:  denied  { open } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1550799594.213:165): avc:  denied  { getattr } for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/admin/aide.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index 6297b60e..f58ba850 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -36,6 +36,7 @@ files_read_all_files(aide_t)
 files_read_all_symlinks(aide_t)
 
 kernel_dgram_send(aide_t)
+kernel_read_crypto_sysctls(aide_t)
 
 logging_send_audit_msgs(aide_t)
 logging_send_syslog_msg(aide_t)
-- 
2.20.1


^ permalink raw reply	[flat|nested] 15+ messages in thread

* [PATCH] Allow AIDE to mmap files
  2019-02-25 23:37 [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface Sugar, David
                   ` (2 preceding siblings ...)
  2019-02-25 23:37 ` [PATCH] Allow AIDE to sendto kernel datagram socket Sugar, David
@ 2019-02-25 23:37 ` Sugar, David
  2019-02-27  3:22   ` Chris PeBenito
  2019-02-25 23:37 ` [PATCH] Allow AIDE to read kernel sysctl_crypto_t Sugar, David
  2019-02-27  3:23 ` [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface Chris PeBenito
  5 siblings, 1 reply; 15+ messages in thread
From: Sugar, David @ 2019-02-25 23:37 UTC (permalink / raw)
  To: selinux-refpolicy

AIDE has a compile time option WITH_MMAP which allows AIDE to
map files during scanning.  RHEL7 has set this option in the
aide rpm they distribute.

Changes made to add a tunable to enable permissions allowing
aide to map files that it needs.  I have set the default to
false as this seems perfered (in my mind).

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/admin/aide.te | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
index f58ba850..fe52a280 100644
--- a/policy/modules/admin/aide.te
+++ b/policy/modules/admin/aide.te
@@ -5,6 +5,15 @@ policy_module(aide, 1.8.0)
 # Declarations
 #
 
+## <desc>
+##	<p>
+##	Control if AIDE can mmap files.
+##	AIDE can be compiled with the option 'with-mmap' in which case it will
+## 	attempt to mmap files while running.
+##	</p>
+## </desc>
+gen_tunable(aide_mmap_files, false)
+
 attribute_role aide_roles;
 
 type aide_t;
@@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t)
 
 userdom_use_user_terminals(aide_t)
 
+tunable_policy(`aide_mmap_files',`
+	files_map_non_auth_files(aide_t)
+')
+
 optional_policy(`
 	seutil_use_newrole_fds(aide_t)
 ')
-- 
2.20.1


^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] Allow AIDE to sendto kernel datagram socket
  2019-02-25 23:37 ` [PATCH] Allow AIDE to sendto kernel datagram socket Sugar, David
@ 2019-02-26  6:52   ` Dominick Grift
  2019-02-26 12:28     ` Sugar, David
  2019-02-27  3:21   ` Chris PeBenito
  1 sibling, 1 reply; 15+ messages in thread
From: Dominick Grift @ 2019-02-26  6:52 UTC (permalink / raw)
  To: Sugar\, David; +Cc: selinux-refpolicy\

"Sugar, David" <dsugar@tresys.com> writes:

> type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for
> pid=7182 comm="aide" path="/dev/log"
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
> permissive=1

Is this not part of logging_send_syslog_msg()? It should be AFAIK.

>
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/admin/aide.te | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
> index 9d3c19ce..6297b60e 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>  files_read_all_files(aide_t)
>  files_read_all_symlinks(aide_t)
>  
> +kernel_dgram_send(aide_t)
> +
>  logging_send_audit_msgs(aide_t)
>  logging_send_syslog_msg(aide_t)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] Allow AIDE to sendto kernel datagram socket
  2019-02-26  6:52   ` Dominick Grift
@ 2019-02-26 12:28     ` Sugar, David
  2019-02-26 12:32       ` Dominick Grift
  0 siblings, 1 reply; 15+ messages in thread
From: Sugar, David @ 2019-02-26 12:28 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux-refpolicy



On 2/26/19 1:52 AM, Dominick Grift wrote:
> "Sugar, David" <dsugar@tresys.com> writes:
> 
>> type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for
>> pid=7182 comm="aide" path="/dev/log"
>> scontext=system_u:system_r:aide_t:s0
>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>> permissive=1
> 
> Is this not part of logging_send_syslog_msg()? It should be AFAIK.
> 
Looking at logging.if I don't see any kernel interfaces used.  So, no it 
isn't in there currently.  Based on how logging seems to now work with 
journald it might be a good idea to move these individual uses and just 
rely on the loggin_send_syslog_msg interface to take care of it.

I'm happy to make this change if that is desired.

>>
>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>> ---
>>   policy/modules/admin/aide.te | 2 ++
>>   1 file changed, 2 insertions(+)
>>
>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
>> index 9d3c19ce..6297b60e 100644
>> --- a/policy/modules/admin/aide.te
>> +++ b/policy/modules/admin/aide.te
>> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>>   files_read_all_files(aide_t)
>>   files_read_all_symlinks(aide_t)
>>   
>> +kernel_dgram_send(aide_t)
>> +
>>   logging_send_audit_msgs(aide_t)
>>   logging_send_syslog_msg(aide_t)
> 

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] Allow AIDE to sendto kernel datagram socket
  2019-02-26 12:28     ` Sugar, David
@ 2019-02-26 12:32       ` Dominick Grift
  0 siblings, 0 replies; 15+ messages in thread
From: Dominick Grift @ 2019-02-26 12:32 UTC (permalink / raw)
  To: Sugar\, David; +Cc: selinux-refpolicy\

"Sugar, David" <dsugar@tresys.com> writes:

> On 2/26/19 1:52 AM, Dominick Grift wrote:
>> "Sugar, David" <dsugar@tresys.com> writes:
>> 
>>> type=AVC msg=audit(1550799594.394:205): avc: denied { sendto } for
>>> pid=7182 comm="aide" path="/dev/log"
>>> scontext=system_u:system_r:aide_t:s0
>>> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
>>> permissive=1
>> 
>> Is this not part of logging_send_syslog_msg()? It should be AFAIK.
>> 
> Looking at logging.if I don't see any kernel interfaces used.  So, no it 
> isn't in there currently.  Based on how logging seems to now work with 
> journald it might be a good idea to move these individual uses and just 
> rely on the loggin_send_syslog_msg interface to take care of it.
>

I see. I will let other decides on how to deal with this. In dssp2 i
have:

       (call sys.unix_dgram_socket_sendto (client_subj_type_attribute))
       (call sys.unix_stream_socket_connectto (client_subj_type_attribute))

Not sure why i also added the "unix_stream_socket connectto;", but i suppose
there was a need for it at some point at least.

> I'm happy to make this change if that is desired.
>
>>>
>>> Signed-off-by: Dave Sugar <dsugar@tresys.com>
>>> ---
>>>   policy/modules/admin/aide.te | 2 ++
>>>   1 file changed, 2 insertions(+)
>>>
>>> diff --git a/policy/modules/admin/aide.te b/policy/modules/admin/aide.te
>>> index 9d3c19ce..6297b60e 100644
>>> --- a/policy/modules/admin/aide.te
>>> +++ b/policy/modules/admin/aide.te
>>> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>>>   files_read_all_files(aide_t)
>>>   files_read_all_symlinks(aide_t)
>>>   
>>> +kernel_dgram_send(aide_t)
>>> +
>>>   logging_send_audit_msgs(aide_t)
>>>   logging_send_syslog_msg(aide_t)
>> 

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] Allow AIDE to sendto kernel datagram socket
  2019-02-25 23:37 ` [PATCH] Allow AIDE to sendto kernel datagram socket Sugar, David
  2019-02-26  6:52   ` Dominick Grift
@ 2019-02-27  3:21   ` Chris PeBenito
  1 sibling, 0 replies; 15+ messages in thread
From: Chris PeBenito @ 2019-02-27  3:21 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> type=AVC msg=audit(1550799594.394:205): avc:  denied  { sendto }
> for  pid=7182 comm="aide" path="/dev/log"
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket
> permissive=1
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/admin/aide.te | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/policy/modules/admin/aide.te
> b/policy/modules/admin/aide.te
> index 9d3c19ce..6297b60e 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -35,6 +35,8 @@ logging_log_filetrans(aide_t, aide_log_t, file)
>  files_read_all_files(aide_t)
>  files_read_all_symlinks(aide_t)
>  
> +kernel_dgram_send(aide_t)
> +
>  logging_send_audit_msgs(aide_t)
>  logging_send_syslog_msg(aide_t)

I merged this.  Since there are only a few domains with this
permission, I'd rather keep it separate.  Should many more domains need
this access, then we can reassess.

-- 
Chris PeBenito



^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] Allow AIDE to read kernel sysctl_crypto_t
  2019-02-25 23:37 ` [PATCH] Allow AIDE to read kernel sysctl_crypto_t Sugar, David
@ 2019-02-27  3:22   ` Chris PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Chris PeBenito @ 2019-02-27  3:22 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> type=AVC msg=audit(1550799594.212:164): avc:  denied  { search }
> for  pid=7182 comm="aide" name="crypto" dev="proc" ino=10257
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1550799594.212:164): avc:  denied  { read }
> for  pid=7182 comm="aide" name="fips_enabled" dev="proc" ino=10258
> scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
> type=AVC msg=audit(1550799594.212:164): avc:  denied  { open }
> for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
> type=AVC msg=audit(1550799594.213:165): avc:  denied  { getattr }
> for  pid=7182 comm="aide" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10258 scontext=system_u:system_r:aide_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/admin/aide.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/admin/aide.te
> b/policy/modules/admin/aide.te
> index 6297b60e..f58ba850 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -36,6 +36,7 @@ files_read_all_files(aide_t)
>  files_read_all_symlinks(aide_t)
>  
>  kernel_dgram_send(aide_t)
> +kernel_read_crypto_sysctls(aide_t)
>  
>  logging_send_audit_msgs(aide_t)
>  logging_send_syslog_msg(aide_t)

Merged.

-- 
Chris PeBenito



^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] Allow AIDE to mmap files
  2019-02-25 23:37 ` [PATCH] Allow AIDE to mmap files Sugar, David
@ 2019-02-27  3:22   ` Chris PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Chris PeBenito @ 2019-02-27  3:22 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> AIDE has a compile time option WITH_MMAP which allows AIDE to
> map files during scanning.  RHEL7 has set this option in the
> aide rpm they distribute.
> 
> Changes made to add a tunable to enable permissions allowing
> aide to map files that it needs.  I have set the default to
> false as this seems perfered (in my mind).
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/admin/aide.te | 13 +++++++++++++
>  1 file changed, 13 insertions(+)
> 
> diff --git a/policy/modules/admin/aide.te
> b/policy/modules/admin/aide.te
> index f58ba850..fe52a280 100644
> --- a/policy/modules/admin/aide.te
> +++ b/policy/modules/admin/aide.te
> @@ -5,6 +5,15 @@ policy_module(aide, 1.8.0)
>  # Declarations
>  #
>  
> +## <desc>
> +##	<p>
> +##	Control if AIDE can mmap files.
> +##	AIDE can be compiled with the option 'with-mmap' in which case
> it will
> +## 	attempt to mmap files while running.
> +##	</p>
> +## </desc>
> +gen_tunable(aide_mmap_files, false)
> +
>  attribute_role aide_roles;
>  
>  type aide_t;
> @@ -43,6 +52,10 @@ logging_send_syslog_msg(aide_t)
>  
>  userdom_use_user_terminals(aide_t)
>  
> +tunable_policy(`aide_mmap_files',`
> +	files_map_non_auth_files(aide_t)
> +')
> +
>  optional_policy(`
>  	seutil_use_newrole_fds(aide_t)
>  ')

Merged.

-- 
Chris PeBenito



^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] Add interfaces to run freshclam
  2019-02-25 23:37 ` [PATCH] Add interfaces to run freshclam Sugar, David
@ 2019-02-27  3:22   ` Chris PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Chris PeBenito @ 2019-02-27  3:22 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> Currently freshclam can only be started from cron or init.  This adds
> the option of starting from a different process and optionally 
> transitioning or staying in the callers domain.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/services/clamav.if | 64
> +++++++++++++++++++++++++++++++
>  1 file changed, 64 insertions(+)
> 
> diff --git a/policy/modules/services/clamav.if
> b/policy/modules/services/clamav.if
> index 0dc1e23c..30d0b814 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -251,6 +251,70 @@ interface(`clamav_scannable_files',`
>  	typeattribute $1 clam_scannable_type;
>  ')
>  
> +########################################
> +## <summary>
> +##	Execute a domain transition to run freshclam.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +#
> +interface(`clamav_domtrans_freshclam',`
> +	gen_require(`
> +		type freshclam_t, freshclam_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	domtrans_pattern($1, freshclam_exec_t, freshclam_t)
> +')
> +
> +########################################
> +## <summary>
> +##	Execute freshclam in the freshclam domain, and
> +##	allow the specified role the freshclam domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`clamav_run_freshclam',`
> +	gen_require(`
> +		type freshclam_t;
> +	')
> +
> +	clamav_domtrans_freshclam($1)
> +	role $2 types freshclam_t;
> +')
> +
> +########################################
> +## <summary>
> +##	Execute freshclam in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`clamav_exec_freshclam',`
> +	gen_require(`
> +		type freshclam_exec_t;
> +	')
> +
> +	corecmd_search_bin($1)
> +	can_exec($1, freshclam_exec_t)
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Allow specified domain to enable clamd units

Merged.

-- 
Chris PeBenito



^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] Allow freshclam to read sysctl_crypto_t
  2019-02-25 23:37 ` [PATCH] Allow freshclam to read sysctl_crypto_t Sugar, David
@ 2019-02-27  3:22   ` Chris PeBenito
  0 siblings, 0 replies; 15+ messages in thread
From: Chris PeBenito @ 2019-02-27  3:22 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> type=AVC msg=audit(1550894180.137:3099): avc:  denied  { search }
> for  pid=11039 comm="freshclam" name="crypto" dev="proc" ino=208
> scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1550894180.137:3099): avc:  denied  { read }
> for  pid=11039 comm="freshclam" name="fips_enabled" dev="proc"
> ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
> type=AVC msg=audit(1550894180.137:3099): avc:  denied  { open }
> for  pid=11039 comm="freshclam" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=209 scontext=sysadm_u:sysadm_r:freshclam_t:s0-
> s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
> permissive=1
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/services/clamav.te | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/services/clamav.te
> b/policy/modules/services/clamav.te
> index 622453e3..db4e0209 100644
> --- a/policy/modules/services/clamav.te
> +++ b/policy/modules/services/clamav.te
> @@ -202,6 +202,7 @@ stream_connect_pattern(freshclam_t,
> clamd_var_run_t, clamd_var_run_t, clamd_t)
>  read_files_pattern(freshclam_t, clamd_var_log_t, clamd_var_log_t)
>  
>  kernel_dontaudit_list_proc(freshclam_t)
> +kernel_read_crypto_sysctls(freshclam_t)
>  kernel_read_kernel_sysctls(freshclam_t)
>  kernel_read_network_state(freshclam_t)
>  kernel_read_system_state(freshclam_t)

Merged.

-- 
Chris PeBenito



^ permalink raw reply	[flat|nested] 15+ messages in thread

* Re: [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface
  2019-02-25 23:37 [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface Sugar, David
                   ` (4 preceding siblings ...)
  2019-02-25 23:37 ` [PATCH] Allow AIDE to read kernel sysctl_crypto_t Sugar, David
@ 2019-02-27  3:23 ` Chris PeBenito
  5 siblings, 0 replies; 15+ messages in thread
From: Chris PeBenito @ 2019-02-27  3:23 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On Mon, 2019-02-25 at 23:37 +0000, Sugar, David wrote:
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/services/clamav.if | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/services/clamav.if
> b/policy/modules/services/clamav.if
> index 3639d769..0dc1e23c 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -263,11 +263,11 @@ interface(`clamav_scannable_files',`
>  #
>  interface(`clamav_enabledisable_clamd',`
>  	gen_require(`
> -		type clamav_unit_t;
> +		type clamd_unit_t;
>  		class service { enable disable };
>  	')
>  
> -	allow $1 clamav_unit_t:service { enable disable };
> +	allow $1 clamd_unit_t:service { enable disable };
>  ')
>  
>  ########################################

Merged.

-- 
Chris PeBenito



^ permalink raw reply	[flat|nested] 15+ messages in thread

end of thread, back to index

Thread overview: 15+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-25 23:37 [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface Sugar, David
2019-02-25 23:37 ` [PATCH] Allow freshclam to read sysctl_crypto_t Sugar, David
2019-02-27  3:22   ` Chris PeBenito
2019-02-25 23:37 ` [PATCH] Add interfaces to run freshclam Sugar, David
2019-02-27  3:22   ` Chris PeBenito
2019-02-25 23:37 ` [PATCH] Allow AIDE to sendto kernel datagram socket Sugar, David
2019-02-26  6:52   ` Dominick Grift
2019-02-26 12:28     ` Sugar, David
2019-02-26 12:32       ` Dominick Grift
2019-02-27  3:21   ` Chris PeBenito
2019-02-25 23:37 ` [PATCH] Allow AIDE to mmap files Sugar, David
2019-02-27  3:22   ` Chris PeBenito
2019-02-25 23:37 ` [PATCH] Allow AIDE to read kernel sysctl_crypto_t Sugar, David
2019-02-27  3:22   ` Chris PeBenito
2019-02-27  3:23 ` [PATCH] Fix incorrect type in clamav_enableddisable_clamd interface Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox