SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] Resolve denial while changing password
@ 2019-03-11 16:02 Sugar, David
  2019-03-12  0:57 ` Chris PeBenito
  0 siblings, 1 reply; 2+ messages in thread
From: Sugar, David @ 2019-03-11 16:02 UTC (permalink / raw)
  To: selinux-refpolicy

I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging.  This resolves those denials.

type=AVC msg=audit(1552222811.419:470): avc:  denied  { search } for  pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { read } for  pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { open } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc:  denied  { getattr } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1552222811.431:476): avc:  denied  { sendto } for  pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index b4f8c78c..9d17645f 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -304,6 +304,8 @@ allow passwd_t self:msg { send receive };
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
 
+kernel_dgram_send(passwd_t)
+kernel_read_crypto_sysctls(passwd_t)
 kernel_read_kernel_sysctls(passwd_t)
 
 # for SSP
-- 
2.20.1


^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [PATCH] Resolve denial while changing password
  2019-03-11 16:02 [PATCH] Resolve denial while changing password Sugar, David
@ 2019-03-12  0:57 ` Chris PeBenito
  0 siblings, 0 replies; 2+ messages in thread
From: Chris PeBenito @ 2019-03-12  0:57 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On 3/11/19 12:02 PM, Sugar, David wrote:
> I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
> and sending message for logging.  This resolves those denials.
> 
> type=AVC msg=audit(1552222811.419:470): avc:  denied  { search } for  pid=7739 comm="passwd" name="crypto" dev="proc" ino=2253 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1552222811.419:470): avc:  denied  { read } for  pid=7739 comm="passwd" name="fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1552222811.419:470): avc:  denied  { open } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1552222811.419:471): avc:  denied  { getattr } for  pid=7739 comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> 
> type=AVC msg=audit(1552222811.431:476): avc:  denied  { sendto } for  pid=7739 comm="passwd" path="/dev/log" scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/admin/usermanage.te | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index b4f8c78c..9d17645f 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -304,6 +304,8 @@ allow passwd_t self:msg { send receive };
>   allow passwd_t crack_db_t:dir list_dir_perms;
>   read_files_pattern(passwd_t, crack_db_t, crack_db_t)
>   
> +kernel_dgram_send(passwd_t)
> +kernel_read_crypto_sysctls(passwd_t)
>   kernel_read_kernel_sysctls(passwd_t)
>   
>   # for SSP

Merged.  I added a comment for the /dev/log usage.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, back to index

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-03-11 16:02 [PATCH] Resolve denial while changing password Sugar, David
2019-03-12  0:57 ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox