From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>,
"selinux-refpolicy@vger.kernel.org"
<selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH] yet more tiny stuff
Date: Wed, 23 Jan 2019 18:35:28 -0500
Message-ID: <b86eaf41-ce56-4d3b-f10e-59ba726d77d6@ieee.org>
In-Reply-To: <20190121225928.GA2428@xev>
On 1/21/19 5:59 PM, Russell Coker wrote:
> I think this should be self-explanatory. I've added an audit trace for the
> sys_ptrace access that was previously rejected.
>
>
> Here is the audit log for sys_ptrace:
> type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
> type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
> type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
> type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc: denied { sys_ptrace } for pid=12750 comm=systemctl capability=sys_ptrace scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
>
> Index: refpolicy-2.20180701/policy/modules/apps/gpg.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/apps/gpg.te
> +++ refpolicy-2.20180701/policy/modules/apps/gpg.te
> @@ -184,11 +184,6 @@ optional_policy(`
> ')
>
> optional_policy(`
> - cron_system_entry(gpg_t, gpg_exec_t)
> - cron_read_system_job_tmp_files(gpg_t)
> -')
> -
> -optional_policy(`
> xserver_use_xdm_fds(gpg_t)
> xserver_rw_xdm_pipes(gpg_t)
> ')
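Review bot: the reason for dropping the cron-to-gpg domain transition is missing from the description. Removing `cron_system_entry(gpg_t, gpg_exec_t)` and `cron_read_system_job_tmp_files(gpg_t)` here, together with the `gpg_exec(system_cronjob_t)` added in cron.te in the same patch, means gpg started from a system cron job now runs inside system_cronjob_t rather than its own gpg_t domain, so it inherits that domain's considerably broader permissions and any key material it handles is no longer confined by gpg's own policy. A sentence in the commit message saying why the transition was unwanted (for example, what gpg_t lacked that the job needed) would let later readers judge that trade-off instead of reconstructing it from two files.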
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -520,6 +520,7 @@ corenet_udp_sendrecv_all_ports(system_cr
> dev_getattr_all_blk_files(system_cronjob_t)
> dev_getattr_all_chr_files(system_cronjob_t)
> dev_getattr_mtrr_dev(system_cronjob_t)
> +dev_read_rand(system_cronjob_t)
> dev_read_urand(system_cronjob_t)
> dev_read_sysfs(system_cronjob_t)
> # for checkarray to write to sync_action
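Review bot: `dev_read_rand(system_cronjob_t)` sits correctly in alphabetical order beside `dev_read_urand`, but nothing in the description says which cron job reads /dev/random; a short comment above it in the style of the existing `# for checkarray to write to sync_action` would let the next maintainer tell whether the access can be dropped later.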
> @@ -551,6 +552,7 @@ files_read_var_lib_symlinks(system_cronj
> mls_file_read_to_clearance(system_cronjob_t)
>
> init_domtrans_script(system_cronjob_t)
> +init_read_generic_units_links(system_cronjob_t)
> init_read_utmp(system_cronjob_t)
> init_use_script_fds(system_cronjob_t)
>
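Review bot: `init_read_generic_units_links(system_cronjob_t)` relies on the interface introduced in init.if later in this patch, so the ordering is fine, but the description only carries the logrotate sys_ptrace trace; the denial that motivated a cron job reading unit symlinks is not shown. Quoting it would make the narrow scope of the new interface (lnk_file read on systemd_unit_t only) easy to check against the access actually requested.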
> @@ -623,6 +625,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + gpg_exec(system_cronjob_t)
> +')
> +
> +optional_policy(`
> inn_manage_log(system_cronjob_t)
> inn_manage_pid(system_cronjob_t)
> inn_read_config(system_cronjob_t)
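Review bot: `gpg_exec(system_cronjob_t)` grants execution of the gpg binary without a domain transition and is the counterpart of the block removed from gpg.te; since it replaces a transition rather than adding a fresh permission, a one-line comment beside it saying so would keep that history in the file, and it is worth confirming that no other module still expects cron jobs to enter gpg_t through the removed `cron_system_entry`. The block itself follows the file's convention of one optional_policy block per module, as the neighbouring inn_* block shows.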
> Index: refpolicy-2.20180701/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/init.if
> +++ refpolicy-2.20180701/policy/modules/system/init.if
> @@ -2962,6 +2962,25 @@ interface(`init_search_units',`
>
> ########################################
> ## <summary>
> +## Read systemd unit links
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_read_generic_units_links',`
> + gen_require(`
> + type systemd_unit_t;
> + class service status;
> + ')
> +
> + allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Get status of generic systemd units.
> ## </summary>
> ## <param name="domain">
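Review bot: the `gen_require` block of `init_read_generic_units_links` declares `class service status;` but the body consists only of `allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;`, so the service class requirement is unused and appears to have been copied from the status interface that follows; drop it so the interface requires just `type systemd_unit_t;`. The summary could also read "Read generic systemd unit links" to match the interface name and the "Get status of generic systemd units" wording beside it.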
> Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
> +++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
> @@ -31,7 +31,8 @@ allow irqbalance_t self:udp_socket creat
> allow irqbalance_t self:unix_stream_socket create_stream_socket_perms;
>
> manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
> -files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file)
> +manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
> +files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file })
>
> kernel_read_network_state(irqbalance_t)
> kernel_read_system_state(irqbalance_t)
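Review bot: the new `manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)` and the widened `files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file })` are consistent with each other, but the description does not say which socket irqbalance creates under its pid directory; a comment naming it would document why sock_file is needed and let the resulting label be checked against what the daemon actually creates at runtime.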
> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
> @@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
> # Local policy
> #
>
> -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
> +# sys_ptrace is for systemctl
> +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
> # systemctl asks for net_admin
> dontaudit logrotate_t self:capability net_admin;
> allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
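Review bot: granting `sys_ptrace` to logrotate_t is broader than the quoted denial warrants and deserves a second look. The audit record shows a single `newfstatat` on `/proc/1/root` by systemctl returning EACCES, not a failed restart, and the capability applies to the whole logrotate_t domain rather than only the systemctl child, so logrotate and every helper it runs gain the ability to inspect other processes. The file already handles a comparable systemctl request with `dontaudit logrotate_t self:capability net_admin;`; if systemctl still restarts the service correctly when that stat fails, a `dontaudit` for sys_ptrace keeps the logs quiet without the added privilege, and the comment `# sys_ptrace is for systemctl` would then read the same way as the net_admin one. Separately, `sys_ptrace` is inserted before `sys_nice`, breaking the alphabetical order of the set (sys_nice sys_ptrace sys_resource).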
Merged.
--
Chris PeBenito