SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH v2] New interface to dontaudit access to cert_t
  2019-02-20 16:37 [PATCH v2] Add interface to get status of rsyslog service Sugar, David
@ 2019-02-20 16:37 ` Sugar, David
  2019-02-21  3:40   ` Chris PeBenito
  2019-02-21  3:40 ` [PATCH v2] Add interface to get status of rsyslog service Chris PeBenito
  1 sibling, 1 reply; 4+ messages in thread
From: Sugar, David @ 2019-02-20 16:37 UTC (permalink / raw)
  To: selinux-refpolicy

I'm seeing a bunch of denials for various processes (some refpolicy
domains, some my own application domains) attempting to access
/etc/pki.  They seem to be working OK even with the denial.  The
tunable authlogin_nsswitch_use_ldap controls access to cert_t
(for domains that are part of nsswitch_domain attribute).  Use this
new interface when that tunable is off to quiet the denials.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/authlogin.te |  2 ++
 policy/modules/system/miscfiles.if | 21 +++++++++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 345e07f3..a98054c5 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -431,6 +431,8 @@ sysnet_dns_name_resolve(nsswitch_domain)
 tunable_policy(`authlogin_nsswitch_use_ldap',`
 	miscfiles_read_generic_certs(nsswitch_domain)
 	sysnet_use_ldap(nsswitch_domain)
+',`
+	miscfiles_dontaudit_read_generic_certs(nsswitch_domain)
 ')
 
 optional_policy(`
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 93c1f9c1..df11794a 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -131,6 +131,27 @@ interface(`miscfiles_read_generic_certs',`
 	read_lnk_files_pattern($1, cert_t, cert_t)
 ')
 
+########################################
+## <summary>
+##	Do not audit attempts to read generic SSL/TLS certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_dontaudit_read_generic_certs',`
+	gen_require(`
+		type cert_t;
+	')
+
+	dontaudit $1 cert_t:dir list_dir_perms;
+	dontaudit $1 cert_t:file read_file_perms;
+	dontaudit $1 cert_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Manage generic SSL/TLS certificates.
-- 
2.20.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH v2] Add interface to get status of rsyslog service
@ 2019-02-20 16:37 Sugar, David
  2019-02-20 16:37 ` [PATCH v2] New interface to dontaudit access to cert_t Sugar, David
  2019-02-21  3:40 ` [PATCH v2] Add interface to get status of rsyslog service Chris PeBenito
  0 siblings, 2 replies; 4+ messages in thread
From: Sugar, David @ 2019-02-20 16:37 UTC (permalink / raw)
  To: selinux-refpolicy

Updated based on feedback.

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/logging.if | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 16091eb6..c86c4bd9 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -427,6 +427,25 @@ interface(`logging_domtrans_syslog',`
 	')
 ')
 
+########################################
+## <summary>
+##	Allow specified domain to check status of syslog unit
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_status_syslog',`
+	gen_require(`
+		type syslogd_unit_t;
+		class service status;
+	')
+
+	allow $1 syslogd_unit_t:service status;
+')
+
 ########################################
 ## <summary>
 ##	Set the attributes of syslog temporary files.
-- 
2.20.1


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] New interface to dontaudit access to cert_t
  2019-02-20 16:37 ` [PATCH v2] New interface to dontaudit access to cert_t Sugar, David
@ 2019-02-21  3:40   ` Chris PeBenito
  0 siblings, 0 replies; 4+ messages in thread
From: Chris PeBenito @ 2019-02-21  3:40 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On Wed, 2019-02-20 at 16:37 +0000, Sugar, David wrote:
> I'm seeing a bunch of denials for various processes (some refpolicy
> domains, some my own application domains) attempting to access
> /etc/pki.  They seem to be working OK even with the denial.  The
> tunable authlogin_nsswitch_use_ldap controls access to cert_t
> (for domains that are part of nsswitch_domain attribute).  Use this
> new interface when that tunable is off to quiet the denials.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/system/authlogin.te |  2 ++
>  policy/modules/system/miscfiles.if | 21 +++++++++++++++++++++
>  2 files changed, 23 insertions(+)
> 
> diff --git a/policy/modules/system/authlogin.te
> b/policy/modules/system/authlogin.te
> index 345e07f3..a98054c5 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -431,6 +431,8 @@ sysnet_dns_name_resolve(nsswitch_domain)
>  tunable_policy(`authlogin_nsswitch_use_ldap',`
>  	miscfiles_read_generic_certs(nsswitch_domain)
>  	sysnet_use_ldap(nsswitch_domain)
> +',`
> +	miscfiles_dontaudit_read_generic_certs(nsswitch_domain)
>  ')
>  
>  optional_policy(`
> diff --git a/policy/modules/system/miscfiles.if
> b/policy/modules/system/miscfiles.if
> index 93c1f9c1..df11794a 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -131,6 +131,27 @@ interface(`miscfiles_read_generic_certs',`
>  	read_lnk_files_pattern($1, cert_t, cert_t)
>  ')
>  
> +########################################
> +## <summary>
> +##	Do not audit attempts to read generic SSL/TLS certificates.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_dontaudit_read_generic_certs',`
> +	gen_require(`
> +		type cert_t;
> +	')
> +
> +	dontaudit $1 cert_t:dir list_dir_perms;
> +	dontaudit $1 cert_t:file read_file_perms;
> +	dontaudit $1 cert_t:lnk_file read_lnk_file_perms;
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Manage generic SSL/TLS certificates.

Merged.

-- 
Chris PeBenito



^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v2] Add interface to get status of rsyslog service
  2019-02-20 16:37 [PATCH v2] Add interface to get status of rsyslog service Sugar, David
  2019-02-20 16:37 ` [PATCH v2] New interface to dontaudit access to cert_t Sugar, David
@ 2019-02-21  3:40 ` Chris PeBenito
  1 sibling, 0 replies; 4+ messages in thread
From: Chris PeBenito @ 2019-02-21  3:40 UTC (permalink / raw)
  To: Sugar, David, selinux-refpolicy

On Wed, 2019-02-20 at 16:37 +0000, Sugar, David wrote:
> Updated based on feedback.
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>  policy/modules/system/logging.if | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/policy/modules/system/logging.if
> b/policy/modules/system/logging.if
> index 16091eb6..c86c4bd9 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -427,6 +427,25 @@ interface(`logging_domtrans_syslog',`
>  	')
>  ')
>  
> +########################################
> +## <summary>
> +##	Allow specified domain to check status of syslog unit
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`logging_status_syslog',`
> +	gen_require(`
> +		type syslogd_unit_t;
> +		class service status;
> +	')
> +
> +	allow $1 syslogd_unit_t:service status;
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Set the attributes of syslog temporary files.

Merged.

-- 
Chris PeBenito



^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-02-20 16:37 [PATCH v2] Add interface to get status of rsyslog service Sugar, David
2019-02-20 16:37 ` [PATCH v2] New interface to dontaudit access to cert_t Sugar, David
2019-02-21  3:40   ` Chris PeBenito
2019-02-21  3:40 ` [PATCH v2] Add interface to get status of rsyslog service Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox