Subject: Re: [PATCH v2] New interface to dontaudit access to cert_t
From: Chris PeBenito
To: "Sugar, David", selinux-refpolicy@vger.kernel.org
Date: Wed, 20 Feb 2019 19:40:46 -0800
In-Reply-To: <20190220163709.27002-2-dsugar@tresys.com>
References: <20190220163709.27002-1-dsugar@tresys.com> <20190220163709.27002-2-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Wed, 2019-02-20 at 16:37 +0000, Sugar, David wrote:
> I'm seeing a bunch of denials for various processes (some refpolicy
> domains, some my own application domains) attempting to access
> /etc/pki. They seem to be working OK even with the denial. The
> tunable authlogin_nsswitch_use_ldap controls access to cert_t
> (for domains that are part of nsswitch_domain attribute). Use this
> new interface when that tunable is off to quiet the denials.
> > Signed-off-by: Dave Sugar > --- > policy/modules/system/authlogin.te | 2 ++ > policy/modules/system/miscfiles.if | 21 +++++++++++++++++++++ > 2 files changed, 23 insertions(+) > > diff --git a/policy/modules/system/authlogin.te > b/policy/modules/system/authlogin.te > index 345e07f3..a98054c5 100644 > --- a/policy/modules/system/authlogin.te > +++ b/policy/modules/system/authlogin.te > @@ -431,6 +431,8 @@ sysnet_dns_name_resolve(nsswitch_domain) > tunable_policy(`authlogin_nsswitch_use_ldap',` > miscfiles_read_generic_certs(nsswitch_domain) > sysnet_use_ldap(nsswitch_domain) > +',` > + miscfiles_dontaudit_read_generic_certs(nsswitch_domain) > ') > > optional_policy(` > diff --git a/policy/modules/system/miscfiles.if > b/policy/modules/system/miscfiles.if > index 93c1f9c1..df11794a 100644 > --- a/policy/modules/system/miscfiles.if > +++ b/policy/modules/system/miscfiles.if > @@ -131,6 +131,27 @@ interface(`miscfiles_read_generic_certs',` > read_lnk_files_pattern($1, cert_t, cert_t) > ') > > +######################################## > +## > +## Do not audit attempts to read generic SSL/TLS certificates. > +## > +## > +## > +## Domain to not audit. > +## > +## > +## > +# > +interface(`miscfiles_dontaudit_read_generic_certs',` > + gen_require(` > + type cert_t; > + ') > + > + dontaudit $1 cert_t:dir list_dir_perms; > + dontaudit $1 cert_t:file read_file_perms; > + dontaudit $1 cert_t:lnk_file read_lnk_file_perms; > +') > + > ######################################## > ## > ## Manage generic SSL/TLS certificates. Merged. -- Chris PeBenito
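Review bot: the new else branch of tunable_policy(`authlogin_nsswitch_use_ldap') in the authlogin.te hunk dontaudits cert_t reads for every nsswitch_domain member whenever the tunable is off, which also hides the one signal an administrator has when a domain genuinely needs the certificates (for instance a host that talks LDAP over TLS with the tunable left off by mistake); the cover letter says the processes seem to work with the denial, so the quieting is intentional, but the tunable's description in authlogin.te (not part of this diff) should say that cert_t reads are no longer audited while it is off, so that a missing allow rule is not mistaken for "nothing touches /etc/pki" without first rebuilding policy with dontaudit rules disabled.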
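Review bot: in the miscfiles.if hunk the three dontaudit lines mirror miscfiles_read_generic_certs (list_dir_perms on dirs, read_file_perms on files, read_lnk_file_perms on symlinks), but the cover letter does not say which permissions were actually denied; a domain that mmaps the CA bundle rather than read()ing it is denied map, which is not in read_file_perms, and that denial would still be logged after this patch. Worth checking against the observed AVCs: if map shows up, add `dontaudit $1 cert_t:file map;` (or use mmap_read_file_perms) and state in the interface summary exactly what is quieted.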
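A small triage script, added here as an example and not part of the patch or the thread, that shows which of a set of cert_t AVC denials the else-branch dontaudit would silence once authlogin_nsswitch_use_ldap is off. Everything in it is constructed: the audit records stand in for `ausearch -m AVC` output, the NSSWITCH_DOMAINS list stands in for the members of the nsswitch_domain attribute (`seinfo -a nsswitch_domain -x` on a real host), and the three refpolicy permission sets named in the interface are assumed to expand as listed in the awk BEGIN block.

```shell
#!/bin/sh
# Added example (not from the refpolicy patch or this thread): classify cert_t
# AVC denials by whether the else-branch dontaudit added to nsswitch_domain
# would silence them once authlogin_nsswitch_use_ldap is off.
#
# Assumptions, all constructed for this example:
#   - SAMPLE_AVCS stands in for `ausearch -m AVC` output on a real host.
#   - NSSWITCH_DOMAINS stands in for the members of the nsswitch_domain
#     attribute (`seinfo -a nsswitch_domain -x` on a real host).
#   - The three refpolicy permission sets named in the interface are assumed
#     to expand as listed in the awk BEGIN block.

SAMPLE_AVCS='type=AVC msg=audit(1550720448.847:101): avc:  denied  { read } for  pid=1201 comm="sshd" name="tls" dev="dm-0" ino=4101 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1550720449.102:102): avc:  denied  { read open } for  pid=1330 comm="myapp" path="/etc/pki/tls/certs/ca-bundle.crt" dev="dm-0" ino=4119 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1550720450.331:103): avc:  denied  { write } for  pid=1330 comm="myapp" name="ca-bundle.crt" dev="dm-0" ino=4119 scontext=system_u:system_r:myapp_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=0
type=AVC msg=audit(1550720451.005:104): avc:  denied  { read } for  pid=1402 comm="myweb" name="ca-bundle.crt" dev="dm-0" ino=4120 scontext=system_u:system_r:myweb_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1550720452.210:105): avc:  denied  { read } for  pid=1500 comm="cron" name="resolv.conf" dev="dm-0" ino=2201 scontext=system_u:system_r:crond_t:s0 tcontext=system_u:object_r:net_conf_t:s0 tclass=file permissive=0'

# Constructed: domains assumed to carry nsswitch_domain on this host.
NSSWITCH_DOMAINS='sshd_t myapp_t'

# Reads AVC records on stdin; prints one line per cert_t denial:
#   <source domain> <tclass> <perms,comma-joined> silenced|audited
# "silenced" means every denied permission is inside the dontaudit set for
# that class AND the source domain carries nsswitch_domain; anything else
# still reaches the audit log after the patch.
classify_cert_avcs() {
    awk -v nss="$1" '
    BEGIN {
        n = split(nss, dom, " ")
        for (i = 1; i <= n; i++) nssdom[dom[i]] = 1
        # Assumed expansions of the refpolicy perm sets used by the interface.
        quiet["dir"]      = "getattr search open read lock ioctl"   # list_dir_perms
        quiet["file"]     = "getattr open read lock ioctl"          # read_file_perms
        quiet["lnk_file"] = "getattr read"                          # read_lnk_file_perms
    }
    /avc: +denied/ {
        s = index($0, "{"); e = index($0, "}")
        np = split(substr($0, s + 1, e - s - 1), perm, " ")
        sdom = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^scontext=/) { split($i, c, ":"); sdom = c[3] }
            if ($i ~ /^tcontext=/) { split($i, c, ":"); ttype = c[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (ttype != "cert_t") next          # only denials on cert_t matter here
        covered = (tclass in quiet)
        plist = ""
        for (i = 1; i <= np; i++) {
            plist = plist (i > 1 ? "," : "") perm[i]
            # a permission outside the dontaudit set keeps the whole record audited
            if (index(" " quiet[tclass] " ", " " perm[i] " ") == 0) covered = 0
        }
        verdict = (covered && (sdom in nssdom)) ? "silenced" : "audited"
        print sdom, tclass, plist, verdict
    }'
}

printf '%s\n' "$SAMPLE_AVCS" | classify_cert_avcs "$NSSWITCH_DOMAINS"
```

The lines marked audited are the ones still worth a look after the patch: a write to cert_t from an nsswitch domain, or a read from a domain that is not in nsswitch_domain at all, is not covered by the new interface. To see the silenced records again on a real host, rebuild the policy with dontaudit rules disabled (`semodule -DB`) and re-run the search; `semodule -B` restores them.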