SELinux-Refpolicy Archive on lore.kernel.org
* [PATCH 0/3] Grant permissions to read fips_enabled
From: David Sugar @ 2018-12-08 18:45 UTC
  To: selinux-refpolicy

Resolving a few issues with processes trying to read
/proc/sys/crypto/fips_enabled and being denied by SELinux policy.

Dave Sugar (3):
  Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
  Allow kmod to read /proc/sys/crypto/fips_enabled
  Allow dbus to access /proc/sys/crypto/fips_enabled

 policy/modules/services/dbus.te    | 2 ++
 policy/modules/services/xserver.te | 1 +
 policy/modules/system/modutils.te  | 1 +
 3 files changed, 4 insertions(+)

-- 
2.19.2



* [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
From: David Sugar @ 2018-12-08 18:45 UTC
  To: selinux-refpolicy

type=AVC msg=audit(1543761322.221:211): avc:  denied  { search } for
pid=16826 comm="X" name="crypto" dev="proc" ino=10257
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc:  denied  { read } for
pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc:  denied  { open } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc:  denied  { getattr } for
pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/xserver.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 7d4c0c1b..425f7bd7 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -709,6 +709,7 @@ allow xserver_t xauth_home_t:file read_file_perms;
 manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
 logging_log_filetrans(xserver_t, xserver_log_t, file)
 
+kernel_read_crypto_sysctls(xserver_t)
 kernel_read_system_state(xserver_t)
 kernel_read_device_sysctls(xserver_t)
 kernel_read_modprobe_sysctls(xserver_t)
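Review bot: The commit message is only the AVC records and never says what inside the X server reads /proc/sys/crypto/fips_enabled; a one-line rationale naming the consumer would let a later reader judge whether the grant is still needed. The records were taken with permissive=1, so the whole chain is visible (search on the sysctl_crypto_t directory, then read/open/getattr on the file), which is why the single `kernel_read_crypto_sysctls(xserver_t)` call is expected to settle all four without a further denial in enforcing mode.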
-- 
2.19.2
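The AVC records in these patch messages are read by hand the same way every time: group the denied permissions by source type, target type and object class, then pick the refpolicy interface that grants that set. The following Python helper is an added example written for this archive page (it is not part of refpolicy or of the patches) that does that grouping over the xserver_t and kmod_t records quoted in the thread, renders the raw allow rules audit2allow would emit, and checks whether a read-only sysctl interface would cover them. The permission set it expects from `kernel_read_crypto_sysctls` (directory search plus read/open/getattr on the file) is an assumption stated in the code, not taken from refpolicy's kernel.if.

```python
import re
from collections import defaultdict

# Sample input: the AVC records from the xserver_t and kmod_t patch messages in
# this thread, each record joined back onto a single line.
AVC_SAMPLE = """\
type=AVC msg=audit(1543761322.221:211): avc:  denied  { search } for pid=16826 comm="X" name="crypto" dev="proc" ino=10257 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543761322.221:211): avc:  denied  { read } for pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.221:211): avc:  denied  { open } for pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543761322.222:212): avc:  denied  { getattr } for pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc:  denied  { search } for pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc:  denied  { read } for pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc:  denied  { open } for pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc:  denied  { getattr } for pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:kmod_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
"""

# One AVC denial: the permission list in braces, then scontext/tcontext/tclass
# and the optional permissive flag, in the order the kernel prints them.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
    r'(?:\s+permissive=(?P<permissive>[01]))?'
)


def type_of(context):
    """Extract the type field from a user:role:type[:range] security context."""
    return context.split(":")[2]


def parse_avc(text):
    """Turn AVC denial lines into dicts; lines that are not denials are skipped."""
    records = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        records.append({
            "perms": set(m.group("perms").split()),
            "source": type_of(m.group("scontext")),
            "target": type_of(m.group("tcontext")),
            "tclass": m.group("tclass"),
            "permissive": m.group("permissive") == "1",
        })
    return records


def summarize(records):
    """Aggregate denied permissions per (source type, target type, object class)."""
    summary = defaultdict(set)
    for r in records:
        summary[(r["source"], r["target"], r["tclass"])] |= r["perms"]
    return dict(summary)


def all_permissive(records):
    """True when every record came from permissive mode (the full chain is visible)."""
    return all(r["permissive"] for r in records)


def raw_allow_rules(summary):
    """Render the aggregated denials as raw allow rules, the way audit2allow would.
    In refpolicy these are replaced by an interface call such as
    kernel_read_crypto_sysctls(xserver_t) rather than committed as raw rules."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        rules.append(f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(perms))} }};")
    return rules


# Assumed (not taken from kernel.if): what a read-only sysctl interface grants,
# directory search plus read/open/getattr on the file.
READ_SYSCTL_EXPECTED = {"dir": {"search"}, "file": {"read", "open", "getattr"}}


def uncovered(summary, expected=READ_SYSCTL_EXPECTED):
    """Denied permissions that the assumed read-only interface would NOT grant;
    a non-empty result means a read interface alone will leave denials behind."""
    leftover = {}
    for key, perms in summary.items():
        extra = perms - expected.get(key[2], set())
        if extra:
            leftover[key] = extra
    return leftover


if __name__ == "__main__":
    recs = parse_avc(AVC_SAMPLE)
    summ = summarize(recs)
    print("all records from permissive mode:", all_permissive(recs))
    for rule in raw_allow_rules(summ):
        print(rule)
    print("not covered by a read-only sysctl interface:", uncovered(summ) or "nothing")
```

Run as a script it lists one raw rule per (source, target, class) triple and reports that nothing is left over, which is the same conclusion the thread reaches by adding one read interface call per domain; a non-empty `uncovered` result would be the signal that a write or manage interface is being asked for instead.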



* [PATCH 2/3] Allow kmod to read /proc/sys/crypto/fips_enabled
From: David Sugar @ 2018-12-08 18:45 UTC
  To: selinux-refpolicy

type=AVC msg=audit(1543769402.716:165): avc:  denied  { search } for
pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769402.716:165): avc:  denied  { read } for
pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.716:165): avc:  denied  { open } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769402.717:166): avc:  denied  { getattr } for
pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=10285 scontext=system_u:system_r:kmod_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/modutils.te | 1 +
 1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
index a8125c17..73471401 100644
--- a/policy/modules/system/modutils.te
+++ b/policy/modules/system/modutils.te
@@ -58,6 +58,7 @@ can_exec(kmod_t, kmod_exec_t)
 
 kernel_load_module(kmod_t)
 kernel_request_load_module(kmod_t)
+kernel_read_crypto_sysctls(kmod_t)
 kernel_read_system_state(kmod_t)
 kernel_read_network_state(kmod_t)
 kernel_write_proc_files(kmod_t)
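Review bot: The records show comm="sysctl" running in kmod_t rather than a kmod or modprobe process itself, so the subject's "Allow kmod to read" understates what happened; the commit message should say which invocation (presumably a sysctl call made from kmod_t's context) performs the read, since that is what justifies widening kmod_t. The placement next to the other kernel_* calls matches the surrounding grouping.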
-- 
2.19.2



* [PATCH 3/3] Allow dbus to access /proc/sys/crypto/fips_enabled
From: David Sugar @ 2018-12-08 18:45 UTC
  To: selinux-refpolicy

type=AVC msg=audit(1543769401.029:153): avc:  denied  { search } for
pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { read } for
pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:153): avc:  denied  { open } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543769401.029:154): avc:  denied  { getattr } for
pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=10285
scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1543845518.175:364): avc:  denied  { search } for
pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { read } for
pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:364): avc:  denied  { open } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1543845518.175:365): avc:  denied  { getattr } for
pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
dev="proc" ino=9289
scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/dbus.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 4b1e25c6..ea0af022 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -89,6 +89,7 @@ files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
 
 can_exec(system_dbusd_t, dbusd_exec_t)
 
+kernel_read_crypto_sysctls(system_dbusd_t)
 kernel_read_system_state(system_dbusd_t)
 kernel_read_kernel_sysctls(system_dbusd_t)
 
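Review bot: The subject says "access", but the interface added here, kernel_read_crypto_sysctls, is read-only, and the two sibling patches say "read"; suggest "Allow dbus to read /proc/sys/crypto/fips_enabled" so the subject does not suggest a wider grant than the hunk makes. This hunk covers only system_dbusd_t, which matches the first AVC set (scontext system_dbusd_t); the sysadm_dbusd_t records are addressed by the session-bus hunk that follows.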
@@ -227,6 +228,7 @@ manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_ru
 manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
 userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
 
+kernel_read_crypto_sysctls(session_bus_type)
 kernel_read_system_state(session_bus_type)
 kernel_read_kernel_sysctls(session_bus_type)
 
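Review bot: The second AVC set is for sysadm_dbusd_t alone, while the grant goes to the session_bus_type attribute, i.e. every session bus domain. That is consistent with the neighbouring kernel_read_system_state and kernel_read_kernel_sysctls calls, which are also made on the attribute, but the commit message should state explicitly that all session bus domains gain the read, not only sysadm's, so the broader scope is a recorded decision rather than an accident of where the line landed.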
-- 
2.19.2



* Re: [PATCH 1/3] Allow X (xserver_t) to read /proc/sys/crypto/fips_enabled
From: Chris PeBenito @ 2018-12-11 22:54 UTC
  To: David Sugar, selinux-refpolicy

On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543761322.221:211): avc:  denied  { search } for
> pid=16826 comm="X" name="crypto" dev="proc" ino=10257
> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543761322.221:211): avc:  denied  { read } for
> pid=16826 comm="X" name="fips_enabled" dev="proc" ino=10258
> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543761322.221:211): avc:  denied  { open } for
> pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543761322.222:212): avc:  denied  { getattr } for
> pid=16826 comm="X" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10258 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/services/xserver.te | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 7d4c0c1b..425f7bd7 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -709,6 +709,7 @@ allow xserver_t xauth_home_t:file read_file_perms;
>   manage_files_pattern(xserver_t, xserver_log_t, xserver_log_t)
>   logging_log_filetrans(xserver_t, xserver_log_t, file)
>   
> +kernel_read_crypto_sysctls(xserver_t)
>   kernel_read_system_state(xserver_t)
>   kernel_read_device_sysctls(xserver_t)
>   kernel_read_modprobe_sysctls(xserver_t)

Merged.

-- 
Chris PeBenito


* Re: [PATCH 2/3] Allow kmod to read /proc/sys/crypto/fips_enabled
From: Chris PeBenito @ 2018-12-11 22:54 UTC
  To: David Sugar, selinux-refpolicy

On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543769402.716:165): avc:  denied  { search } for
> pid=6716 comm="sysctl" name="crypto" dev="proc" ino=10284
> scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543769402.716:165): avc:  denied  { read } for
> pid=6716 comm="sysctl" name="fips_enabled" dev="proc" ino=10285
> scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769402.716:165): avc:  denied  { open } for
> pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10285 scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769402.717:166): avc:  denied  { getattr } for
> pid=6716 comm="sysctl" path="/proc/sys/crypto/fips_enabled" dev="proc"
> ino=10285 scontext=system_u:system_r:kmod_t:s0
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/modutils.te | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/policy/modules/system/modutils.te b/policy/modules/system/modutils.te
> index a8125c17..73471401 100644
> --- a/policy/modules/system/modutils.te
> +++ b/policy/modules/system/modutils.te
> @@ -58,6 +58,7 @@ can_exec(kmod_t, kmod_exec_t)
>   
>   kernel_load_module(kmod_t)
>   kernel_request_load_module(kmod_t)
> +kernel_read_crypto_sysctls(kmod_t)
>   kernel_read_system_state(kmod_t)
>   kernel_read_network_state(kmod_t)
>   kernel_write_proc_files(kmod_t)

Merged.

-- 
Chris PeBenito


* Re: [PATCH 3/3] Allow dbus to access /proc/sys/crypto/fips_enabled
From: Chris PeBenito @ 2018-12-11 22:54 UTC
  To: David Sugar, selinux-refpolicy

On 12/8/18 1:45 PM, David Sugar wrote:
> type=AVC msg=audit(1543769401.029:153): avc:  denied  { search } for
> pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543769401.029:153): avc:  denied  { read } for
> pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769401.029:153): avc:  denied  { open } for
> pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543769401.029:154): avc:  denied  { getattr } for
> pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=10285
> scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> 
> type=AVC msg=audit(1543845518.175:364): avc:  denied  { search } for
> pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1543845518.175:364): avc:  denied  { read } for
> pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543845518.175:364): avc:  denied  { open } for
> pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=9289
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1543845518.175:365): avc:  denied  { getattr } for
> pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled"
> dev="proc" ino=9289
> scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023
> tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/services/dbus.te | 2 ++
>   1 file changed, 2 insertions(+)
> 
> diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
> index 4b1e25c6..ea0af022 100644
> --- a/policy/modules/services/dbus.te
> +++ b/policy/modules/services/dbus.te
> @@ -89,6 +89,7 @@ files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
>   
>   can_exec(system_dbusd_t, dbusd_exec_t)
>   
> +kernel_read_crypto_sysctls(system_dbusd_t)
>   kernel_read_system_state(system_dbusd_t)
>   kernel_read_kernel_sysctls(system_dbusd_t)
>   
> @@ -227,6 +228,7 @@ manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_ru
>   manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
>   userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
>   
> +kernel_read_crypto_sysctls(session_bus_type)
>   kernel_read_system_state(session_bus_type)
>   kernel_read_kernel_sysctls(session_bus_type)

Merged.

-- 
Chris PeBenito

