On 2/12/19 8:05 AM, Sugar, David wrote:
I'm seeing a bunch of denials for various processes (some refpolicy
domains, some my own application domains) attempting to access
/etc/pki. They seem to be working OK even with the denial. Adding an
interface to dontaudit this stuff and calling the interface.
type=AVC msg=audit(1549932300.668:266): avc: denied { search } for pid=7077 comm="X" name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1549932306.553:430): avc: denied { search } for pid=7345 comm="clamd" name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:clamd_t:s0:c1 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
My guess is there is some common library between them (maybe glibc)
which is triggering this. It seems like this might potentially cover up
legitimate access. It's just hard to tell by just dir searches.
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/services/clamav.te | 1 +
policy/modules/services/xserver.te | 1 +
policy/modules/system/miscfiles.if | 20 ++++++++++++++++++++
3 files changed, 22 insertions(+)
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index 622453e3..ad19cc7b 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -147,6 +147,7 @@ auth_use_nsswitch(clamd_t)
logging_send_syslog_msg(clamd_t)
+miscfiles_dontaudit_search_generic_certs(clamd_t)
miscfiles_read_localization(clamd_t)
tunable_policy(`clamd_use_jit',`
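Review bot: the dontaudit added here hides more than the one `search` denial shown in the cover letter for clamd_t. Because path resolution stops at the directory check, any later attempt by clamd to actually open a certificate under /etc/pki will fail with EACCES in enforcing mode and produce no AVC at all, which is exactly the "cover up legitimate access" concern the cover letter raises. Before taking this, it is worth confirming that clamd_t never needs `miscfiles_read_generic_certs(clamd_t)` instead; if the dontaudit stays, whoever debugs a certificate problem later will need `semodule -DB` to see the suppressed denial, and a short comment to that effect would help. Placing the call between `logging_send_syslog_msg` and `miscfiles_read_localization` keeps the calls in alphabetical order, which is fine.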
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index a2b08a89..da1c0c7d 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -804,6 +804,7 @@ locallogin_use_fds(xserver_t)
logging_send_syslog_msg(xserver_t)
logging_send_audit_msgs(xserver_t)
+miscfiles_dontaudit_search_generic_certs(xserver_t)
miscfiles_read_localization(xserver_t)
miscfiles_read_fonts(xserver_t)
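Review bot: the root cause should be pinned down before this goes in. The cover letter guesses that a common library (perhaps glibc) is behind the identical `search` denial on cert_t seen from both comm="X" and comm="clamd", and if that is right then a per-domain dontaudit in xserver.te (and in clamav.te) will keep reappearing for every other domain that links the same library; a single rule in whatever shared pattern those domains already use would be the better fix, and it would also avoid silently masking the case where xserver_t genuinely needs to read certificates. Ordering between `logging_send_audit_msgs` and `miscfiles_read_localization` is correct.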
diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if
index 93c1f9c1..cecdb406 100644
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@@ -131,6 +131,26 @@ interface(`miscfiles_read_generic_certs',`
read_lnk_files_pattern($1, cert_t, cert_t)
')
+########################################
+## <summary>
+## Do not audit attempts to search
+## on a generic certs directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_dontaudit_search_generic_certs',`
+ gen_require(`
+ type cert_t;
+ ')
+
+ dontaudit $1 cert_t:dir search;
+')
+
########################################
## <summary>
## Manage generic SSL/TLS certificates.
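Review bot: the `<rolecap/>` tag on this new interface looks copied from its neighbours and should be dropped. That tag marks an interface as a privilege that can be handed to a role, and `dontaudit $1 cert_t:dir search;` grants nothing, it only suppresses the audit message, so exposing it as a role capability makes no sense. The summary would also read better as "Do not audit attempts to search generic certificate directories", in line with the wording of the surrounding interfaces. The body itself, a `gen_require` of cert_t followed by the single dontaudit rule, follows the usual refpolicy shape.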
--
Chris PeBenito
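An added example, not part of this thread or of refpolicy: a small Python parser for AVC records like the two quoted above, which groups cert_t denials by source domain and separates domains that were only refused a directory search (the pattern the patch silences) from domains that went on to try to read certificate files, where a dontaudit would hide a real failure. The first two log lines are the ones from the cover letter; the example_t domain, its two records and the SYSCALL line are constructed for illustration and do not exist in refpolicy.

```python
import re
from collections import defaultdict

# Constructed sample audit log. The first two AVC lines are the ones quoted in
# the cover letter; the example_t lines and the SYSCALL line are constructed
# here for illustration (example_t is a hypothetical domain, not a refpolicy one).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1549932300.668:266): avc: denied { search } for pid=7077 comm="X" name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1549932306.553:430): avc: denied { search } for pid=7345 comm="clamd" name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:clamd_t:s0:c1 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1549932310.000:500): avc: denied { search } for pid=8000 comm="example" name="pki" dev="dm-1" ino=138 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1549932310.000:500): avc: denied { read open } for pid=8000 comm="example" name="ca-bundle.crt" dev="dm-1" ino=200 scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:cert_t:s0 tclass=file permissive=1
type=SYSCALL msg=audit(1549932310.000:500): arch=c000003e syscall=257 success=yes exit=3
"""

AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one audit line; return a dict for AVC records, None for anything else."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    # A security context is user:role:type[:range]; the type is the third field.
    return {
        "result": m.group("result"),
        "perms": frozenset(m.group("perms").split()),
        "comm": fields.get("comm", "?"),
        "source_type": fields["scontext"].split(":")[2],
        "target_type": fields["tcontext"].split(":")[2],
        "tclass": fields["tclass"],
        "permissive": fields.get("permissive") == "1",
    }


def parse_audit_log(text):
    """All AVC records in a block of audit log text, in order."""
    return [rec for rec in map(parse_avc, text.splitlines()) if rec]


def summarize_denials(records, target_type):
    """Per source domain: the object classes and permissions denied on
    target_type, plus the comm values that triggered them."""
    summary = defaultdict(lambda: {"perms": defaultdict(set), "comms": set()})
    for rec in records:
        if rec["result"] != "denied" or rec["target_type"] != target_type:
            continue
        entry = summary[rec["source_type"]]
        entry["perms"][rec["tclass"]] |= rec["perms"]
        entry["comms"].add(rec["comm"])
    return summary


def classify(summary):
    """'dontaudit_candidate' when a domain was refused nothing but a dir search
    (a probe that the program survives), 'needs_allow' when it also tried to
    read certificate files, which a dontaudit would silently break in enforcing mode."""
    verdicts = {}
    for domain, entry in summary.items():
        perms = entry["perms"]
        only_dir_search = set(perms) == {"dir"} and perms["dir"] == {"search"}
        verdicts[domain] = "dontaudit_candidate" if only_dir_search else "needs_allow"
    return verdicts


def suggest_rules(verdicts):
    """The refpolicy interface call matching each verdict: the dontaudit
    interface proposed by the patch, or the existing read interface."""
    rules = []
    for domain, verdict in sorted(verdicts.items()):
        if verdict == "dontaudit_candidate":
            rules.append(f"miscfiles_dontaudit_search_generic_certs({domain})")
        else:
            rules.append(f"miscfiles_read_generic_certs({domain})")
    return rules


if __name__ == "__main__":
    records = parse_audit_log(SAMPLE_AUDIT_LOG)
    summary = summarize_denials(records, "cert_t")
    for domain, verdict in classify(summary).items():
        print(f"{domain:12} {verdict:20} comm={sorted(summary[domain]['comms'])}")
    print("\n".join(suggest_rules(classify(summary))))
```

The classification only works on logs taken before the dontaudit is installed, or with dontaudit rules disabled: once `dontaudit $1 cert_t:dir search;` is in effect, an enforcing-mode domain that needs a certificate fails at the directory lookup and never reaches the file open, so the "read open" record that distinguishes example_t from xserver_t and clamd_t is never generated.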