Re: [PATCH] New interface to dontaudit access to cert_t

On 2/14/19 8:56 AM, Sugar, David wrote:


On 2/13/19 6:42 PM, Chris PeBenito wrote:
On 2/12/19 8:05 AM, Sugar, David wrote:
I'm seeing a bunch of denials for various processes (some refpolicy
domains, some my own application domains) attempting to access
/etc/pki.  They seem to be working OK even with the denial.  Adding an
interface to dontaudit this stuff and calling the interface.

type=AVC msg=audit(1549932300.668:266): avc:  denied  { search } for
pid=7077 comm="X" name="pki" dev="dm-1" ino=138
scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1549932306.553:430): avc:  denied  { search } for
pid=7345 comm="clamd" name="pki" dev="dm-1" ino=138
scontext=system_u:system_r:clamd_t:s0:c1
tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0

My guess is there is some common library between them (maybe glibc)
which is triggering this.  It seems like this might potentially cover up
legitimate access.  It's just hard to tell from dir searches alone.


Digging into this I have found a few things, and please note that I am
not seeing this denial in permissive.

Looking at strace for clamd I see an attempt to open the (non-existent)
file /etc/pki/tls/legacy-settings.  I think this would explain the
denial on dir search.

If I create that file (even empty) labeled cert_t I see denials (in
permissive) for clamd_t cert_t:file { getattr open read }.

audit2allow suggests the boolean 'authlogin_nsswitch_use_ldap' should
resolve the issue (for clamd_t).  This makes sense as clamd uses the
interface auth_use_nsswitch(clamd_t).

So, assuming that I don't want to enable 'authlogin_nsswitch_use_ldap',
is there a way to quiet this denial?

The dontaudit could go in the else block for that tunable.

--
Chris PeBenito
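As an added illustration of the suggestion above (not code from the patch under discussion or from refpolicy itself), the dontaudit rules can sit in the else branch of the tunable, so the denials are silenced only while the boolean is off and only for the permissions actually observed in the AVC messages (dir search; file getattr/open/read). The interface name `miscfiles_dontaudit_read_generic_certs` is assumed here; `cert_t`, `nsswitch_domain`, `search_dir_perms` and `read_file_perms` are refpolicy names.

```m4
########################################
## <summary>
##	Do not audit attempts to search generic certificate
##	directories or read generic certificate files.
##	(Interface name assumed for this example.)
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
interface(`miscfiles_dontaudit_read_generic_certs',`
	gen_require(`
		type cert_t;
	')

	# Only the permissions seen in the denials; keep the scope
	# narrow so unrelated cert_t access is still audited.
	dontaudit $1 cert_t:dir search_dir_perms;
	dontaudit $1 cert_t:file read_file_perms;
')

# In authlogin.te: when the tunable is on, nsswitch users may read
# certs (as refpolicy already allows); when it is off, the same
# attempts are silenced instead of logged.
tunable_policy(`authlogin_nsswitch_use_ldap',`
	miscfiles_read_generic_certs(nsswitch_domain)
',`
	miscfiles_dontaudit_read_generic_certs(nsswitch_domain)
')
```

Because every domain calling `auth_use_nsswitch()` carries the `nsswitch_domain` attribute, this one else branch covers clamd_t and the other affected domains without per-domain rules.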


