On 2/16/19 2:40 PM, Chris PeBenito wrote:
> On 2/14/19 8:56 AM, Sugar, David wrote:
>>
>>
>> On 2/13/19 6:42 PM, Chris PeBenito wrote:
>>> On 2/12/19 8:05 AM, Sugar, David wrote:
>>>> I'm seeing a bunch of denials for various processes (some refpolicy
>>>> domains, some my own application domains) attempting to access
>>>> /etc/pki. They seem to be working OK even with the denial. Adding an
>>>> interface to dontaudit this stuff and calling the interface.
>>>>
>>>> type=AVC msg=audit(1549932300.668:266): avc: denied { search } for
>>>> pid=7077 comm="X" name="pki" dev="dm-1" ino=138
>>>> scontext=system_u:system_r:xserver_t:s0-s0:c0.c1023
>>>> tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
>>>> type=AVC msg=audit(1549932306.553:430): avc: denied { search } for
>>>> pid=7345 comm="clamd" name="pki" dev="dm-1" ino=138
>>>> scontext=system_u:system_r:clamd_t:s0:c1
>>>> tcontext=system_u:object_r:cert_t:s0 tclass=dir permissive=0
>>>
>>> My guess is there is some common library between them (maybe glibc)
>>> which is triggering this. It seems like this might potentially cover up
>>> legitimate access. It's just hard to tell by just dir searches.
>>>
>>
>> Digging into this I have found a few things, and please note that I am
>> not seeing this denial in permissive.
>>
>> Looking at strace for clamd I see an attempt to open the (non-existent)
>> file /etc/pki/tls/legacy-settings. I think this would explain the
>> denial on dir search.
>>
>> If I create that file (even empty) labeled cert_t I see denials (in
>> permissive) for clamd_t cert_t:file { getattr open read }.
>>
>> audit2allow suggests the boolean 'authlogin_nsswitch_use_ldap' should
>> resolve the issue (for clamd_t). This makes sense as clamd uses the
>> interface auth_use_nsswitch(clamd_t).
>>
>> So, assuming that I don't want to enable 'authlogin_nsswitch_use_ldap'
>> is there a way to quiet this denial?
>
> The dontaudit could go in the else block for that tunable.
>

That works for me.
In this case though, should I leave the interface as proposed before, or would it be preferable to dontaudit access to cert_t files along with directories? So change the interface to miscfiles_dontaudit_read_generic_certs and include dontaudit rules for list_dir_perms, read_file_perms, read_lnk_file_perms.
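To make the two proposals in this thread concrete, here is what the combination would look like in refpolicy syntax: the widened dontaudit interface David describes (directories, files and symlinks under cert_t), and Chris's suggestion of calling it from the else branch of the authlogin_nsswitch_use_ldap tunable inside auth_use_nsswitch(). This is an added illustration written for this page, not a patch from the thread or code from refpolicy; the interface name and its rules follow David's message, while the then-branch of the tunable is only sketched from memory of authlogin.if (the existing calls there are assumed and should be checked against the real file before copying).

```selinux
########################################
## <summary>
##	Do not audit attempts to read generic
##	SSL certificates (cert_t, e.g. /etc/pki).
## </summary>
## <param name="domain">
##	<summary>
##	Domain to not audit.
##	</summary>
## </param>
#
# Illustration of the interface proposed in the thread for
# policy/modules/system/miscfiles.if; not refpolicy's own code.
interface(`miscfiles_dontaudit_read_generic_certs',`
	gen_require(`
		type cert_t;
	')

	# Covers the dir search denial seen in the audit log, plus the
	# file { getattr open read } denial that appears once
	# /etc/pki/tls/legacy-settings actually exists.
	dontaudit $1 cert_t:dir list_dir_perms;
	dontaudit $1 cert_t:file read_file_perms;
	dontaudit $1 cert_t:lnk_file read_lnk_file_perms;
')

########################################
# Illustration of where the call would go in auth_use_nsswitch()
# (policy/modules/system/authlogin.if). The then-branch contents
# are assumed, not copied from refpolicy; only the else branch is new.
tunable_policy(`authlogin_nsswitch_use_ldap',`
	# Boolean on: the domain legitimately reads CA certificates
	# for LDAP over TLS, so the access is allowed and audited.
	miscfiles_read_generic_certs($1)
	sysnet_use_ldap($1)
',`
	# Boolean off: the probe of /etc/pki by the NSS/TLS library is
	# still denied, but no longer fills the audit log.
	miscfiles_dontaudit_read_generic_certs($1)
')
```

After rebuilding and loading the policy, the split can be checked from the compiled policy rather than by waiting for denials: with the boolean off, `sesearch -D -s clamd_t -t cert_t` should list the three dontaudit rules, and with it on, `sesearch -A -s clamd_t -t cert_t` should show the allow rules instead; `getsebool authlogin_nsswitch_use_ldap` confirms which branch is active without a reload. The trade-off Chris raised still applies: with the boolean off, any cert_t access from a domain using auth_use_nsswitch() is silently denied, so a domain that genuinely needs certificates for something other than LDAP will fail without an AVC to point at it, and should get its own explicit miscfiles_read_generic_certs() call rather than rely on this tunable.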