I'm seeing a bunch of denials for various processes (some refpolicy domains, some my own application domains) attempting to access /etc/pki. They seem to be working OK even with the denial. The tunable authlogin_nsswitch_use_ldap controls access to cert_t (for domains that are part of nsswitch_domain attribute). Use this new interface when that tunable is off to quiet the denials. Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx> --- policy/modules/system/authlogin.te | 2 ++ policy/modules/system/miscfiles.if | 21 +++++++++++++++++++++ 2 files changed, 23 insertions(+) diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te index 345e07f3..a98054c5 100644 --- a/policy/modules/system/authlogin.te +++ b/policy/modules/system/authlogin.te @@ -431,6 +431,8 @@ sysnet_dns_name_resolve(nsswitch_domain) tunable_policy(`authlogin_nsswitch_use_ldap',` miscfiles_read_generic_certs(nsswitch_domain) sysnet_use_ldap(nsswitch_domain) +',` + miscfiles_dontaudit_read_generic_certs(nsswitch_domain) ') optional_policy(` diff --git a/policy/modules/system/miscfiles.if b/policy/modules/system/miscfiles.if index 93c1f9c1..df11794a 100644 --- a/policy/modules/system/miscfiles.if +++ b/policy/modules/system/miscfiles.if @@ -131,6 +131,27 @@ interface(`miscfiles_read_generic_certs',` read_lnk_files_pattern($1, cert_t, cert_t) ') +######################################## +## <summary> +## Do not audit attempts to read generic SSL/TLS certificates. +## </summary> +## <param name="domain"> +## <summary> +## Domain to not audit. +## </summary> +## </param> +## <rolecap/> +# +interface(`miscfiles_dontaudit_read_generic_certs',` + gen_require(` + type cert_t; + ') + + dontaudit $1 cert_t:dir list_dir_perms; + dontaudit $1 cert_t:file read_file_perms; + dontaudit $1 cert_t:lnk_file read_lnk_file_perms; +') + ######################################## ## <summary> ## Manage generic SSL/TLS certificates. -- 2.20.1
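Review bot: in the authlogin.te hunk, the new else branch of tunable_policy(`authlogin_nsswitch_use_ldap') silences cert_t reads for every member of nsswitch_domain whenever the tunable is off, which also removes the only AVC signal an administrator would get that a domain is reaching for /etc/pki while LDAP support is disabled. That is the stated intent, but a short comment above the tunable_policy block saying the dontaudit is deliberate and that enabling the tunable (not a local allow rule) is the remedy when the access is really needed would keep the next person from "fixing" it the wrong way. Anyone debugging should also remember that `semodule -DB` disables dontaudit rules so the hidden denials can be seen again.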
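Review bot: in the miscfiles.if hunk, the `<rolecap/>` tag in the documentation block of miscfiles_dontaudit_read_generic_certs looks copied from miscfiles_read_generic_certs; in refpolicy that tag marks interfaces that grant a capability usable in role policy, and a dontaudit-only interface grants nothing, so it should be dropped. The rule bodies themselves (`dontaudit $1 cert_t:dir list_dir_perms;`, `dontaudit $1 cert_t:file read_file_perms;`, `dontaudit $1 cert_t:lnk_file read_lnk_file_perms;`) correctly mirror the permission sets that the read interface's patterns allow.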