Re: [PATCH v2] New interface to dontaudit access to cert_t

Chris PeBenito <pebenito@xxxxxxxx> · Wed, 20 Feb 2019 19:40:46 -0800

On Wed, 2019-02-20 at 16:37 +0000, Sugar, David wrote:
> I'm seeing a bunch of denials for various processes (some refpolicy
> domains, some my own application domains) attempting to access
> /etc/pki.  They seem to be working OK even with the denial.  The
> tunable authlogin_nsswitch_use_ldap controls access to cert_t
> (for domains that are part of nsswitch_domain attribute).  Use this
> new interface when that tunable is off to quiet the denials.
> 
> Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
> ---
>  policy/modules/system/authlogin.te |  2 ++
>  policy/modules/system/miscfiles.if | 21 +++++++++++++++++++++
>  2 files changed, 23 insertions(+)
> 
> diff --git a/policy/modules/system/authlogin.te
> b/policy/modules/system/authlogin.te
> index 345e07f3..a98054c5 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -431,6 +431,8 @@ sysnet_dns_name_resolve(nsswitch_domain)
>  tunable_policy(`authlogin_nsswitch_use_ldap',`
>  	miscfiles_read_generic_certs(nsswitch_domain)
>  	sysnet_use_ldap(nsswitch_domain)
> +',`
> +	miscfiles_dontaudit_read_generic_certs(nsswitch_domain)
>  ')
>  
>  optional_policy(`
> diff --git a/policy/modules/system/miscfiles.if
> b/policy/modules/system/miscfiles.if
> index 93c1f9c1..df11794a 100644
> --- a/policy/modules/system/miscfiles.if
> +++ b/policy/modules/system/miscfiles.if
> @@ -131,6 +131,27 @@ interface(`miscfiles_read_generic_certs',`
>  	read_lnk_files_pattern($1, cert_t, cert_t)
>  ')
>  
> +########################################
> +## <summary>
> +##	Do not audit attempts to read generic SSL/TLS certificates.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`miscfiles_dontaudit_read_generic_certs',`
> +	gen_require(`
> +		type cert_t;
> +	')
> +
> +	dontaudit $1 cert_t:dir list_dir_perms;
> +	dontaudit $1 cert_t:file read_file_perms;
> +	dontaudit $1 cert_t:lnk_file read_lnk_file_perms;
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Manage generic SSL/TLS certificates.

Merged.

-- 
Chris PeBenito