From 55c3fab8045142bceb17579961474f60ca0ad6bd Mon Sep 17 00:00:00 2001 
From: David Sugar Date: Sat, 8 Dec 2018 18:45:46 +0000 Subject: [PATCH] Allow dbus to access /proc/sys/crypto/fips_enabled type=AVC msg=audit(1543769401.029:153): avc: denied { search } for pid=6676 comm="dbus-daemon" name="crypto" dev="proc" ino=10284 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { read } for pid=6676 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:153): avc: denied { open } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543769401.029:154): avc: denied { getattr } for pid=6676 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=10285 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { search } for pid=10300 comm="dbus-daemon" name="crypto" dev="proc" ino=9288 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { read } for pid=10300 comm="dbus-daemon" name="fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1 type=AVC msg=audit(1543845518.175:364): avc: denied { open } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file 
permissive=1 type=AVC msg=audit(1543845518.175:365): avc: denied { getattr } for pid=10300 comm="dbus-daemon" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=9289 scontext=sysadm_u:sysadm_r:sysadm_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
Signed-off-by: Dave Sugar
---
 policy/modules/services/dbus.te | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/policy/modules/services/dbus.te b/policy/modules/services/dbus.te
index 4b1e25c6c..ea0af022d 100644
--- a/policy/modules/services/dbus.te
+++ b/policy/modules/services/dbus.te
@@ -89,6 +89,7 @@ files_pid_filetrans(system_dbusd_t, system_dbusd_var_run_t, { dir file })
 can_exec(system_dbusd_t, dbusd_exec_t)
+kernel_read_crypto_sysctls(system_dbusd_t)
 kernel_read_system_state(system_dbusd_t)
 kernel_read_kernel_sysctls(system_dbusd_t)
@@ -227,6 +228,7 @@ manage_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_ru
 manage_sock_files_pattern(session_bus_type, session_dbusd_runtime_t, session_dbusd_runtime_t)
 userdom_user_runtime_filetrans(session_bus_type, session_dbusd_runtime_t, { dir file sock_file })
+kernel_read_crypto_sysctls(session_bus_type)
 kernel_read_system_state(session_bus_type)
 kernel_read_kernel_sysctls(session_bus_type)
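Review bot: Neither added `kernel_read_crypto_sysctls()` call (system_dbusd_t in the first hunk, session_bus_type in the second) has a comment naming the file it is for, so a later least-privilege audit of dbus.te cannot tell why the grant exists. Every denial in the commit message targets `/proc/sys/crypto/fips_enabled`, while the interface name suggests it covers all sysctls labelled sysctl_crypto_t, so I would record the reason above each call, e.g. `# FIPS mode check: reads /proc/sys/crypto/fips_enabled`. The denials were logged with permissive=1, so it is worth confirming under enforcing mode that search, read, open and getattr are all dbus-daemon needs here. The second call applies to the whole session_bus_type attribute although the logs show only sysadm_dbusd_t; that matches the neighbouring kernel_* lines but is broader than what was observed, which the comment could also state.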