From 69b2259c7ddedbd4d19279f62aa638dbbb923c47 Mon Sep 17 00:00:00 2001 From: Kenton Groombridge Date: Fri, 12 Mar 2021 20:31:12 -0500 Subject: [PATCH] various: several dontaudits Signed-off-by: Kenton Groombridge --- policy/modules/admin/sudo.if | 3 +++ policy/modules/services/ssh.te | 1 + policy/modules/system/init.te | 1 + policy/modules/system/logging.te | 1 + policy/modules/system/systemd.te | 9 +++++++++ policy/modules/system/udev.te | 2 ++ policy/modules/system/userdomain.if | 19 +++++++++++++++++++ 7 files changed, 36 insertions(+) diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if index f8da0d878..adca75133 100644 --- a/policy/modules/admin/sudo.if +++ b/policy/modules/admin/sudo.if @@ -66,6 +66,7 @@ template(`sudo_role_template',` allow $1_sudo_t self:unix_dgram_socket sendto; allow $1_sudo_t self:unix_stream_socket connectto; allow $1_sudo_t self:key manage_key_perms; + dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace }; allow $1_sudo_t $3:key search; @@ -85,6 +86,7 @@ template(`sudo_role_template',` kernel_read_kernel_sysctls($1_sudo_t) kernel_read_system_state($1_sudo_t) kernel_link_key($1_sudo_t) + kernel_dontaudit_getattr_proc($1_sudo_t) corecmd_exec_all_executables($1_sudo_t) @@ -142,6 +144,7 @@ template(`sudo_role_template',` userdom_manage_user_tmp_symlinks($1_sudo_t) userdom_setattr_user_ptys($1_sudo_t) userdom_use_user_terminals($1_sudo_t) + userdom_dontaudit_rw_user_tmp_pipes($1_sudo_t) # for some PAM modules and for cwd userdom_dontaudit_search_user_home_content($1_sudo_t) userdom_dontaudit_search_user_home_dirs($1_sudo_t) diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te index 866108ffd..d4ef9c3cc 100644 --- a/policy/modules/services/ssh.te +++ b/policy/modules/services/ssh.te 
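Review bot: The new `dontaudit $1_sudo_t self:capability { dac_read_search sys_ptrace };` rule in the first sudo.if hunk silences two capability checks without recording what triggers them, and a `sys_ptrace` denial on the sudo domain is one a defender may well want to keep visible. A one-line comment above the rule naming the operation that provokes the check would keep the suppression reviewable, and if the access turns out to be needed for a feature it belongs in an `allow` rather than a `dontaudit`. The `sudo_role_template` body that contains this hunk starts and ends outside it.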
@@ -334,6 +334,7 @@ allow ssh_keygen_t sshd_key_t:file manage_file_perms; files_etc_filetrans(ssh_keygen_t, sshd_key_t, file) kernel_read_kernel_sysctls(ssh_keygen_t) +kernel_dontaudit_getattr_proc(ssh_keygen_t) fs_search_auto_mountpoints(ssh_keygen_t) diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te index f87be1877..32b48ec53 100644 --- a/policy/modules/system/init.te +++ b/policy/modules/system/init.te @@ -408,6 +408,7 @@ ifdef(`init_systemd',` # If /etc/localtime is missing, a watch on /etc is added. files_watch_etc_dirs(init_t) files_watch_etc_symlinks(init_t) + files_dontaudit_write_var_dirs(init_t) fs_relabel_cgroup_dirs(init_t) fs_list_auto_mountpoints(init_t) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 86f69b236..d9063742d 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -114,6 +114,7 @@ files_getattr_all_dirs(auditctl_t) files_getattr_all_files(auditctl_t) files_read_etc_files(auditctl_t) +kernel_dontaudit_getattr_proc(auditctl_t) kernel_read_kernel_sysctls(auditctl_t) kernel_read_proc_symlinks(auditctl_t) kernel_setsched(auditctl_t) diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 814df1a91..83f886344 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -336,6 +336,8 @@ systemd_log_parse_environment(systemd_backlight_t) # Allow systemd-backlight to write to /sys/class/backlight/*/brightness dev_rw_sysfs(systemd_backlight_t) +kernel_dontaudit_search_kernel_sysctl(systemd_backlight_t) + # for udev.conf files_read_etc_files(systemd_backlight_t) @@ -501,6 +503,7 @@ optional_policy(` allow systemd_hostnamed_t self:capability sys_admin; kernel_read_kernel_sysctls(systemd_hostnamed_t) +kernel_dontaudit_getattr_proc(systemd_hostnamed_t) dev_read_sysfs(systemd_hostnamed_t) 
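Review bot: `+kernel_dontaudit_getattr_proc(ssh_keygen_t)` is inserted after `kernel_read_kernel_sysctls(ssh_keygen_t)`, which leaves the kernel_ block out of alphabetical order; the same placement appears in the systemd.te hunks at @@ -501, @@ -822, @@ -858, @@ -1196, @@ -1263 and @@ -1581, whereas the logging.te and systemd.te @@ -617 hunks put the call before `kernel_read_kernel_sysctls`. If these files follow the usual refpolicy convention of sorting calls alphabetically within each module block, the added line should move above `kernel_read_kernel_sysctls(ssh_keygen_t)` in each of those hunks. Consistent ordering also makes it easier to spot a duplicated or missing dontaudit across the many domains this patch touches.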
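Review bot: `+files_dontaudit_write_var_dirs(init_t)` in the init.te hunk silences a write denial rather than a getattr or search one like the rest of this series, so a genuine failure of init_t to create something under a var_t directory would no longer appear in the audit log. The line follows the `# If /etc/localtime is missing, a watch on /etc is added.` comment that explains the watch rules but carries no explanation of its own; a comment naming the observed operation, e.g. `# <which unit/operation> attempts to write var_t dirs; not required`, would record why this is safe to suppress rather than a sign of a missing filetrans. The enclosing `ifdef(`init_systemd',` block starts and ends outside the hunk.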
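Review bot: `+kernel_dontaudit_search_kernel_sysctl(systemd_backlight_t)` in the systemd.te @@ -336 hunk is placed after `dev_rw_sysfs(systemd_backlight_t)` and before the `# for udev.conf` files_ block, so a kernel_ call sits between the dev_ and files_ blocks. Elsewhere in this patch (the ssh.te and logging.te hunks) kernel_ calls are grouped in their own block ahead of the other modules, so if systemd_backlight_t already has a kernel_ block above this hunk the line should join it. The surrounding systemd_backlight_t rules continue outside the hunk.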
@@ -617,6 +620,7 @@ allow systemd_logind_t systemd_sessions_runtime_t:dir manage_dir_perms; allow systemd_logind_t systemd_sessions_runtime_t:file manage_file_perms; allow systemd_logind_t systemd_sessions_runtime_t:fifo_file manage_fifo_file_perms; +kernel_dontaudit_getattr_proc(systemd_logind_t) kernel_read_kernel_sysctls(systemd_logind_t) dev_getattr_dri_dev(systemd_logind_t) @@ -822,6 +826,7 @@ optional_policy(` kernel_load_module(systemd_modules_load_t) kernel_read_kernel_sysctls(systemd_modules_load_t) kernel_request_load_module(systemd_modules_load_t) +kernel_dontaudit_getattr_proc(systemd_modules_load_t) dev_read_sysfs(systemd_modules_load_t) @@ -858,6 +863,7 @@ kernel_read_kernel_sysctls(systemd_networkd_t) kernel_read_network_state(systemd_networkd_t) kernel_request_load_module(systemd_networkd_t) kernel_rw_net_sysctls(systemd_networkd_t) +kernel_dontaudit_getattr_proc(systemd_networkd_t) corecmd_bin_entry_type(systemd_networkd_t) corecmd_exec_bin(systemd_networkd_t) @@ -1196,6 +1202,7 @@ dev_read_sysfs(systemd_resolved_t) kernel_read_crypto_sysctls(systemd_resolved_t) kernel_read_kernel_sysctls(systemd_resolved_t) kernel_read_net_sysctls(systemd_resolved_t) +kernel_dontaudit_getattr_proc(systemd_resolved_t) corenet_tcp_bind_generic_node(systemd_resolved_t) corenet_tcp_bind_dns_port(systemd_resolved_t) @@ -1263,6 +1270,7 @@ allow systemd_sessions_t systemd_sessions_runtime_t:file manage_file_perms; files_runtime_filetrans(systemd_sessions_t, systemd_sessions_runtime_t, file) kernel_read_kernel_sysctls(systemd_sessions_t) +kernel_dontaudit_getattr_proc(systemd_sessions_t) selinux_get_fs_mount(systemd_sessions_t) selinux_use_status_page(systemd_sessions_t) @@ -1581,6 +1589,7 @@ fs_unmount_tmpfs(systemd_user_runtime_dir_t) fs_relabelfrom_tmpfs_dirs(systemd_user_runtime_dir_t) kernel_read_kernel_sysctls(systemd_user_runtime_dir_t) +kernel_dontaudit_getattr_proc(systemd_user_runtime_dir_t) selinux_use_status_page(systemd_user_runtime_dir_t) 
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te index 98d64ec38..d22524c81 100644 --- a/policy/modules/system/udev.te +++ b/policy/modules/system/udev.te @@ -131,6 +131,7 @@ files_exec_etc_files(udev_t) files_getattr_generic_locks(udev_t) files_search_mnt(udev_t) files_dontaudit_getattr_default_files(udev_t) +files_dontaudit_getattr_home_dir(udev_t) files_dontaudit_getattr_lost_found_dirs(udev_t) files_dontaudit_getattr_tmp_dirs(udev_t) @@ -199,6 +200,7 @@ sysnet_signal_dhcpc(udev_t) sysnet_manage_config(udev_t) sysnet_etc_filetrans_config(udev_t) +userdom_dontaudit_getattr_user_home_dirs(udev_t) userdom_dontaudit_search_user_home_content(udev_t) ifdef(`distro_debian',` diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if index d9c376d81..978c1b875 100644 --- a/policy/modules/system/userdomain.if +++ b/policy/modules/system/userdomain.if @@ -3105,6 +3105,25 @@ interface(`userdom_manage_user_tmp_pipes',` userdom_search_user_runtime($1) ') +######################################## +## +## Do not audit attempts to read and write +## temporary pipes. +## +## +## +## Domain allowed access. +## +## +# +interface(`userdom_dontaudit_rw_user_tmp_pipes',` + gen_require(` + type user_tmp_t; + ') + + dontaudit $1 user_tmp_t:fifo_file rw_fifo_file_perms; +') + ######################################## ## ## Create, read, write, and delete user
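Review bot: The summary of the new `userdom_dontaudit_rw_user_tmp_pipes` interface in the userdomain.if hunk reads `Do not audit attempts to read and write temporary pipes.`, which drops the "user" qualifier carried by the adjacent `userdom_manage_user_tmp_pipes` interface and by the type `user_tmp_t` it operates on; `## Do not audit attempts to read and write` / `## user temporary pipes.` would match the surrounding wording. The rule body `dontaudit $1 user_tmp_t:fifo_file rw_fifo_file_perms;` matches the interface name and the permission set used by its neighbours, and its only caller in this patch is the `$1_sudo_t` line added in sudo.if.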