nnd/selinux-refpolicy
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Allow auditctl_t to read bin_t symlinks.

Browse Source 
on RHEL7 insmod, rmmod, modprobe (and others?) are a symlinks
to ../bin/kmod.  But policy didn't allow auditctl_t to follow
that link.

type=AVC msg=audit(1543853530.925:141): avc:  denied  { read } for
pid=6937 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.925:143): avc:  denied  { read } for
pid=6937 comm="auditctl" name="rmmod" dev="dm-1" ino=628387
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853530.926:145): avc:  denied  { read } for
pid=6937 comm="auditctl" name="modprobe" dev="dm-1" ino=628386
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=0
type=AVC msg=audit(1543853797.766:60): avc:  denied  { read } for
pid=6942 comm="auditctl" name="insmod" dev="dm-1" ino=628383
scontext=system_u:system_r:auditctl_t:s0
tcontext=system_u:object_r:bin_t:s0 tclass=lnk_file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
This commit is contained in:
David Sugar 2018-12-07 00:20:11 +00:00 committed by Chris PeBenito
parent e73e9e7734
commit 6167b9b6e5
1 changed files with 2 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
policy/modules/system/logging.te
View File

@ -107,6 +107,8 @@ read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
allow auditctl_t auditd_etc_t:dir list_dir_perms;
dontaudit auditctl_t auditd_etc_t:file map;
corecmd_search_bin(auditctl_t)
# Needed for adding watches
files_getattr_all_dirs(auditctl_t)
files_getattr_all_files(auditctl_t)