logging: Various audit tools (auditctl, ausearch, etc) map their config and logs

Those mmap() calls are non-essential, though. They're issued by fdopen(), which can also fall back to read(). Since there are few reasons to grant read access to audit logs other than for using ausearch, I've added the dontaudits directly to the relevant read interfaces.
2017-09-12 04:40:46 +02:00 · 2017-09-12 04:40:46 +02:00 · 487de20913
commit 487de20913
parent ec27acdf1f
2 changed files with 13 additions and 0 deletions
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@ -142,6 +142,8 @@ interface(`logging_read_audit_log',`
 	files_search_var($1)
 	read_files_pattern($1, auditd_log_t, auditd_log_t)
 	allow $1 auditd_log_t:dir list_dir_perms;
+
+	dontaudit $1 auditd_log_t:file map;
 ')

 ########################################
@ -338,6 +340,8 @@ interface(`logging_manage_audit_config',`

 	files_search_etc($1)
 	manage_files_pattern($1, auditd_etc_t, auditd_etc_t)
+
+	dontaudit $1 auditd_etc_t:file map;
 ')

 ########################################
@ -359,6 +363,8 @@ interface(`logging_manage_audit_log',`
 	files_search_var($1)
 	manage_dirs_pattern($1, auditd_log_t, auditd_log_t)
 	manage_files_pattern($1, auditd_log_t, auditd_log_t)
+
+	dontaudit $1 auditd_log_t:file map;
 ')

 ########################################
@ -670,6 +676,8 @@ interface(`logging_read_audit_config',`
 	files_search_etc($1)
 	read_files_pattern($1, auditd_etc_t, auditd_etc_t)
 	allow $1 auditd_etc_t:dir list_dir_perms;
+
+	dontaudit $1 auditd_etc_t:file map;
 ')

 ########################################
@ -1206,6 +1214,9 @@ interface(`logging_admin_audit',`
 	logging_run_auditctl($1, $2)

 	init_startstop_service($1, $2, auditd_t, auditd_initrc_exec_t, auditd_unit_t)
+
+	dontaudit $1 auditd_etc_t:file map;
+	dontaudit $1 auditd_log_t:file map;
 ')

 ########################################
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -105,6 +105,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;

 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
+dontaudit auditctl_t auditd_etc_t:file map;

 # Needed for adding watches
 files_getattr_all_dirs(auditctl_t)
@ -152,6 +153,7 @@ allow auditd_t self:tcp_socket create_stream_socket_perms;

 allow auditd_t auditd_etc_t:dir list_dir_perms;
 allow auditd_t auditd_etc_t:file read_file_perms;
+dontaudit auditd_t auditd_etc_t:file map;

 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t auditd_log_t:dir setattr;