New interface to dontaudit access to cert_t

I'm seeing a bunch of denials for various processes (some refpolicy domains, some my own application domains) attempting to access /etc/pki. They seem to be working OK even with the denial. The tunable authlogin_nsswitch_use_ldap controls access to cert_t (for domains that are part of nsswitch_domain attribute). Use this new interface when that tunable is off to quiet the denials. Signed-off-by: Dave Sugar <dsugar@tresys.com>
2019-02-20 16:37:46 +00:00 · 2019-02-20 16:37:46 +00:00 · 81c10b077a
commit 81c10b077a
parent d8492558b3
2 changed files with 23 additions and 0 deletions
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@ -431,6 +431,8 @@ sysnet_dns_name_resolve(nsswitch_domain)
 tunable_policy(`authlogin_nsswitch_use_ldap',`
 	miscfiles_read_generic_certs(nsswitch_domain)
 	sysnet_use_ldap(nsswitch_domain)
+',`
+	miscfiles_dontaudit_read_generic_certs(nsswitch_domain)
 ')

 optional_policy(`
--- a/policy/modules/system/miscfiles.if
+++ b/policy/modules/system/miscfiles.if
@ -131,6 +131,27 @@ interface(`miscfiles_read_generic_certs',`
 	read_lnk_files_pattern($1, cert_t, cert_t)
 ')

+########################################
+## <summary>
+##	Do not audit attempts to read generic SSL/TLS certificates.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`miscfiles_dontaudit_read_generic_certs',`
+	gen_require(`
+		type cert_t;
+	')
+
+	dontaudit $1 cert_t:dir list_dir_perms;
+	dontaudit $1 cert_t:file read_file_perms;
+	dontaudit $1 cert_t:lnk_file read_lnk_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Manage generic SSL/TLS certificates.