Add dontaudit to quiet down a bit

node=localhost type=AVC msg=audit(1702086779.746:35710): avc: denied { execute } for pid=2790 comm="cockpit-bridge" path=2F6D656D66643A6C6962666669202864656C6574656429 dev="tmpfs" ino=18 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:user_tmpfs_t:s0 tclass=file permissive=0 node=localhost type=AVC msg=audit(1702086784.802:36735): avc: denied { execute } for pid=2849 comm="cockpit-bridge" path=2F726F6F742F23363535333931202864656C6574656429 dev="dm-1" ino=655391 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:default_t:s0 tclass=file permissive=0 /var/log/audit/audit.log:node=localhost type=AVC msg=audit(1702086784.803:36742): avc: denied { execute } for pid=2849 comm="cockpit-bridge" path=2F233330363834202864656C6574656429 dev="dm-1" ino=30684 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:etc_runtime_t:s0 tclass=file permissive=0 node=localhost type=AVC msg=audit(1702069242.629:385266): avc: denied { execute } for pid=5860 comm="cockpit-bridge" path=2F6465762F23373833202864656C6574656429 dev="devtmpfs" ino=783 scontext=sysadm_u:sysadm_r:sysadm_t:s0 tcontext=sysadm_u:object_r:device_t:s0 tclass=file permissive=0 Signed-off-by: Dave Sugar <dsugar100@gmail.com>
2023-12-10 21:00:33 -05:00 · 2023-12-10 21:00:33 -05:00 · b4d2d588f8
commit b4d2d588f8
parent fcfffd4a2c
4 changed files with 101 additions and 0 deletions
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@ -262,6 +262,24 @@ interface(`dev_dontaudit_list_all_dev_nodes',`
 	dontaudit $1 device_t:dir list_dir_perms;
 ')

+########################################
+## <summary>
+##	Dontaudit attempts to execute device nodes.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`dev_dontaudit_execute_dev_nodes',`
+	gen_require(`
+		type device_t;
+	')
+
+	dontaudit $1 device_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	Add entries to directories in /dev.
--- a/policy/modules/kernel/files.if
+++ b/policy/modules/kernel/files.if
@ -2927,6 +2927,25 @@ interface(`files_dontaudit_read_default_files',`
 	dontaudit $1 default_t:file read_file_perms;
 ')

+########################################
+## <summary>
+##	Do not audit attempts to execute files
+##	with the default file type.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_execute_default_files',`
+	gen_require(`
+		type default_t;
+	')
+
+	dontaudit $1 default_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete files with
@ -3756,6 +3775,26 @@ interface(`files_dontaudit_read_etc_runtime_files',`
 	dontaudit $1 etc_runtime_t:file { getattr read };
 ')

+########################################
+## <summary>
+##	Do not audit attempts to execuite files
+##	in /etc that are dynamically
+##	created on boot, such as mtab.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_execuite_etc_runtime_files',`
+	gen_require(`
+		type etc_runtime_t;
+	')
+
+	dontaudit $1 etc_runtime_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	Do not audit attempts to read files
@ -6925,6 +6964,24 @@ interface(`files_exec_runtime',`
 	exec_files_pattern($1, var_run_t, var_run_t)
 ')

+########################################
+## <summary>
+##	Dontaudit attempt to execute generic programs in /var/run in the caller domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_dontaudit_exec_runtime',`
+	gen_require(`
+		type var_run_t;
+	')
+
+	dontaudit $1 var_run_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	Read and write generic runtime files.
--- a/policy/modules/services/cockpit.if
+++ b/policy/modules/services/cockpit.if
@ -51,8 +51,16 @@ template(`cockpit_role_template',`

 	allow $2 $1_cockpit_tmpfs_t:file { manage_file_perms execute };

+	dev_dontaudit_execute_dev_nodes($2)
+
+	files_dontaudit_execute_default_files($2)
+	files_dontaudit_execuite_etc_runtime_files($2)
+	files_dontaudit_exec_runtime($2)
+
 	cockpit_use_ws_fds($2)
 	cockpit_rw_ws_stream_sockets($2)
+
+	userdom_dontaudit_execute_user_tmpfs_files($2)
 ')

 ########################################
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@ -3447,6 +3447,24 @@ interface(`userdom_dontaudit_read_user_tmpfs_files',`
 	dontaudit $1 user_tmpfs_t:dir list_dir_perms;
 ')

+########################################
+## <summary>
+##	dontaudit Execution attempts of user tmpfs files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_dontaudit_execute_user_tmpfs_files',`
+	gen_require(`
+		type user_tmpfs_t;
+	')
+
+	dontaudit $1 user_tmpfs_t:file execute;
+')
+
 ########################################
 ## <summary>
 ##	relabel to/from user tmpfs dirs