[gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/admin/

Tue, 26 Mar 2019 03:17:56 -0700 

commit:     17daafd3ec8af0e3e870d7b9aa2e4a68dcd5d00c
Author:     Sugar, David <dsugar <AT> tresys <DOT> com>
AuthorDate: Mon Mar 11 16:02:29 2019 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Mon Mar 25 10:05:25 2019 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=17daafd3

Resolve denial while changing password

I'm seeing the following denials reading /proc/sys/crypto/fips_enabled
and sending message for logging.  This resolves those denials.

type=AVC msg=audit(1552222811.419:470): avc:  denied  { search } for  pid=7739 
comm="passwd" name="crypto" dev="proc" ino=2253 
scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { read } for  pid=7739 
comm="passwd" name="fips_enabled" dev="proc" ino=2254 
scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:470): avc:  denied  { open } for  pid=7739 
comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 
scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1
type=AVC msg=audit(1552222811.419:471): avc:  denied  { getattr } for  pid=7739 
comm="passwd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=2254 
scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=1

type=AVC msg=audit(1552222811.431:476): avc:  denied  { sendto } for  pid=7739 
comm="passwd" path="/dev/log" 
scontext=sysadm_u:sysadm_r:passwd_t:s0-s0:c0.c1023 
tcontext=system_u:system_r:kernel_t:s0 tclass=unix_dgram_socket permissive=1

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

 policy/modules/admin/usermanage.te | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/policy/modules/admin/usermanage.te 
b/policy/modules/admin/usermanage.te
index a91c0b7c..0f874b1a 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -304,6 +304,8 @@ allow passwd_t self:msg { send receive };
 allow passwd_t crack_db_t:dir list_dir_perms;
 read_files_pattern(passwd_t, crack_db_t, crack_db_t)
 
+kernel_dgram_send(passwd_t)
+kernel_read_crypto_sysctls(passwd_t)
 kernel_read_kernel_sysctls(passwd_t)
 
 # for SSP

Reply via email to