diff options
author | Nicolas Iooss <nicolas.iooss@m4x.org> | 2017-08-12 11:52:18 +0200 |
---|---|---|
committer | Luis Ressel <aranea@aixah.de> | 2017-09-09 00:31:19 +0200 |
commit | 275b185a8326fe4f0a779f80d29012311e3e216a (patch) | |
tree | f6ab570d91c54c1af34d231c1c4d716970a99d75 /policy/modules/system/logging.te | |
parent | Remove complement and wildcard in allow rules. (diff) | |
download | hardened-refpolicy-275b185a8326fe4f0a779f80d29012311e3e216a.tar.gz hardened-refpolicy-275b185a8326fe4f0a779f80d29012311e3e216a.tar.bz2 hardened-refpolicy-275b185a8326fe4f0a779f80d29012311e3e216a.zip |
audit: allow reading /etc/localtime
When auditctl logs a message to syslog, it needs to read /etc/localtime.
This is currently denied:
avc: denied { read } for pid=191 comm="auditctl" name="UTC"
dev="vda1" ino=394043 scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1
avc: denied { open } for pid=191 comm="auditctl"
path="/usr/share/zoneinfo/UTC" dev="vda1" ino=394043
scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:locale_t tclass=file permissive=1
This occurs for example at boot time when "/usr/bin/augenrules --load"
is run [1]. Here is an extract of "strace -s 256 -f /usr/bin/augenrules
--load":
[pid 635] execve("/sbin/auditctl", ["/sbin/auditctl", "-R",
"/etc/audit/audit.rules"], 0x1e77d80 /* 16 vars */) = 0
...
[pid 635] open("/etc/audit/audit.rules", O_RDONLY) = -1 ENOENT (No
such file or directory)
[pid 635] open("/etc/localtime", O_RDONLY|O_CLOEXEC) = 4
[pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
[pid 635] fstat(4, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0
[pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0"..., 4096) = 127
[pid 635] lseek(4, -71, SEEK_CUR) = 56
[pid 635] read(4, "TZif2\0\0\0\0\0\0\0\0\0\0\0", 4096) = 71
[pid 635] close(4) = 0
[pid 635] socket(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0) = 4
[pid 635] connect(4, {sa_family=AF_UNIX, sun_path="/dev/log"}, 110) = 0
[pid 635] sendto(4, "<14>Aug 12 08:59:53 auditctl: file
/etc/audit/audit.rules doesn't exist, skipping", 81, MSG_NOSIGNAL,
NULL, 0) = 81
[pid 635] exit_group(0) = ?
More precisely, auditctl uses vsyslog() from glibc, which uses
localtime_r() to fetch the time is in local timezone.
[1] On a systemd system, this command is automatically run by
auditd.service unit, cf.
https://github.com/linux-audit/audit-userspace/blob/v2.7.7/init.d/auditd.service#L21
Diffstat (limited to 'policy/modules/system/logging.te')
-rw-r--r-- | policy/modules/system/logging.te | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 2bd92da1..648bdf86 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -118,6 +118,8 @@ kernel_setsched(auditctl_t) domain_read_all_domains_state(auditctl_t) domain_use_interactive_fds(auditctl_t) +miscfiles_read_localization(auditctl_t) + mls_file_read_all_levels(auditctl_t) term_use_all_terms(auditctl_t) |