Gentoo Archives: gentoo-commits

From: Jason Zaman <perfinion@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/services/
Date: Sun, 11 Nov 2018 23:29:46
Message-Id: 1541978251.876526eaec1af77abca0b1033ef863882dd92b48.perfinion@gentoo
commit: 876526eaec1af77abca0b1033ef863882dd92b48
Author: David Sugar <dsugar <AT> tresys <DOT> com>
AuthorDate: Fri Nov 2 00:38:01 2018 +0000
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Nov 11 23:17:31 2018 +0000
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=876526ea

Allow clamd_t to read /proc/sys/crypto/fips_enabled

To fix the following denials:
type=AVC msg=audit(1540821927.216:215): avc: denied { search } for
pid=1726 comm="clamd" name="crypto" dev="proc" ino=68
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1540821927.216:215): avc: denied { read } for
pid=1726 comm="clamd" name="fips_enabled" dev="proc" ino=69
scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:215): avc: denied { open } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:216): avc: denied { getattr } for
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc"
ino=69 scontext=system_u:system_r:clamd_t:s0
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file

Signed-off-by: Dave Sugar <dsugar <AT> tresys.com>
Signed-off-by: Jason Zaman <jason <AT> perfinion.com>

policy/modules/services/clamav.te | 1 +
1 file changed, 1 insertion(+)

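As an added example (not part of this commit or of the refpolicy tree), the following Python script does by hand what audit2allow automates for the denials quoted in the message: it parses the AVC records, groups the denied permissions by source type, target type and object class, and prints the raw allow rules they imply. The four denials are embedded as a constructed sample, each re-joined onto a single line the way audit.log writes them.

```python
import re
from collections import defaultdict

# Constructed sample: the four clamd denials from the commit message, one record per line.
AUDIT_LOG = """\
type=AVC msg=audit(1540821927.216:215): avc: denied { search } for pid=1726 comm="clamd" name="crypto" dev="proc" ino=68 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir
type=AVC msg=audit(1540821927.216:215): avc: denied { read } for pid=1726 comm="clamd" name="fips_enabled" dev="proc" ino=69 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:215): avc: denied { open } for pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=69 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
type=AVC msg=audit(1540821927.216:216): avc: denied { getattr } for pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc" ino=69 scontext=system_u:system_r:clamd_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file
"""

# Permissions sit between the braces; the contexts and class follow later on the same line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)


def type_of(context):
    """Return the type field (user:role:type:level) of a security context."""
    return context.split(":")[2]


def summarize_denials(log):
    """Group denied permissions by (source type, target type, object class)."""
    denied = defaultdict(set)
    for line in log.splitlines():
        if "type=AVC" not in line:
            continue  # skip SYSCALL, PATH and other record types
        m = AVC_RE.search(line)
        if not m:
            continue  # malformed or truncated record
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denied[key].update(m["perms"].split())
    return dict(denied)


def allow_rules(summary):
    """Render raw TE allow rules (the form audit2allow prints) from the summary."""
    rules = []
    for (stype, ttype, tclass), perms in sorted(summary.items()):
        rules.append(f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules


if __name__ == "__main__":
    for rule in allow_rules(summarize_denials(AUDIT_LOG)):
        print(rule)
```

refpolicy modules express such access through interfaces rather than raw allow rules, which is why the commit adds the single kernel_read_crypto_sysctls(clamd_t) call instead of the two rules this script derives.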
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te
index b8c53a58..b55bac56 100644
--- a/policy/modules/services/clamav.te
+++ b/policy/modules/services/clamav.te
@@ -104,6 +104,7 @@ manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t)
files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file })

kernel_dontaudit_list_proc(clamd_t)
+kernel_read_crypto_sysctls(clamd_t)
kernel_read_sysctl(clamd_t)
kernel_read_kernel_sysctls(clamd_t)
kernel_read_system_state(clamd_t)
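Review bot: the added kernel_read_crypto_sysctls(clamd_t) covers all four denials quoted in the message (search on the sysctl_crypto_t directory, then read, open and getattr on the fips_enabled file inside it), and it is needed despite the kernel_read_sysctl(clamd_t) and kernel_read_kernel_sysctls(clamd_t) calls already present below it because the denied tcontext is the separate sysctl_crypto_t type, not sysctl_t. Allowing rather than dontauditing is the right choice here: a process that cannot read fips_enabled cannot tell it is running on a FIPS-mode system, so silencing the denial would hide a real behavioural difference instead of fixing it. Placement between kernel_dontaudit_list_proc and kernel_read_sysctl keeps the block's ordering consistent.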