1 |
commit: 876526eaec1af77abca0b1033ef863882dd92b48 |
2 |
Author: David Sugar <dsugar <AT> tresys <DOT> com> |
3 |
AuthorDate: Fri Nov 2 00:38:01 2018 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Nov 11 23:17:31 2018 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=876526ea |
7 |
|
8 |
Allow clamd_t to read /proc/sys/crypt/fips_enabled |
9 |
|
10 |
To fix the following denials: |
11 |
type=AVC msg=audit(1540821927.216:215): avc: denied { search } for |
12 |
pid=1726 comm="clamd" name="crypto" dev="proc" ino=68 |
13 |
scontext=system_u:system_r:clamd_t:s0 |
14 |
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=dir |
15 |
type=AVC msg=audit(1540821927.216:215): avc: denied { read } for |
16 |
pid=1726 comm="clamd" name="fips_enabled" dev="proc" ino=69 |
17 |
scontext=system_u:system_r:clamd_t:s0 |
18 |
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file |
19 |
type=AVC msg=audit(1540821927.216:215): avc: denied { open } for |
20 |
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc" |
21 |
ino=69 scontext=system_u:system_r:clamd_t:s0 |
22 |
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file |
23 |
type=AVC msg=audit(1540821927.216:216): avc: denied { getattr } for |
24 |
pid=1726 comm="clamd" path="/proc/sys/crypto/fips_enabled" dev="proc" |
25 |
ino=69 scontext=system_u:system_r:clamd_t:s0 |
26 |
tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file |
27 |
|
28 |
Signed-off-by: Dave Sugar <dsugar <AT> tresys.com> |
29 |
Signed-off-by: Jason Zaman <jason <AT> perfinion.com> |
30 |
|
31 |
policy/modules/services/clamav.te | 1 + |
32 |
1 file changed, 1 insertion(+) |
33 |
|
34 |
diff --git a/policy/modules/services/clamav.te b/policy/modules/services/clamav.te |
35 |
index b8c53a58..b55bac56 100644 |
36 |
--- a/policy/modules/services/clamav.te |
37 |
+++ b/policy/modules/services/clamav.te |
38 |
@@ -104,6 +104,7 @@ manage_sock_files_pattern(clamd_t, clamd_var_run_t, clamd_var_run_t) |
39 |
files_pid_filetrans(clamd_t, clamd_var_run_t, { dir file sock_file }) |
40 |
|
41 |
kernel_dontaudit_list_proc(clamd_t) |
42 |
+kernel_read_crypto_sysctls(clamd_t) |
43 |
kernel_read_sysctl(clamd_t) |
44 |
kernel_read_kernel_sysctls(clamd_t) |
45 |
kernel_read_system_state(clamd_t) |