Create interface selinux_watch_config and add it to SELinux users

Add interface watch the general SELinux configuration files and use it in the userdom_login_user_template, which is template for creating a login user. Adresses the following denials: type=PROCTITLE msg=audit(04/21/2023 09:46:01.146:401) : proctitle=/usr/sbin/restorecond -u type=PATH msg=audit(04/21/2023 09:46:01.146:401) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(04/21/2023 09:46:01.146:401) : cwd=/home/staff-user type=SYSCALL msg=audit(04/21/2023 09:46:01.146:401) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x561514d3a2e0 a2=0x42 a3=0x0 items=1 ppid=4599 pid=4717 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=3 comm=restorecond exe=/usr/sbin/restorecond subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(04/21/2023 09:46:01.146:401) : avc: denied { watch } for pid=4717 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(04/21/2023 09:55:38.472:584) : proctitle=/usr/sbin/restorecond -u type=PATH msg=audit(04/21/2023 09:55:38.472:584) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(04/21/2023 09:55:38.472:584) : cwd=/home/user-user type=SYSCALL msg=audit(04/21/2023 09:55:38.472:584) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x5633587ec2e0 a2=0x42 a3=0x0 items=1 ppid=8974 pid=9096 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=8 comm=restorecond exe=/usr/sbin/restorecond subj=user_u:user_r:user_t:s0 key=(null) type=AVC msg=audit(04/21/2023 09:55:38.472:584) : avc: denied { watch } Resolves: RHEL-1555
fedora-selinux · Oct 6, 2023 · 5fa1700 · 5fa1700
1 parent 74fd8bb
commit 5fa1700
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
@@ -819,6 +819,25 @@ interface(`seutil_read_config',`
 	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
 ')
 
+########################################
+## <summary>
+##      Watch the general SELinux configuration files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`selinux_watch_config',`
+	gen_require(`
+		type selinux_config_t;
+	')
+
+	files_search_etc($1)
+	allow $1 selinux_config_t:file watch_file_perms;
+')
+
 ########################################
 ## <summary>
 ##	Read and write the general SELinux configuration files.

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
@@ -1188,6 +1188,7 @@ template(`userdom_login_user_template', `
 	miscfiles_exec_tetex_data($1_usertype)
 
 	seutil_read_config($1_usertype)
+	selinux_watch_config($1_usertype)
 	seutil_read_file_contexts($1_usertype)
 	seutil_read_default_contexts($1_usertype)
 	seutil_exec_setfiles($1_usertype)