From 5fa1700b17fb1777da962f61515f89584de3e5e4 Mon Sep 17 00:00:00 2001 
From: Nikola Knazekova Date: Fri, 6 Oct 2023 15:45:00 +0200 Subject: [PATCH] Create interface selinux_watch_config and add it to SELinux users Add an interface to watch the general SELinux configuration files and use it in the userdom_login_user_template, which is the template for creating a login user. Addresses the following denials: type=PROCTITLE msg=audit(04/21/2023 09:46:01.146:401) : proctitle=/usr/sbin/restorecond -u type=PATH msg=audit(04/21/2023 09:46:01.146:401) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(04/21/2023 09:46:01.146:401) : cwd=/home/staff-user type=SYSCALL msg=audit(04/21/2023 09:46:01.146:401) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x561514d3a2e0 a2=0x42 a3=0x0 items=1 ppid=4599 pid=4717 auid=staff-user uid=staff-user gid=staff-user euid=staff-user suid=staff-user fsuid=staff-user egid=staff-user sgid=staff-user fsgid=staff-user tty=(none) ses=3 comm=restorecond exe=/usr/sbin/restorecond subj=staff_u:staff_r:staff_t:s0-s0:c0.c1023 key=(null) type=AVC msg=audit(04/21/2023 09:46:01.146:401) : avc: denied { watch } for pid=4717 comm=restorecond path=/etc/selinux/restorecond_user.conf dev="vda2" ino=17561326 scontext=staff_u:staff_r:staff_t:s0-s0:c0.c1023 tcontext=system_u:object_r:selinux_config_t:s0 tclass=file permissive=0 ---- type=PROCTITLE msg=audit(04/21/2023 09:55:38.472:584) : proctitle=/usr/sbin/restorecond -u type=PATH msg=audit(04/21/2023 09:55:38.472:584) : item=0 name=/etc/selinux/restorecond_user.conf inode=17561326 dev=fd:02 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0 type=CWD msg=audit(04/21/2023 09:55:38.472:584) : cwd=/home/user-user type=SYSCALL
msg=audit(04/21/2023 09:55:38.472:584) : arch=x86_64 syscall=inotify_add_watch success=no exit=EACCES(Permission denied) a0=0x3 a1=0x5633587ec2e0 a2=0x42 a3=0x0 items=1 ppid=8974 pid=9096 auid=user-user uid=user-user gid=user-user euid=user-user suid=user-user fsuid=user-user egid=user-user sgid=user-user fsgid=user-user tty=(none) ses=8 comm=restorecond exe=/usr/sbin/restorecond subj=user_u:user_r:user_t:s0 key=(null) type=AVC msg=audit(04/21/2023 09:55:38.472:584) : avc: denied { watch } Resolves: RHEL-1555
---
policy/modules/system/selinuxutil.if | 19 +++++++++++++++++++
policy/modules/system/userdomain.if | 1 +
2 files changed, 20 insertions(+)
diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
index c2344f4a1e..d9e9e36280 100644
--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
@@ -819,6 +819,25 @@ interface(`seutil_read_config',`
 read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
 ')
+########################################
+##
+## Watch the general SELinux configuration files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`selinux_watch_config',`
+ gen_require(`
+ type selinux_config_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 selinux_config_t:file watch_file_perms;
+')
+
 ########################################
 ##
 ## Read and write the general SELinux configuration files.
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index f8a18da9c8..cf79937dba 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -1188,6 +1188,7 @@ template(`userdom_login_user_template', `
 miscfiles_exec_tetex_data($1_usertype)
 seutil_read_config($1_usertype)
+ selinux_watch_config($1_usertype)
 seutil_read_file_contexts($1_usertype)
 seutil_read_default_contexts($1_usertype)
 seutil_exec_setfiles($1_usertype)
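Review bot: The new interface is named `selinux_watch_config`, while the rest of selinuxutil.if uses the `seutil_` prefix (`seutil_read_config` in this hunk's header, and the call added in the userdomain.if hunk sits between `seutil_read_config` and `seutil_read_file_contexts`); it should be declared as `interface(`seutil_watch_config',`` and the userdomain.if call changed to `seutil_watch_config($1_usertype)`. The body also depends on the caller to reach the files: `files_search_etc($1)` only grants search on etc_t, and /etc/selinux itself is presumably labelled selinux_config_t like the file the audit records show under it, so a domain that does not also call seutil_read_config could not traverse the directory; adding `allow $1 selinux_config_t:dir search_dir_perms;` makes the interface self-contained, as the `*_pattern` macros in seutil_read_config already do for that caller. Note as well that watch_file_perms is granted on every selinux_config_t file rather than only restorecond_user.conf named in the denials, so each login user domain can observe modification events on all SELinux configuration files; if that breadth is intended, the summary should state it, e.g. `## Watch (inotify) all general SELinux configuration files.`.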