Skip to content

Commit

Permalink
Allow auditd read all domains process state
Browse files Browse the repository at this point in the history 
This is required by a recently added auditd feature that reads
/proc/*/sessionid of (presumably) various processes, namely the one
that sent a signal, to get additional information about the process
to be included into the audit message.

Reproducible e. g. with a log rotation request like this:
kill -USR1 `pidof auditd`

The commit addresses the following AVC denial:
type=PROCTITLE msg=audit(10/19/2023 10:47:09.559:323) : proctitle=/sbin/auditd
type=PATH msg=audit(10/19/2023 10:47:09.559:323) : item=0 name=/proc/4187/sessionid inode=30488 dev=00:14 mode=file,444 ouid=root ogid=root rdev=00:00 obj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=SYSCALL msg=audit(10/19/2023 10:47:09.559:323) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x7ffd03a75470 a2=O_RDONLY a3=0x0 items=1 ppid=1 pid=4555 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=auditd exe=/usr/sbin/auditd subj=system_u:system_r:auditd_t:s0 key=(null)
type=AVC msg=audit(10/19/2023 10:47:09.559:323) : avc:  denied  { open } for  pid=4555 comm=auditd path=/proc/4187/sessionid dev="proc" ino=30488 scontext=system_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(10/19/2023 10:47:09.559:323) : avc:  denied  { read } for  pid=4555 comm=auditd name=sessionid dev="proc" ino=30488 scontext=system_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file permissive=1
type=AVC msg=audit(10/19/2023 10:47:09.559:323) : avc:  denied  { search } for  pid=4555 comm=auditd name=4187 dev="proc" ino=28732 scontext=system_u:system_r:auditd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir permissive=1

Resolves: RHEL-14285
  • Loading branch information
@zpytela
zpytela committed Nov 20, 2023
1 parent b1374e9 commit 66627d5
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions policy/modules/system/logging.te
View file
Original file line number Diff line number Diff line change
Expand Up @@ -241,6 +241,7 @@ corenet_sendrecv_audit_server_packets(auditd_t)
corecmd_exec_bin(auditd_t)
corecmd_exec_shell(auditd_t)

domain_read_all_domains_state(auditd_t)
domain_use_interactive_fds(auditd_t)

files_read_etc_files(auditd_t)
Expand Down

0 comments on commit 66627d5

Please sign in to comment.