Written by: Martin Orr
Suppress AVCs due to fds that leak from hal
This deals with the following leaks:
* /usr/lib/pm-utils/power.d/journal-commit running mount
* anacron is run on wake-up/power-attachment
type=SYSCALL msg=audit(1280676943.928:12): arch=c000003e syscall=59 success=yes exit=0 a0=11652c0 a1=1164788 a2=1164fe8 a3=0 items=0 ppid=3052 pid=3063 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="mount" exe="/bin/mount" subj=system_u:system_r:mount_t:s0 key=(null)
type=AVC msg=audit(1280676943.928:12): avc: denied { read } for pid=3063 comm="mount" path="/var/run/pm-utils/locks/pm-powersave.lock" dev=dm-0 ino=1249264 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:hald_var_run_t:s0 tclass=file
type=AVC msg=audit(1280676943.928:12): avc: denied { append } for pid=3063 comm="mount" path="/var/log/pm-powersave.log" dev=dm-0 ino=828059 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:hald_log_t:s0 tclass=file
type=AVC msg=audit(1280676943.928:12): avc: denied { append } for pid=3063 comm="mount" path="/var/log/pm-powersave.log" dev=dm-0 ino=828059 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:hald_log_t:s0 tclass=file
type=AVC msg=audit(1280676943.928:12): avc: denied { read } for pid=3063 comm="mount" path="/proc/3052/mounts" dev=proc ino=16729 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=file
----
type=SYSCALL msg=audit(1281782288.678:7): arch=c000003e syscall=59 success=yes exit=0 a0=13261e0 a1=1325010 a2=7fff6b8818b8 a3=0 items=0 ppid=3349 pid=4585 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sysklogd" exe="/bin/dash" subj=system_u:system_r:logrotate_t:s0 key=(null)
type=AVC msg=audit(1281782288.678:7): avc: denied { use } for pid=4585 comm="sysklogd" path=2F7661722F72756E2F706D2D7574696C732F6C6F636B732F706D2D706F776572736176652E6C6F636B202864656C6574656429 dev=dm-0 ino=1249422 scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fd
----
type=SYSCALL msg=audit(1281782287.838:6): arch=c000003e syscall=59 success=yes exit=0 a0=13261e0 a1=1325010 a2=7fff6b8818b8 a3=0 items=0 ppid=3349 pid=4520 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="standard" exe="/bin/dash" subj=system_u:system_r:backup_t:s0 key=(null)
type=AVC msg=audit(1281782287.838:6): avc: denied { use } for pid=4520 comm="standard" path=2F7661722F72756E2F706D2D7574696C732F6C6F636B732F706D2D706F776572736176652E6C6F636B202864656C6574656429 dev=dm-0 ino=1249422 scontext=system_u:system_r:backup_t:s0 tcontext=system_u:system_r:hald_t:s0 tclass=fd
Index: policy/modules/services/hal.if
===================================================================
--- policy/modules/services/hal.if.orig
+++ policy/modules/services/hal.if
@@ -56,6 +56,24 @@
########################################
##
+## Do not audit attempts to read hal system state
+##
+##
+##
+## Domain to not audit.
+##
+##
+#
+interface(`hal_dontaudit_read_state',`
+ gen_require(`
+ type hald_t;
+ ')
+
+ dontaudit $1 hald_t:file read;
+')
+
+########################################
+##
## Allow ptrace of hal domain
##
##
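Review bot: `dontaudit $1 hald_t:file read;` in hal_dontaudit_read_state carries no comment explaining why only `read` is silenced, and the same applies to `dontaudit $1 hald_var_run_t:file read;` in hal_dontaudit_read_pid_files in the next hunk. The denials quoted in the description are all on descriptors inherited from hal (/proc/3052/mounts, pm-powersave.lock), so limiting the rule to `read` looks deliberate. Presumably a fresh open() of these files by the calling domain would still be checked against `open` and audited, which is the behaviour you want to keep for detection. I would add `# Leaked fds only: read without open, so a new open of these files is still audited` above each dontaudit line, after confirming that the target policy version defines the `open` permission. The ptrace interface that follows the first new interface continues outside the hunk.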
@@ -376,6 +394,24 @@
')
########################################
+##
+## Do not audit attempts to read hald PID files.
+##
+##
+##
+## Domain to not audit
+##
+##
+#
+interface(`hal_dontaudit_read_pid_files',`
+ gen_require(`
+ type hald_var_run_t;
+ ')
+
+ dontaudit $1 hald_var_run_t:file read;
+')
+
+########################################
##
## Read/Write hald PID files.
##
Index: policy/modules/system/mount.te
===================================================================
--- policy/modules/system/mount.te.orig
+++ policy/modules/system/mount.te
@@ -150,6 +150,15 @@
')
')
+ifdef(`distro_debian',`
+ optional_policy(`
+ # For /usr/lib/pm-utils/power.d/journal-commit
+ hal_dontaudit_read_pid_files(mount_t)
+ hal_dontaudit_read_state(mount_t)
+ hal_dontaudit_write_log(mount_t)
+ ')
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(mount_t)
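Review bot: `hal_dontaudit_write_log(mount_t)` is not defined anywhere in this patch, and the denials it is meant to silence are `{ append }` on hald_log_t, so it is worth confirming that the existing interface covers `append` and not only `write`. If it does not, the pm-powersave.log AVCs from the description will keep appearing. This block is also gated on `distro_debian`, while the logrotate and backup changes are unconditional; a short comment such as `# pm-utils hook only leaks hal fds to mount on Debian` would record whether that difference is intended. The `distro_ubuntu` block below continues outside the hunk.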
Index: policy/modules/admin/logrotate.te
===================================================================
--- policy/modules/admin/logrotate.te.orig
+++ policy/modules/admin/logrotate.te
@@ -185,6 +185,10 @@
')
optional_policy(`
+ hal_dontaudit_use_fds(logrotate_t)
+')
+
+optional_policy(`
hostname_exec(logrotate_t)
')
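Review bot: `hal_dontaudit_use_fds(logrotate_t)` is added without a comment, unlike the mount.te hunk, and the same is true of `hal_dontaudit_use_fds(backup_t)` in backup.te. The rule silences every `fd use` denial against hald_t for these domains, not only the one for the deleted pm-powersave.lock that the hex-encoded path in the description decodes to. The reason should therefore be recorded next to the call, for example `# hal leaks its pm-powersave.lock fd to anacron jobs run on wake-up/power-attachment`. Once this is loaded, a regression in hal's descriptor handling will only show up in the audit log when dontaudit rules are temporarily disabled (`semodule -DB`), so the comment could also note that the underlying fix is for hal/pm-utils to stop leaking the descriptor.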
Index: policy/modules/admin/backup.te
===================================================================
--- policy/modules/admin/backup.te.orig
+++ policy/modules/admin/backup.te
@@ -83,6 +83,10 @@
')
optional_policy(`
+ hal_dontaudit_use_fds(backup_t)
+')
+
+optional_policy(`
hostname_exec(backup_t)
')