[selinux-policy: 435/3172] add logrotate, more low-hanging fruit

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 19:42:20 UTC 2010


commit 96ce00afcc8e94416308e017c4c7bf0c03dd91cd
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Tue Jun 28 20:54:49 2005 +0000

    add logrotate, more low-hanging fruit

 refpolicy/policy/constraints                  |   13 ++-
 refpolicy/policy/modules/admin/consoletype.te |    4 +
 refpolicy/policy/modules/admin/logrotate.fc   |   16 +++
 refpolicy/policy/modules/admin/logrotate.if   |   84 +++++++++++++
 refpolicy/policy/modules/admin/logrotate.te   |  163 +++++++++++++++++++++++++
 refpolicy/policy/modules/services/cron.if     |   19 +++
 refpolicy/policy/modules/services/mta.te      |    4 +
 refpolicy/policy/modules/system/authlogin.if  |   13 ++
 refpolicy/policy/modules/system/files.if      |   15 ++-
 refpolicy/policy/modules/system/logging.if    |   51 ++++++++-
 refpolicy/policy/modules/system/userdomain.te |    4 +
 11 files changed, 379 insertions(+), 7 deletions(-)
---
diff --git a/refpolicy/policy/constraints b/refpolicy/policy/constraints
index d10a959..df25edb 100644
--- a/refpolicy/policy/constraints
+++ b/refpolicy/policy/constraints
@@ -37,9 +37,10 @@ constrain process transition
 ifdef(`crond.te', `
          or (t1 == crond_t and (t2 == user_crond_domain or u2 == system_u))
 ')
-ifdef(`TODO',`
 ifdef(`userhelper.te', 
-	`or (t1 == userhelperdomain)')
+	`or (t1 == userhelperdomain)
+')
+ifdef(`TODO',`
 	 or (t1 == priv_system_role and u2 == system_u )
 ') dnl end TODO
         );
@@ -52,13 +53,15 @@ constrain process transition
 ifdef(`crond.te', `
          or (t1 == crond_t and t2 == user_crond_domain)
 ')
-ifdef(`TODO',`
 ifdef(`userhelper.te', 
-	`or (t1 == userhelperdomain)')
+	`or (t1 == userhelperdomain)
+')
 ifdef(`postfix.te', `
 ifdef(`direct_sysadm_daemon',
-	`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )')
+	`or (t1 == sysadm_mail_t and t2 == system_mail_t and r2 == system_r )
+')
 ')
+ifdef(`TODO',`
 	 or (t1 == priv_system_role and r2 == system_r )
 ') dnl end TODO
         );
diff --git a/refpolicy/policy/modules/admin/consoletype.te b/refpolicy/policy/modules/admin/consoletype.te
index 66d899e..28dba7a 100644
--- a/refpolicy/policy/modules/admin/consoletype.te
+++ b/refpolicy/policy/modules/admin/consoletype.te
@@ -59,6 +59,10 @@ optional_policy(`authlogin.te', `
 	auth_read_pam_pid(consoletype_t)
 ')
 
+optional_policy(`logrotate.te',`
+	logrotate_dontaudit_use_fd(consoletype_t)
+')
+
 optional_policy(`nis.te',`
 	nis_use_ypbind(consoletype_t)
 ')
diff --git a/refpolicy/policy/modules/admin/logrotate.fc b/refpolicy/policy/modules/admin/logrotate.fc
new file mode 100644
index 0000000..618ff00
--- /dev/null
+++ b/refpolicy/policy/modules/admin/logrotate.fc
@@ -0,0 +1,16 @@
+/etc/cron\.(daily|weekly)/sysklogd -- system_u:object_r:logrotate_exec_t
+
+/usr/sbin/logcheck	--	system_u:object_r:logrotate_exec_t
+/usr/sbin/logrotate	--	system_u:object_r:logrotate_exec_t
+
+/var/lib/logcheck(/.*)?		system_u:object_r:logrotate_var_lib_t
+
+# using a hard-coded name under /var/tmp is a bug - new version fixes it
+/var/tmp/logcheck	-d	system_u:object_r:logrotate_tmp_t
+
+ifdef(`distro_debian', `
+/usr/bin/savelog	--	system_u:object_r:logrotate_exec_t
+/var/lib/logrotate(/.*)?	system_u:object_r:logrotate_var_lib_t
+', `
+/var/lib/logrotate\.status --	system_u:object_r:logrotate_var_lib_t
+')
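Review bot: `/usr/sbin/logcheck`, the `/etc/cron.(daily|weekly)/sysklogd` script and, on Debian, `/usr/bin/savelog` are all labelled logrotate_exec_t, so three unrelated programs share one domain whose rules in logrotate.te (chown/dac_override/kill, domain_signal_all_domains, logging_manage_all_logs) appear to be sized for logrotate itself. If sharing the domain is intentional, a comment above the logcheck entry would stop a later reader from splitting them by accident, e.g. `# logcheck and savelog deliberately run in logrotate_t: they need the same log-file access`. The comment on the `/var/tmp/logcheck -d` entry already documents the hard-coded tmp path as a known bug, which is the right approach for the other oddities here too.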
diff --git a/refpolicy/policy/modules/admin/logrotate.if b/refpolicy/policy/modules/admin/logrotate.if
new file mode 100644
index 0000000..134a886
--- /dev/null
+++ b/refpolicy/policy/modules/admin/logrotate.if
@@ -0,0 +1,84 @@
+## <summary>Rotate and archive system logs</summary>
+
+########################################
+## <summary>
+##	Execute logrotate in the logrotate domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`logrotate_domtrans',`
+	gen_require(`
+		type logrotate_t, logrotate_exec_t;
+		class process sigchld;
+		class fd use;
+		class fifo_file rw_file_perms;
+	')
+
+	domain_auto_trans($1,logrotate_exec_t,logrotate_t)
+
+	allow $1 logrotate_t:fd use;
+	allow logrotate_t $1:fd use;
+	allow logrotate_t $1:fifo_file rw_file_perms;
+	allow logrotate_t $1:process sigchld;
+')
+
+########################################
+## <summary>
+##	Execute logrotate in the logrotate domain, and
+##	allow the specified role the logrotate domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+## <param name="role">
+##	The role to be allowed the logrotate domain.
+## </param>
+## <param name="terminal">
+##	The type of the terminal allow the logrotate domain to use.
+## </param>
+#
+interface(`logrotate_run',`
+	gen_require(`
+		type logrotate_t;
+		class chr_file rw_term_perms;
+	')
+
+	logrotate_domtrans($1)
+	role $2 types logrotate_t;
+	allow logrotate_t $3:chr_file rw_term_perms;
+')
+
+########################################
+## <summary>
+##	Execute logrotate in the caller domain.
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`logrotate_exec',`
+	gen_require(`
+		type logrotate_exec_t;
+	')
+
+	can_exec($1,logrotate_exec_t)
+')
+
+########################################
+## <summary>
+##	Do not audit attempts to inherit logrotate file descriptors.
+## </summary>
+## <param name="domain">
+##	The type of the process to not audit.
+## </param>
+#
+interface(`logrotate_dontaudit_use_fd',`
+	gen_require(`
+		type logrotate_t;
+		class fd;
+	')
+
+	dontaudit $1 logrotate_t:fd use;
+')
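Review bot: The gen_require in logrotate_dontaudit_use_fd declares `class fd;` with no permission, while logrotate_domtrans in this same file declares `class fd use;` for the same rule shape; the dontaudit on the following line uses `use`, so the require should read `class fd use;`. logrotate_run and logrotate_exec are otherwise consistent with the rest of the file.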
diff --git a/refpolicy/policy/modules/admin/logrotate.te b/refpolicy/policy/modules/admin/logrotate.te
new file mode 100644
index 0000000..e616644
--- /dev/null
+++ b/refpolicy/policy/modules/admin/logrotate.te
@@ -0,0 +1,163 @@
+
+policy_module(logrotate,1.0)
+
+########################################
+#
+# Declarations
+#
+
+type logrotate_t; #, priv_system_role, nscd_client_domain;
+domain_type(logrotate_t)
+domain_obj_id_change_exempt(logrotate_t)
+role system_r types logrotate_t;
+
+type logrotate_exec_t;
+files_file_type(logrotate_exec_t)
+
+type logrotate_tmp_t;
+files_tmp_file(logrotate_tmp_t)
+
+type logrotate_var_lib_t;
+files_file_type(logrotate_var_lib_t)
+
+########################################
+#
+# Local policy
+#
+
+# Change ownership on log files.
+allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
+# for mailx
+dontaudit logrotate_t self:capability { setuid setgid };
+
+allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem dyntransition };
+
+# Set a context other than the default one for newly created files.
+allow logrotate_t self:process setfscreate;
+
+allow logrotate_t self:fd use;
+allow logrotate_t self:fifo_file rw_file_perms;
+allow logrotate_t self:unix_dgram_socket create_socket_perms;
+allow logrotate_t self:unix_stream_socket create_stream_socket_perms;
+allow logrotate_t self:unix_dgram_socket sendto;
+allow logrotate_t self:unix_stream_socket connectto;
+allow logrotate_t self:shm create_shm_perms;
+allow logrotate_t self:sem create_sem_perms;
+allow logrotate_t self:msgq create_msgq_perms;
+allow logrotate_t self:msg { send receive };
+
+can_exec(logrotate_t, logrotate_tmp_t)
+
+allow logrotate_t logrotate_tmp_t:dir create_dir_perms;
+allow logrotate_t logrotate_tmp_t:file create_file_perms;
+files_create_tmp_files(logrotate_t, logrotate_tmp_t, { file dir })
+
+allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };
+
+kernel_read_system_state(logrotate_t)
+kernel_read_kernel_sysctl(logrotate_t)
+
+dev_read_urand(logrotate_t)
+
+fs_search_auto_mountpoints(logrotate_t)
+fs_getattr_xattr_fs(logrotate_t)
+
+selinux_get_fs_mount(logrotate_t)
+
+auth_manage_login_records(logrotate_t)
+
+# Run helper programs.
+corecmd_exec_bin(logrotate_t)
+corecmd_exec_sbin(logrotate_t)
+corecmd_exec_shell(logrotate_t)
+corecmd_exec_ls(logrotate_t)
+
+domain_signal_all_domains(logrotate_t)
+domain_use_wide_inherit_fd(logrotate_t)
+
+files_read_usr_files(logrotate_t)
+files_read_generic_etc_files(logrotate_t)
+files_read_etc_runtime_files(logrotate_t)
+files_manage_generic_lock_files(logrotate_t)
+files_read_all_pids(logrotate_t)
+# Write to /var/spool/slrnpull - should be moved into its own type.
+files_manage_spools(logrotate_t)
+files_manage_spool_dirs(logrotate_t)
+
+hostname_exec(logrotate_t)
+
+# cjp: why is this needed?
+init_domtrans_script(logrotate_t)
+
+logging_manage_all_logs(logrotate_t)
+# cjp: why is this needed?
+logging_exec_all_logs(logrotate_t)
+
+libs_use_ld_so(logrotate_t)
+libs_use_shared_libs(logrotate_t)
+
+miscfiles_read_localization(logrotate_t)
+
+sysnet_read_config(logrotate_t)
+
+userdom_use_unpriv_users_fd(logrotate_t)
+
+cron_system_entry(logrotate_t, logrotate_exec_t)
+cron_search_spool(logrotate_t)
+
+mta_send_mail(logrotate_t)
+
+ifdef(`distro_debian', `
+	allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto };
+	# for savelog
+	can_exec(logrotate_t, logrotate_exec_t)
+')
+
+optional_policy(`consoletype.te',`
+	consoletype_exec(logrotate_t)
+
+')
+
+optional_policy(`nis.te',`
+	nis_use_ypbind(logrotate_t)
+')
+
+ifdef(`TODO',`
+
+#from privmail this needs more work:
+allow mta_user_agent logrotate_t:fd use;
+allow mta_user_agent logrotate_t:process sigchld;
+allow mta_user_agent logrotate_t:fifo_file { read write };
+
+ifdef(`gnome-pty-helper.te', `allow logrotate_t sysadm_gph_t:fd use;')
+
+# it should not require this
+allow logrotate_t {staff_home_dir_t sysadm_home_dir_t}:dir { getattr read search };
+
+# Read /proc/PID directories for all domains.
+allow logrotate_t domain:notdevfile_class_set r_file_perms;
+allow logrotate_t domain:dir r_dir_perms;
+allow logrotate_t exec_type:file getattr;
+
+#this should go to squid:
+ifdef(`squid.te', `
+allow squid_t { system_crond_t crond_t }:fd use;
+allow squid_t crond_t:fifo_file { read write };
+allow squid_t system_crond_t:fifo_file write;
+allow squid_t self:capability kill;
+')
+
+# for /var/lib/logrotate.status and /var/lib/logcheck
+file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file)
+
+allow crond_t logrotate_var_lib_t:dir search;
+
+# for /var/backups on Debian
+ifdef(`backup.te', `
+rw_dir_create_file(logrotate_t, backup_store_t)
+')
+
+allow logrotate_t syslogd_t:unix_dgram_socket sendto;
+
+dontaudit logrotate_t selinux_config_t:dir search;
+') dnl end TODO
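Review bot: logrotate_var_lib_t only gets directory permissions (`allow logrotate_t logrotate_var_lib_t:dir { create rw_dir_perms };`), yet logrotate.fc in this commit labels `/var/lib/logrotate.status` as a file of that type, and the `file_type_auto_trans(logrotate_t, var_lib_t, logrotate_var_lib_t, file)` that would create it is parked inside the ifdef(`TODO') block — so the state file looks unreadable and unwritable from the domain; add `allow logrotate_t logrotate_var_lib_t:file create_file_perms;` next to the dir rule and move the transition out of TODO. Separately, the self:process rule excludes setfscreate via `~{ ... setfscreate ... }` and the very next rule re-grants it, which makes the exclusion list misleading; drop setfscreate from the negated set (or drop the second rule) and keep the explanatory comment. `can_exec(logrotate_t, logrotate_tmp_t)` also deserves a why-comment, since it lets the domain execute files it can itself create under logrotate_tmp_t.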
diff --git a/refpolicy/policy/modules/services/cron.if b/refpolicy/policy/modules/services/cron.if
index d611f0e..5c13c28 100644
--- a/refpolicy/policy/modules/services/cron.if
+++ b/refpolicy/policy/modules/services/cron.if
@@ -309,6 +309,7 @@ interface(`cron_system_entry',`
 ## <param name="domain">
 ##	The type of the process to performing this action.
 ## </param>
+#
 interface(`cron_rw_log',`
 	gen_require(`
 		type crond_log_t;
@@ -318,3 +319,21 @@ interface(`cron_rw_log',`
 	logging_search_logs($1)
 	allow $1 crond_log_t:file rw_file_perms;
 ')
+
+########################################
+## <summary>
+##	Search the directory containing user cron tables.
+## </summary>
+## <param name="domain">
+##	The type of the process to performing this action.
+## </param>
+#
+interface(`cron_search_spool',`
+	gen_require(`
+		type cron_spool_t;
+		class dir search;
+	')
+
+	files_search_spool($1)
+	allow $1 cron_spool_t:dir search;
+')
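Review bot: The parameter description in the new cron_search_spool doc block repeats the typo `The type of the process to performing this action.` from cron_rw_log above it; it should read `The type of the process performing this action.`, matching the wording used in logrotate.if in this same commit. The interface body (files_search_spool plus dir search on cron_spool_t) is minimal and matches its summary.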
diff --git a/refpolicy/policy/modules/services/mta.te b/refpolicy/policy/modules/services/mta.te
index 2a3e676..0ac3e9f 100644
--- a/refpolicy/policy/modules/services/mta.te
+++ b/refpolicy/policy/modules/services/mta.te
@@ -222,4 +222,8 @@ allow system_mail_t system_crond_tmp_t:file r_file_perms;
 allow mta_user_agent system_crond_tmp_t:file r_file_perms;
 ')
 
+optional_policy(`logrotate.te', `
+	allow { system_mail_t mta_user_agent } logrotate_tmp_t:file r_file_perms;
+')
+
 ') dnl end TODO
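Review bot: The new optional_policy block is inserted immediately before `') dnl end TODO`, which indicates it sits inside an ifdef(`TODO') wrapper whose opening lies outside this hunk; if so, the rule is never compiled and the mail helpers run from logrotate_t will still be denied read on logrotate_tmp_t. It also names logrotate_tmp_t directly rather than going through logrotate.if, whereas the rest of this commit adds `logrotate_*` interfaces for exactly that kind of cross-module access; consider moving the block above the TODO closer and expressing it through a read-tmp-files interface in logrotate.if.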
diff --git a/refpolicy/policy/modules/system/authlogin.if b/refpolicy/policy/modules/system/authlogin.if
index 3df2761..6fcb4d0 100644
--- a/refpolicy/policy/modules/system/authlogin.if
+++ b/refpolicy/policy/modules/system/authlogin.if
@@ -640,3 +640,16 @@ interface(`auth_rw_login_records',`
 	logging_search_logs($1)
 ')
 
+#######################################
+#
+# auth_manage_login_records(domain)
+#
+interface(`auth_manage_login_records',`
+	gen_require(`
+		type wtmp_t;
+		class file create_file_perms;
+	')
+
+	logging_rw_log_dir($1)
+	allow $1 wtmp_t:file create_file_perms;
+')
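Review bot: auth_manage_login_records is documented with the bare `# auth_manage_login_records(domain)` comment form, while logrotate.if and logging_rw_log_dir in this same commit use the XML `## <summary>` / `## <param>` form; files_manage_spool_dirs, logging_exec_all_logs and logging_manage_all_logs have the same gap. A summary such as `Create, read, write, and delete login records (wtmp).` plus the usual `<param name="domain">` block would bring it in line. The rules themselves (rw on the log directory via logging_rw_log_dir, create_file_perms on wtmp_t) match the interface name.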
diff --git a/refpolicy/policy/modules/system/files.if b/refpolicy/policy/modules/system/files.if
index 9f70fef..c28b1fb 100644
--- a/refpolicy/policy/modules/system/files.if
+++ b/refpolicy/policy/modules/system/files.if
@@ -1246,6 +1246,20 @@ interface(`files_list_spool',`
 
 ########################################
 #
+# files_manage_spool_dirs(domain)
+#
+interface(`files_manage_spool_dirs',`
+	gen_require(`
+		type var_t, var_spool_t;
+		class dir create_dir_perms;
+	')
+
+	allow $1 var_t:dir search;
+	allow $1 var_spool_t:dir create_dir_perms;
+')
+
+########################################
+#
 # files_read_spools(domain)
 #
 interface(`files_read_spools',`
@@ -1275,4 +1289,3 @@ interface(`files_manage_spools',`
 	allow $1 var_spool_t:dir rw_dir_perms;
 	allow $1 var_spool_t:file create_file_perms;
 ')
-
diff --git a/refpolicy/policy/modules/system/logging.if b/refpolicy/policy/modules/system/logging.if
index e3da815..07a65c5 100644
--- a/refpolicy/policy/modules/system/logging.if
+++ b/refpolicy/policy/modules/system/logging.if
@@ -79,6 +79,24 @@ interface(`logging_search_logs',`
 ')
 
 #######################################
+## <summary>
+##	Read and write the generic log directory (/var/log).
+## </summary>
+## <param name="domain">
+##	The type of the process performing this action.
+## </param>
+#
+interface(`logging_rw_log_dir',`
+	gen_require(`
+		type var_log_t;
+		class dir rw_dir_perms;
+	')
+
+	files_search_var($1)
+	allow $1 var_log_t:dir rw_dir_perms;
+')
+
+#######################################
 #
 # logging_dontaudit_getattr_all_logs(domain)
 #
@@ -127,6 +145,38 @@ interface(`logging_read_all_logs',`
 
 #######################################
 #
+# logging_exec_all_logs(domain)
+#
+interface(`logging_exec_all_logs',`
+	gen_require(`
+		attribute logfile;
+		class dir r_dir_perms;
+	')
+
+	files_search_var($1)
+	allow $1 logfile:dir r_dir_perms;
+	can_exec($1,logfile)
+')
+
+#######################################
+#
+# logging_manage_all_logs(domain)
+#
+interface(`logging_manage_all_logs',`
+	gen_require(`
+		attribute logfile;
+		class dir rw_dir_perms;
+		class file create_file_perms;
+	')
+
+	files_search_var($1)
+	allow $1 logfile:dir rw_dir_perms;
+	allow $1 logfile:lnk_file read;
+	allow $1 logfile:file create_file_perms;
+')
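Review bot: logging_manage_all_logs allows `logfile:lnk_file read` but its gen_require only declares the dir and file classes, so `class lnk_file read;` should be added alongside them for consistency with the other require blocks in this file. logging_exec_all_logs is the more serious item: `can_exec($1,logfile)` grants execute on every type carrying the logfile attribute, and since log types are by nature writable by the daemons that own them this is a write-then-execute path for any caller; the only caller added in this commit annotates it `# cjp: why is this needed?`, so the interface doc should at least state that it is only for programs that genuinely execute files stored under log types and that callers should prefer a narrower type.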
+
+#######################################
+#
 # logging_read_generic_logs(domain)
 #
 interface(`logging_read_generic_logs',`
@@ -172,4 +222,3 @@ interface(`logging_rw_generic_logs',`
 	allow $1 var_log_t:dir r_dir_perms;
 	allow $1 var_log_t:file rw_file_perms;
 ')
-
diff --git a/refpolicy/policy/modules/system/userdomain.te b/refpolicy/policy/modules/system/userdomain.te
index 2b757c8..8998808 100644
--- a/refpolicy/policy/modules/system/userdomain.te
+++ b/refpolicy/policy/modules/system/userdomain.te
@@ -110,6 +110,10 @@ optional_policy(`modutils.te',`
 	modutils_run_update_mods(sysadm_t,sysadm_r,admin_terminal)
 ')
 
+optional_policy(`logrotate.te',`
+	logrotate_run(sysadm_t,sysadm_r,admin_terminal)
+')
+
 optional_policy(`mount.te',`
 	mount_run(sysadm_t,sysadm_r,admin_terminal)
 ')

