[selinux-policy: 1806/3172] trunk: 3 patches from dan.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 21:41:11 UTC 2010


commit 14add30d03dd825962b13e551e6a8b3796a7edff
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Sep 12 14:53:39 2007 +0000

    trunk: 3 patches from dan.

 policy/modules/services/procmail.te |    7 ++++++-
 policy/modules/services/rhgb.te     |    3 ++-
 policy/modules/system/logging.fc    |    3 ++-
 policy/modules/system/logging.if    |   21 ++++++++++++++++++++-
 policy/modules/system/logging.te    |   10 +++++++---
 5 files changed, 37 insertions(+), 7 deletions(-)
---
diff --git a/policy/modules/services/procmail.te b/policy/modules/services/procmail.te
index 490eed4..6d0a04f 100644
--- a/policy/modules/services/procmail.te
+++ b/policy/modules/services/procmail.te
@@ -1,5 +1,5 @@
 
-policy_module(procmail,1.6.1)
+policy_module(procmail,1.6.2)
 
 ########################################
 #
@@ -27,6 +27,8 @@ allow procmail_t self:unix_dgram_socket create_socket_perms;
 allow procmail_t self:tcp_socket create_stream_socket_perms;
 allow procmail_t self:udp_socket create_socket_perms;
 
+can_exec(procmail_t,procmail_exec_t)
+
 allow procmail_t procmail_tmp_t:file manage_file_perms;
 files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
 
@@ -108,6 +110,9 @@ optional_policy(`
 	# for a bug in the postfix local program
 	postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
 	postfix_dontaudit_use_fds(procmail_t)
+	postfix_read_spool_files(procmail_t)
+	postfix_read_local_state(procmail_t)
+	postfix_read_master_state(procmail_t)
 ')
 
 optional_policy(`
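Review bot: The three postfix_read_* calls added after postfix_dontaudit_use_fds(procmail_t) carry no explanation, unlike the `# for a bug in the postfix local program` comment that introduces the lines above them, so a later reader cannot tell which denial prompted widening a delivery agent's read access into the MTA's spool and local/master state. A one-line comment in the same style, e.g. `# procmail reads postfix spool/state when invoked as local delivery agent (confirm against the observed denial)`, would make the intent reviewable and let the three reads be narrowed later if only one is needed. The enclosing optional_policy block opens above this hunk, and whether postfix_read_local_state and postfix_read_master_state are defined in postfix.if cannot be checked from this diff.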
diff --git a/policy/modules/services/rhgb.te b/policy/modules/services/rhgb.te
index 2fcb699..f5e8717 100644
--- a/policy/modules/services/rhgb.te
+++ b/policy/modules/services/rhgb.te
@@ -1,5 +1,5 @@
 
-policy_module(rhgb,1.4.0)
+policy_module(rhgb,1.4.1)
 
 ########################################
 #
@@ -106,6 +106,7 @@ sysnet_domtrans_ifconfig(rhgb_t)
 
 userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
 userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
+userdom_dontaudit_search_all_users_home_content(rhgb_t)
 
 xserver_read_xdm_xserver_tmp_files(rhgb_t)
 xserver_kill_xdm_xserver(rhgb_t)
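Review bot: The added userdom_dontaudit_search_all_users_home_content(rhgb_t) silences search denials on every user's home content, a far wider scope than the userdom_dontaudit_search_sysadm_home_dirs(rhgb_t) line directly above it, and the hunk gives no reason a boot splash should be touching home directories at all. A dontaudit of this breadth also hides any future misbehaviour of rhgb_t under home directories from the audit log, so a comment recording the observed cause, e.g. `# rhgb probes user home content for <OBSERVED REASON>; suppress the noise`, would let a later reviewer decide whether it can be narrowed. If the new interface already covers sysadm home dirs, the preceding line may now be redundant; that depends on userdom.if, which is not part of this diff.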
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 2f75efa..1224ba2 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -1,4 +1,3 @@
-
 /dev/log		-s	gen_context(system_u:object_r:devlog_t,s0)
 
 /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
@@ -7,6 +6,8 @@
 /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
 /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
 /sbin/minilogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
+/sbin/rklogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
+/sbin/rsyslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 7841e71..3a56695 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -219,6 +219,25 @@ interface(`logging_manage_audit_log',`
 
 ########################################
 ## <summary>
+##	Execute klogd in the klog domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_domtrans_klog',`
+	gen_require(`
+		type klogd_t, klogd_exec_t;
+	')
+
+	corecmd_search_bin($1)
+	domtrans_pattern($1,klogd_exec_t,klogd_t)
+')
+
+########################################
+## <summary>
 ##	Execute syslogd in the syslog domain.
 ## </summary>
 ## <param name="domain">
@@ -470,7 +489,7 @@ interface(`logging_read_all_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
-	read_files_pattern($1,var_log_t,logfile)
+	read_files_pattern($1,logfile, logfile)
 ')
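Review bot: Switching the directory argument of read_files_pattern in logging_read_all_logs from var_log_t to the logfile attribute means the interface now depends on `logfile` being declared in its gen_require block, which sits above this hunk; if that block only requires `type var_log_t;`, the reference is likely to fail at module build time, so it should also contain `attribute logfile;`. The new form grants search on directories of every logfile type rather than var_log_t alone, which is presumably the intent (logs kept in per-service subdirectories with their own type) and deserves a comment such as `# log dirs may carry their own logfile type, so search all of them, not just var_log_t`. Stylistically, `read_files_pattern($1,logfile, logfile)` mixes a space after the second comma with the no-space convention used on the neighbouring lines; `read_files_pattern($1,logfile,logfile)` matches the file.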
 
 ########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 12332f0..b046377 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging,1.7.3)
+policy_module(logging,1.7.4)
 
 ########################################
 #
@@ -61,10 +61,10 @@ ifdef(`enable_mls',`
 
 ########################################
 #
-# Auditd local policy
+# Auditctl local policy
 #
 
-allow auditctl_t self:capability { audit_write audit_control };
+allow auditctl_t self:capability { fsetid dac_read_search dac_override audit_write audit_control };
 allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
 
 read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
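Review bot: The capability rule for auditctl_t now adds dac_override next to dac_read_search and fsetid without a comment, and dac_override is the broadest of the three since it bypasses DAC checks for writes as well as reads, whereas dac_read_search alone covers the `# Needed for adding watches` case (stat/search of arbitrary watch targets) that the next hunk extends with files_getattr_all_files(auditctl_t). If the only observed denials were on reading or searching watch paths, `allow auditctl_t self:capability { dac_read_search audit_write audit_control };` may be sufficient, and fsetid presumably only matters if auditctl modifies set-id files, which nothing in this diff shows. At minimum a comment such as `# dac_read_search: audit watches may name files auditctl cannot otherwise stat` beside the rule would record why each capability was granted. The Auditd -> Auditctl comment correction is welcome.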
@@ -72,6 +72,7 @@ allow auditctl_t auditd_etc_t:dir list_dir_perms;
 
 # Needed for adding watches
 files_getattr_all_dirs(auditctl_t)
+files_getattr_all_files(auditctl_t)
 files_read_etc_files(auditctl_t)
 
 kernel_read_kernel_sysctls(auditctl_t)
@@ -265,6 +266,8 @@ files_pid_filetrans(syslogd_t,devlog_t,sock_file)
 
 # create/append log files.
 manage_files_pattern(syslogd_t,var_log_t,var_log_t)
+rw_fifo_files_pattern(syslogd_t,var_log_t,var_log_t)
+
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
 
@@ -330,6 +333,7 @@ init_use_fds(syslogd_t)
 domain_use_interactive_fds(syslogd_t)
 
 files_read_etc_files(syslogd_t)
+files_read_var_files(syslogd_t)
 files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
 files_dontaudit_search_isid_type_dirs(syslogd_t)

