[selinux-policy: 2545/3172] Logging patch from Dan Walsh.

Daniel J Walsh dwalsh at fedoraproject.org
Thu Oct 7 22:46:12 UTC 2010


commit 7a8807b627416b4836a2fe25fb9c854c5e42641e
Author: Chris PeBenito <cpebenito at tresys.com>
Date:   Wed Mar 17 14:40:06 2010 -0400

    Logging patch from Dan Walsh.

 policy/modules/system/logging.fc |    4 ++++
 policy/modules/system/logging.if |   14 ++++++++++++++
 policy/modules/system/logging.te |   37 +++++++++++++++++++++++++++----------
 3 files changed, 45 insertions(+), 10 deletions(-)
---
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index b5e845a..362614c 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -51,6 +51,7 @@ ifndef(`distro_gentoo',`
 
 ifdef(`distro_redhat',`
 /var/named/chroot/var/log -d	gen_context(system_u:object_r:var_log_t,s0)
+/var/named/chroot/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
 ')
 
 /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
@@ -62,6 +63,9 @@ ifdef(`distro_redhat',`
 /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 
+/var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
 /var/spool/postfix/pid	-d	gen_context(system_u:object_r:var_run_t,s0)
+/var/spool/plymouth/boot.log	gen_context(system_u:object_r:var_log_t,s0)
+/var/spool/rsyslog(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)
 
 /var/tinydns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
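Review bot: The new `/var/spool/plymouth/boot.log` entry leaves the dot unescaped, so in the file-context regex it matches any character, unlike `metalog\.pid` and `syslogd\.pid` just above it; write `/var/spool/plymouth/boot\.log	--	gen_context(system_u:object_r:var_log_t,s0)`. The two new `(/.*)?` entries for bacula and rsyslog also carry a trailing space before the tab separator, which none of the surrounding lines do. Separately, /var/spool/rsyslog is presumably rsyslog's disk-queue working directory rather than a finished log; labeling it var_log_t exposes queued, not-yet-delivered messages to every domain that may read generic logs, which may be intended but deserves a comment on the line.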
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 50c6bae..fa5684a 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -96,6 +96,20 @@ interface(`logging_set_loginuid',`
 
 ########################################
 ## <summary>
+##	Set tty auditing
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_set_tty_audit',`
+	allow $1 self:netlink_audit_socket { r_netlink_socket_perms nlmsg_tty_audit };
+')
+
+########################################
+## <summary>
 ##	Set up audit
 ## </summary>
 ## <param name="domain">
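Review bot: The summary `Set tty auditing` on the new `logging_set_tty_audit` interface does not tell callers that the rule grants the whole `r_netlink_socket_perms` set on `netlink_audit_socket`, not only `nlmsg_tty_audit`; a summary such as `Enable tty auditing over the audit netlink socket (read socket permissions plus nlmsg_tty_audit).` makes the scope visible at the call site. If the intended callers are login programs, a short `<desc>` block naming that use case would help maintainers decide when the interface is appropriate.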
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index f6ba06c..1b05b64 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
 
-policy_module(logging, 1.15.1)
+policy_module(logging, 1.15.2)
 
 ########################################
 #
@@ -101,6 +101,7 @@ files_read_etc_files(auditctl_t)
 
 kernel_read_kernel_sysctls(auditctl_t)
 kernel_read_proc_symlinks(auditctl_t)
+kernel_setsched(auditctl_t)
 
 domain_read_all_domains_state(auditctl_t)
 domain_use_interactive_fds(auditctl_t)
@@ -123,10 +124,10 @@ logging_send_syslog_msg(auditctl_t)
 
 allow auditd_t self:capability { chown fsetid sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
-allow auditd_t self:process { signal_perms setpgid setsched };
+allow auditd_t self:process { getcap signal_perms setcap setpgid setsched };
 allow auditd_t self:file rw_file_perms;
 allow auditd_t self:unix_dgram_socket create_socket_perms;
-allow auditd_t self:fifo_file rw_file_perms;
+allow auditd_t self:fifo_file rw_fifo_file_perms;
 allow auditd_t self:tcp_socket create_stream_socket_perms;
 
 allow auditd_t auditd_etc_t:dir list_dir_perms;
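Review bot: The `getcap`/`setcap` additions to `auditd_t self:process` on the changed line have no comment saying why auditd now manipulates its own capability set, whereas this file documents such grants elsewhere (`# setpgid for metalog`); a line like `# getcap/setcap: auditd adjusts its own capabilities at startup (confirm reason)` above it would help. If auditd raises capabilities rather than only dropping them, it may also need `setpcap` in the `self:capability` set on the line above, which the audisp_t hunk below grants but this one does not.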
@@ -215,9 +216,9 @@ optional_policy(`
 # audit dispatcher local policy
 #
 
-allow audisp_t self:capability sys_nice;
-allow audisp_t self:process setsched;
-allow audisp_t self:fifo_file rw_file_perms;
+allow audisp_t self:capability { dac_override setpcap sys_nice };
+allow audisp_t self:process { getcap signal_perms setcap setsched };
+allow audisp_t self:fifo_file rw_fifo_file_perms;
 allow audisp_t self:unix_stream_socket create_stream_socket_perms;
 allow audisp_t self:unix_dgram_socket create_socket_perms;
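Review bot: `dac_override` is added to `audisp_t self:capability` on the new capability line without a comment; it bypasses every DAC check on files, so a reviewer cannot tell whether the dispatcher only needs to read files it does not own (where `dac_read_search` would suffice) or genuinely needs write access. Add a why-comment above the line, e.g. `# dac_override: <reason - confirm>`, or narrow the grant to `dac_read_search` if reads are all that is required. The same applies to `setpcap`, which together with the new `setcap` process permission on the next line lets the dispatcher modify its own capability set.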
 
@@ -226,11 +227,13 @@ allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
 
-corecmd_search_bin(audisp_t)
+corecmd_exec_bin(audisp_t)
+corecmd_exec_shell(audisp_t)
 
 domain_use_interactive_fds(audisp_t)
 
 files_read_etc_files(audisp_t)
+files_read_etc_runtime_files(audisp_t)
 
 mls_file_write_all_levels(audisp_t)
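Review bot: `corecmd_exec_bin` and `corecmd_exec_shell` replace `corecmd_search_bin` with no domain transition, so whatever audisp_t executes — presumably its dispatcher plugins — runs in the audisp_t domain with the capabilities granted in the hunk above (dac_override, setpcap). If the plugins have their own types, a `domtrans` to them keeps the dispatcher's privileges out of the plugin; otherwise a comment such as `# audisp plugins run in the dispatcher domain (confirm)` above the exec lines documents that this is deliberate.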
 
@@ -240,6 +243,10 @@ miscfiles_read_localization(audisp_t)
 
 sysnet_dns_name_resolve(audisp_t)
 
+optional_policy(`
+	dbus_system_bus_client(audisp_t)
+')
+
 ########################################
 #
 # Audit remote logger local policy
@@ -251,6 +258,9 @@ corenet_all_recvfrom_unlabeled(audisp_remote_t)
 corenet_all_recvfrom_netlabel(audisp_remote_t)
 corenet_tcp_sendrecv_generic_if(audisp_remote_t)
 corenet_tcp_sendrecv_generic_node(audisp_remote_t)
+corenet_tcp_sendrecv_all_ports(audisp_remote_t)
+corenet_tcp_bind_audit_port(audisp_remote_t)
+corenet_tcp_bind_generic_node(audisp_remote_t)
 corenet_tcp_connect_audit_port(audisp_remote_t)
 corenet_sendrecv_audit_client_packets(audisp_remote_t)
 
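Review bot: `corenet_tcp_sendrecv_all_ports` on the first added line is broader than the surrounding rules justify: the hunk only connects to and binds the audit port, so `corenet_tcp_sendrecv_audit_port(audisp_remote_t)` covers the traffic described here. `corenet_tcp_bind_audit_port` together with `corenet_tcp_bind_generic_node` also turns this domain into a listener on the audit port; if that is intended (a receiving side sharing the domain), a comment above the bind lines saying so would help, since the section header names this the audit remote logger.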
@@ -332,13 +342,12 @@ optional_policy(`
 allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
 dontaudit syslogd_t self:capability sys_tty_config;
 # setpgid for metalog
-# setrlimit for syslog-ng
-allow syslogd_t self:process { signal_perms setpgid setrlimit };
+allow syslogd_t self:process { signal_perms setpgid };
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
 allow syslogd_t self:unix_dgram_socket sendto;
-allow syslogd_t self:fifo_file rw_file_perms;
+allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
 
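Review bot: The new `self:process` line drops `setrlimit` along with the `# setrlimit for syslog-ng` comment that justified it, while the metalog comment is kept; if syslog-ng still calls setrlimit() this hunk introduces a denial for it. If the removal is deliberate, the commit message should say why; otherwise keep `allow syslogd_t self:process { signal_perms setpgid setrlimit };` and the comment.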
@@ -462,10 +471,18 @@ ifdef(`distro_ubuntu',`
 ')
 
 optional_policy(`
+	bind_search_cache(syslogd_t)
+')
+
+optional_policy(`
 	inn_manage_log(syslogd_t)
 ')
 
 optional_policy(`
+	mysql_stream_connect(syslogd_t)
+')
+
+optional_policy(`
 	postgresql_stream_connect(syslogd_t)
 ')
 

