[selinux-policy: 2688/3172] logrotate patch from Dan Walsh
Daniel J Walsh
dwalsh at fedoraproject.org
Thu Oct 7 22:59:01 UTC 2010
commit b8c9879a8cd2e2e41b41d5186dad2f9c30fd1a57
Author: Jeremy Solt <jsolt at tresys.com>
Date: Mon May 24 10:26:31 2010 -0400
logrotate patch from Dan Walsh
policy/modules/admin/logrotate.te | 42 ++++++++++++++++++++++++++++++++++--
1 files changed, 39 insertions(+), 3 deletions(-)
---
diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te
index 2648a1f..64ff7c5 100644
--- a/policy/modules/admin/logrotate.te
+++ b/policy/modules/admin/logrotate.te
@@ -32,7 +32,7 @@ files_type(logrotate_var_lib_t)
# Change ownership on log files.
allow logrotate_t self:capability { chown dac_override dac_read_search kill fsetid fowner sys_resource sys_nice };
# for mailx
-dontaudit logrotate_t self:capability { setuid setgid };
+dontaudit logrotate_t self:capability { setuid setgid sys_ptrace };
allow logrotate_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
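Review bot: The `# for mailx` comment above the dontaudit rule now also covers `sys_ptrace`, which it does not explain and which probably has a different cause than the setuid/setgid denials. Because dontaudit suppresses the AVC record, a sys_ptrace capability check from logrotate_t no longer appears in the audit log, so the reason should be written down. I would split it into its own rule with its own comment, `# sys_ptrace: requested by <trigger>, denied and intentionally not logged` followed by `dontaudit logrotate_t self:capability sys_ptrace;`, with the trigger filled in by the author.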
@@ -63,6 +63,7 @@ files_tmp_filetrans(logrotate_t, logrotate_tmp_t, { file dir })
create_dirs_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
manage_files_pattern(logrotate_t, logrotate_var_lib_t, logrotate_var_lib_t)
files_var_lib_filetrans(logrotate_t, logrotate_var_lib_t, file)
+files_read_var_lib_files(logrotate_t)
kernel_read_system_state(logrotate_t)
kernel_read_kernel_sysctls(logrotate_t)
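Review bot: `files_read_var_lib_files(logrotate_t)` is added without a comment, and by its name it grants read on generically labelled /var/lib files rather than on logrotate's own `logrotate_var_lib_t`, which the three lines above already manage. If the need is one package's state file, a dedicated type with a narrower interface would be the better fit. Otherwise a one-line comment naming the file or script that needs the read should accompany the line.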
@@ -108,6 +109,7 @@ init_domtrans_script(logrotate_t)
logging_manage_all_logs(logrotate_t)
logging_send_syslog_msg(logrotate_t)
+logging_send_audit_msgs(logrotate_t)
# cjp: why is this needed?
logging_exec_all_logs(logrotate_t)
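Review bot: `logging_send_audit_msgs(logrotate_t)` lets a domain that already manages every log file also emit its own audit records, and nothing in the hunk says which program needs that. The line directly below it already carries `# cjp: why is this needed?`, so a second unexplained grant here is worth avoiding. If it exists for the `su_exec` block added in the last hunk of this patch (an inference, not shown in the diff), move it into that `optional_policy` block or add a comment such as `# su reports through the audit subsystem`.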
@@ -116,7 +118,7 @@ miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
userdom_use_user_terminals(logrotate_t)
-userdom_dontaudit_search_user_home_dirs(logrotate_t)
+userdom_list_user_home_dirs(logrotate_t)
userdom_use_unpriv_users_fds(logrotate_t)
cron_system_entry(logrotate_t, logrotate_exec_t)
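Review bot: Replacing `userdom_dontaudit_search_user_home_dirs` with `userdom_list_user_home_dirs` turns a silently denied access into a granted one, so logrotate_t can now enumerate the contents of user home directories. Neither the commit message nor a comment says which rotate configuration needs this. If the need is only to traverse the directory to reach a known log path, `userdom_search_user_home_dirs(logrotate_t)` would be the narrower grant. Either way the line should carry a comment naming the use case.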
@@ -137,6 +139,10 @@ ifdef(`distro_debian', `
')
optional_policy(`
+ abrt_cache_manage(logrotate_t)
+')
+
+optional_policy(`
acct_domtrans(logrotate_t)
acct_manage_data(logrotate_t)
acct_exec_data(logrotate_t)
@@ -149,6 +155,14 @@ optional_policy(`
')
optional_policy(`
+ asterisk_domtrans(logrotate_t)
+')
+
+optional_policy(`
+ bind_manage_cache(logrotate_t)
+')
+
+optional_policy(`
consoletype_exec(logrotate_t)
')
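Review bot: `asterisk_domtrans(logrotate_t)` gives logrotate a transition into another daemon's domain with no comment, and the same applies to `psad_domtrans` and `sssd_domtrans` in the hunk at -183,6. These are presumably there so a postrotate command can ask the daemon to reopen its logs, but that is not stated. Where a signal is enough, a signal-only interface like the `icecast_signal` call added in this patch is narrower than a full transition. Each block should say which it is, e.g. `# postrotate runs the daemon's control binary to reopen logs`.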
@@ -157,11 +171,15 @@ optional_policy(`
')
optional_policy(`
+ fail2ban_stream_connect(logrotate_t)
+')
+
+optional_policy(`
hostname_exec(logrotate_t)
')
optional_policy(`
- samba_exec_log(logrotate_t)
+ icecast_signal(logrotate_t)
')
optional_policy(`
@@ -183,6 +201,19 @@ optional_policy(`
')
optional_policy(`
+ psad_domtrans(logrotate_t)
+')
+
+
+optional_policy(`
+ samba_exec_log(logrotate_t)
+')
+
+optional_policy(`
+ sssd_domtrans(logrotate_t)
+')
+
+optional_policy(`
slrnpull_manage_spool(logrotate_t)
')
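Review bot: The `psad_domtrans` block is followed by two added blank lines, whereas every other `optional_policy` block in this patch is separated by one; drop the extra one. The `samba_exec_log` block is only being moved here from the -157,11 hunk to keep the blocks in alphabetical order, which is fine, but it means the `icecast_signal` line there reads as a replacement when it is not. A short mention of the reorder in the commit message would save reviewers from checking whether samba access was dropped.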
@@ -191,5 +222,10 @@ optional_policy(`
')
optional_policy(`
+ #Red Hat bug 564565
+ su_exec(logrotate_t)
+')
+
+optional_policy(`
varnishd_manage_log(logrotate_t)
')
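Review bot: `su_exec(logrotate_t)` runs su without a domain transition, so su executes as logrotate_t, yet the first hunk of this patch keeps `setuid setgid` under dontaudit and the `allow ... self:capability` line above it does not list them. Unless a rule outside this diff grants those capabilities, su will be unable to switch user and the denial will not be logged, which makes the failure hard to diagnose. Either confirm the capabilities are allowed elsewhere or move them from the dontaudit rule to the allow rule. The comment `#Red Hat bug 564565` should also say what the bug is about, in the form `# <one-line reason> (Red Hat bug 564565)`.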