2019-01-19 16:19:20

by Sugar, David

Subject: [PATCH] Add interface clamav_run

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/services/clamav.if | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 7b6df49e..3639d769 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -19,6 +19,32 @@ interface(`clamav_domtrans',`
domtrans_pattern($1, clamd_exec_t, clamd_t)
')

+########################################
+## <summary>
+## Execute clamd programs in the clamd
+## domain and allow the specified role
+## the clamd domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to transition.
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_run',`
+ gen_require(`
+ type clamd_t;
+ ')
+
+ clamav_domtrans($1)
+ role $2 types clamd_t;
+')
+
########################################
## <summary>
## Connect to clamd using a unix
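Review bot: the `<param name="role">` block is missing the `## <rolecap/>` tag that refpolicy's other `_run` interfaces carry between the role parameter's `</param>` and the `#` line, so the generated interface documentation will not mark `clamav_run` as a role capability; add `## <rolecap/>` there. The `gen_require` of `type clamd_t;` duplicates the require inside `clamav_domtrans`, but it is needed here because `role $2 types clamd_t;` names the type directly, so that part is fine as written.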
--
2.20.1



2019-01-19 16:19:21

by Sugar, David

Subject: [PATCH] Add interface to read journal files

When using 'systemctl status <service>' it will show recent
log entries for the selected service. These recent log
entries are coming from the journal. These rules allow the
reading of the journal files.

type=AVC msg=audit(1547760159.435:864): avc: denied { read } for pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:864): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:865): avc: denied { getattr } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc: denied { read } for pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.436:867): avc: denied { map } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/systemd.if | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 740b3a92..c6d40b10 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -409,6 +409,24 @@ interface(`systemd_manage_journal_files',`
allow $1 systemd_journal_t:file map;
')

+########################################
+## <summary>
+## Allow domain to read systemd_journal_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_journal_files',`
+ gen_require(`
+ type systemd_journal_t;
+ ')
+
+ list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
+ mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t)
+')

########################################
## <summary>
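Review bot: the denials quoted in the commit message are against `/var/log/journal` and a file below it, but the interface only grants search and list on `systemd_journal_t`; reaching that directory also needs search on the parent `/var/log` (`var_log_t`), which every caller will have to obtain separately. Consider adding `logging_search_logs($1)` to the body, as other refpolicy read interfaces for files under `/var/log` do, or state in the summary that the caller must provide it. Minor: the summary "Allow domain to read systemd_journal_t files" uses the type name where neighbouring summaries describe the object in words, e.g. "Read the systemd journal files."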
--
2.20.1
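As an added example (not part of the patch or of refpolicy), a small Python check that the AVC records in the commit message are actually covered by what `systemd_read_journal_files` grants: it groups denied permissions by source type, target type and class, then subtracts the permission sets behind `list_dirs_pattern` and `mmap_read_files_pattern`. The contents of those permission sets are assumptions about refpolicy's `obj_perm_sets.spt`, and the `var_log_t` record is constructed to show a denial the interface does not address.

```python
import re
from collections import defaultdict

# Permission sets behind the refpolicy macros the patch uses (assumed to match
# refpolicy's obj_perm_sets.spt at the time; verify against your tree).
SEARCH_DIR_PERMS = {"getattr", "search", "open"}
LIST_DIR_PERMS = {"getattr", "search", "open", "read", "lock", "ioctl"}
MMAP_READ_FILE_PERMS = {"getattr", "open", "read", "map", "lock", "ioctl"}

# What systemd_read_journal_files grants on systemd_journal_t, per object class:
# list_dirs_pattern -> dir perms, mmap_read_files_pattern -> file perms.
GRANTED = {"dir": SEARCH_DIR_PERMS | LIST_DIR_PERMS, "file": MMAP_READ_FILE_PERMS}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)

# Records from the commit message, trimmed of pid/dev/ino fields, plus one
# constructed var_log_t denial to show a gap the interface does not cover.
SAMPLE_AVCS = [
    'avc: denied { read } for comm="systemctl" name="journal" scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1',
    'avc: denied { open } for comm="systemctl" path="/var/log/journal" scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1',
    'avc: denied { read } for comm="systemctl" name="system.journal" scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1',
    'avc: denied { map } for comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1',
    'avc: denied { search } for comm="systemctl" name="log" scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=dir permissive=1',  # constructed
]

def parse_avcs(lines):
    """Group denied permissions by (source type, target type, object class)."""
    needed = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if not m:
            continue
        stype = m.group("scon").split(":")[2]
        ttype = m.group("tcon").split(":")[2]
        needed[(stype, ttype, m.group("tclass"))].update(m.group("perms").split())
    return dict(needed)

def uncovered(needed, target_type, granted):
    """Denied perms left unallowed by an interface granting `granted` on target_type.
    Denials against any other target type are reported whole: the caller must get those elsewhere."""
    gaps = {}
    for (stype, ttype, tclass), perms in needed.items():
        missing = perms - granted.get(tclass, set()) if ttype == target_type else set(perms)
        if missing:
            gaps[(stype, ttype, tclass)] = missing
    return gaps
```

Running `uncovered(parse_avcs(SAMPLE_AVCS), "systemd_journal_t", GRANTED)` reports only the constructed `var_log_t` search, i.e. the journal denials themselves are all inside the granted sets.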


2019-01-21 07:17:33

by Chris PeBenito

Subject: Re: [PATCH] Add interface clamav_run

On 1/19/19 11:19 AM, Sugar, David wrote:
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/services/clamav.if | 26 ++++++++++++++++++++++++++
> 1 file changed, 26 insertions(+)
>
> diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
> index 7b6df49e..3639d769 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -19,6 +19,32 @@ interface(`clamav_domtrans',`
> domtrans_pattern($1, clamd_exec_t, clamd_t)
> ')
>
> +########################################
> +## <summary>
> +## Execute clamd programs in the clamd
> +## domain and allow the specified role
> +## the clamd domain.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to transition.
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## Role allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_run',`
> + gen_require(`
> + type clamd_t;
> + ')
> +
> + clamav_domtrans($1)
> + role $2 types clamd_t;
> +')
> +
> ########################################
> ## <summary>
> ## Connect to clamd using a unix

Merged.

--
Chris PeBenito

2019-01-21 07:20:20

by Chris PeBenito

Subject: Re: [PATCH] Add interface to read journal files

On 1/19/19 11:19 AM, Sugar, David wrote:
> When using 'systemctl status <service>' it will show recent
> log entries for the selected service. These recent log
> entries are coming from the journal. These rules allow the
> reading of the journal files.
>
> type=AVC msg=audit(1547760159.435:864): avc: denied { read } for pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1547760159.435:864): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1547760159.435:865): avc: denied { getattr } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1547760159.435:866): avc: denied { read } for pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1547760159.435:866): avc: denied { open } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1547760159.436:867): avc: denied { map } for pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/systemd.if | 18 ++++++++++++++++++
> 1 file changed, 18 insertions(+)
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 740b3a92..c6d40b10 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -409,6 +409,24 @@ interface(`systemd_manage_journal_files',`
> allow $1 systemd_journal_t:file map;
> ')
>
> +########################################
> +## <summary>
> +## Allow domain to read systemd_journal_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_read_journal_files',`
> + gen_require(`
> + type systemd_journal_t;
> + ')
> +
> + list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
> + mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t)
> +')
>
> ########################################
> ## <summary>

Merged.

--
Chris PeBenito