Subject: Re: [PATCH] label journald configuraiton files syslog_conf_t
To: "Sugar, David", "selinux-refpolicy@vger.kernel.org"
From: Chris PeBenito
Date: Wed, 16 Jan 2019 18:12:29 -0500
Message-ID: <907e3869-21e4-61e5-f6d9-a935d548a378@ieee.org>
In-Reply-To: <20190115032018.28662-3-dsugar@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/14/19 10:20 PM, Sugar, David wrote:
> journald already runs as syslogd_t label the config files similarly to
> allow editing by domains that can edit syslog configuration files.
> Also added some missing '\' before dot in filenames.
> > Signed-off-by: Dave Sugar > --- > policy/modules/system/logging.fc | 14 ++++++++------ > 1 file changed, 8 insertions(+), 6 deletions(-) > > diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc > index c579c2d3..6693d87b 100644 > --- a/policy/modules/system/logging.fc > +++ b/policy/modules/system/logging.fc > @@ -1,11 +1,13 @@ > /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) > > -/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) > -/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) > -/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) > -/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) > -/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) > -/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) > +/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) > +/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) > +/etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) > +/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) > +/etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0) > +/etc/systemd/journald\.conf\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) > +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) > +/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) > > /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) > /usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)

Merged, though preferably, the whitespace changes would have been a separate patch.

-- 
Chris PeBenito
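
Review bot: the added entry /etc/systemd/journal.*\.conf matches more than the commit message describes. The ".*" is not limited to a single path component, so besides journald.conf it also covers names such as journal-remote.conf and journal-upload.conf, and any regular file ending in .conf below a directory under /etc/systemd whose name begins with "journal". If only journald's own configuration is meant, /etc/systemd/journald\.conf (or /etc/systemd/journal[^/]*\.conf for the sibling files) states that precisely; if the wider match is intended, the commit message should say which files are expected to become syslog_conf_t, since that type decides which domains may edit them. The same hunk also adds "--" to /etc/rsyslog\.conf and /etc/syslog\.conf, restricting those entries to regular files, which the message does not mention.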