This set is to support changes on the contrib module (which will be sent out
later), mainly introducing two interfaces needed by fail2ban-client (fail2ban
module) and adding the sys_admin capability to ifconfig_t for flushing routing
cache.
Sven Vermeulen (3):
Introduce logging_getattr_all_logs interface
Introduce logging_search_all_log_dirs interface
Support flushing routing cache
policy/modules/system/logging.if | 39 ++++++++++++++++++++++++++++++++++-
policy/modules/system/sysnetwork.te | 2 +-
2 files changed, 39 insertions(+), 2 deletions(-)
--
1.7.8.6
Support the logging_getattr_all_logs interface, which will be used by
applications responsible for reviewing the state of log files (without needing
to read them), such as the fail2ban-client application.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/logging.if | 20 +++++++++++++++++++-
1 files changed, 19 insertions(+), 1 deletions(-)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 321bb13..be20dca 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -705,7 +705,7 @@ interface(`logging_setattr_all_log_dirs',`
########################################
## <summary>
-## Do not audit attempts to get the atttributes
+## Do not audit attempts to get the attributes
## of any log files.
## </summary>
## <param name="domain">
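Review bot: This one-word spelling fix in the logging_dontaudit_getattr_all_logs summary is unrelated to the new interface the patch introduces; it is harmless, but it belongs in its own commit or at least a mention in the commit message. Note also that the same misspelling ("atttributes") is reintroduced in the summary of the new interface added further down in this patch, so the fix should be applied to both places in one pass.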
@@ -724,6 +724,24 @@ interface(`logging_dontaudit_getattr_all_logs',`
########################################
## <summary>
+## Read the atttributes of any log file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`logging_getattr_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:file getattr;
+')
+
+########################################
+## <summary>
## Append to all log files.
## </summary>
## <param name="domain">
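Review bot: The new summary "Read the atttributes of any log file" repeats the typo that the previous hunk corrects, and it lacks the terminating period used by the neighbouring summaries ("Append to all log files."). More importantly, `allow $1 logfile:file getattr;` on its own does not let a caller stat a log file: the domain also needs search on the directories that hold it, which this series only provides through the separate logging_search_all_log_dirs interface. Either grant `logfile:dir search_dir_perms` here as well, or document in the interface description that callers must pair it with the directory-search interface; otherwise a domain that calls only logging_getattr_all_logs still hits directory search denials.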
--
1.7.8.6
Support the logging_search_all_log_dirs interface for applications such as
fail2ban-client, which scan through log directories.
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/logging.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index be20dca..6957993 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -686,6 +686,25 @@ interface(`logging_rw_generic_log_dirs',`
#######################################
## <summary>
+## Search through all log dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_search_all_log_dirs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
## Set attributes on all log dirs.
## </summary>
## <param name="domain">
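Review bot: The `<rolecap/>` tag on logging_search_all_log_dirs marks the interface as a role capability, but the commit message justifies it only for fail2ban-client, and the neighbouring interfaces in this region (logging_rw_generic_log_dirs, logging_setattr_all_log_dirs) carry no such tag in the visible context. Drop the tag unless user roles are really meant to receive search on every log directory. Separately, the commit message says the caller scans through log directories, yet the rule grants only `logfile:dir search_dir_perms`; confirm that search alone (no list/read of the directory) is enough for that use, or grant list_dir_perms instead.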
--
1.7.8.6
To flush the routing cache, ifconfig_t (through the "ip" command) requires the
sys_admin capability. Without it:
~# ip route flush cache
Cannot flush routing cache
Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/sysnetwork.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index d11e7c5..b2bf762 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -243,7 +243,7 @@ optional_policy(`
# Ifconfig local policy
#
-allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
+allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
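Review bot: Adding sys_admin to ifconfig_t is a far broader grant than the commit message describes: CAP_SYS_ADMIN covers mounting, many privileged ioctls and a long list of other operations, not just flushing the routing cache. The message shows only the user-visible failure ("Cannot flush routing cache") and not the AVC denial, so the requirement cannot be verified from the patch; include the denial, state whether a narrower capability was tried, and if sys_admin is genuinely what the kernel checks for this operation, put a comment above the rule (e.g. "# ip route flush cache") so the reason for the extra capability is not lost.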
--
1.7.8.6
On 10/19/12 14:51, Sven Vermeulen wrote:
> This set is to support changes on the contrib module (which will be sent out
> later), mainly introducing two interfaces needed by fail2ban-client (fail2ban
> module) and adding the sys_admin capability to ifconfig_t for flushing routing
> cache.
>
> Sven Vermeulen (3):
> Introduce logging_getattr_all_logs interface
> Introduce logging_search_all_log_dirs interface
> Support flushing routing cache
>
> policy/modules/system/logging.if | 39 ++++++++++++++++++++++++++++++++++-
> policy/modules/system/sysnetwork.te | 2 +-
> 2 files changed, 39 insertions(+), 2 deletions(-)
This set merged. I renamed the second interface.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com