2012-11-10 16:52:02

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/2] Smaller updates on main policy modules

This patchset contains a few smaller updates on the main policy modules. The
first one (syslogger managing cron log files) requires the cron_manage_log
interface to be available in the cron module first (sent earlier as a patch).

Sven Vermeulen (2):
Allow syslogger to manage cron log files
Run ipset in iptables domain

policy/modules/system/iptables.fc | 1 +
policy/modules/system/logging.te | 5 +++++
2 files changed, 6 insertions(+), 0 deletions(-)

--
1.7.8.6


2012-11-10 16:52:03

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/2] Allow syslogger to manage cron log files

Some cron daemons, including vixie-cron, support using the system logger for
handling their logging events. Hence we allow syslogd_t to manage the cron logs,
and put a file transition in place for the system logger when it creates the
cron.log file.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/logging.te | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 72d67ad..091db87 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -490,6 +490,11 @@ optional_policy(`
')

optional_policy(`
+ cron_manage_log(syslogd_t)
+ cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
+')
+
+optional_policy(`
inn_manage_log(syslogd_t)
')
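Review bot: `cron_manage_log(syslogd_t)` on the first added line depends on an interface that, per the cover letter, only exists in a separately sent cron module patch, so this hunk will not build against the current tree on its own; either include the cron.if change in this series or call the existing `cron_manage_log_files()` instead. The `cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")` line has the same dependency and should be checked when the interface name is settled.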

--
1.7.8.6

2012-11-10 16:52:04

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/2] Run ipset in iptables domain

The ipset command is used to manage ip sets, used by iptables for a more
flexible management of firewall rules. It has very similar requirements to
iptables for accessing and working with the Linux kernel, so ipset is marked as
iptables_exec_t to have it run in the iptables domain.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/iptables.fc | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 14cffd2..1b93eb7 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -15,6 +15,7 @@
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)

/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
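Review bot: the new `/usr/sbin/ipset` entry only labels the /usr/sbin path, while the surrounding context (`/sbin/xtables-multi` above, `/usr/sbin/ip*` entries here) shows this file labels both /sbin and /usr/sbin locations; if ipset is installed as /sbin/ipset on some systems it would stay unlabelled and run in the caller's domain rather than iptables_t, so a matching `/sbin/ipset` entry is worth adding. The commit message asserts ipset's kernel access needs match those of iptables but does not say how that was confirmed; a sentence noting that ipset was run under iptables_t without denials would make the domain reuse easier to review.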
--
1.7.8.6

2012-11-27 13:37:28

by cpebenito

Subject: [refpolicy] [PATCH 0/2] Smaller updates on main policy modules

On 11/10/12 11:52, Sven Vermeulen wrote:
> This patchset contains a few smaller updates on the main policy modules. The
> first one (syslogger managing cron log files) requires the cron_manage_log
> interface to be available in the cron module first (sent earlier as a patch).
>
> Sven Vermeulen (2):
> Allow syslogger to manage cron log files
> Run ipset in iptables domain
>
> policy/modules/system/iptables.fc | 1 +
> policy/modules/system/logging.te | 5 +++++
> 2 files changed, 6 insertions(+), 0 deletions(-)

This set merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-11-27 13:40:13

by cpebenito

Subject: [refpolicy] [PATCH 0/2] Smaller updates on main policy modules

On 11/27/12 08:37, Christopher J. PeBenito wrote:
> On 11/10/12 11:52, Sven Vermeulen wrote:
>> This patchset contains a few smaller updates on the main policy modules. The
>> first one (syslogger managing cron log files) requires the cron_manage_log
>> interface to be available in the cron module first (sent earlier as a patch).
>>
>> Sven Vermeulen (2):
>> Allow syslogger to manage cron log files
>> Run ipset in iptables domain
>>
>> policy/modules/system/iptables.fc | 1 +
>> policy/modules/system/logging.te | 5 +++++
>> 2 files changed, 6 insertions(+), 0 deletions(-)
>
> This set merged.

Hit send too fast; only merged the iptables one. Cron interface doesn't exist for use in logging.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2012-11-27 13:58:19

by dominick.grift

Subject: [refpolicy] [PATCH 1/2] Allow syslogger to manage cron log files

On Sat, 2012-11-10 at 17:52 +0100, Sven Vermeulen wrote:
> Some cron daemons, including vixie-cron, support using the system logger for
> handling their logging events. Hence we allow syslogd_t to manage the cron logs,
> and put a file transition in place for the system logger when it creates the
> cron.log file.
>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> policy/modules/system/logging.te | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 72d67ad..091db87 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -490,6 +490,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + cron_manage_log(syslogd_t)

There is a cron_manage_log_files()

> + cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
> +')
> +
> +optional_policy(`
> inn_manage_log(syslogd_t)
> ')
>
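Review bot: the file transition in `cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")` only fires for a file named exactly "cron.log"; if the system logger is configured to write cron messages to a differently named file, that file keeps the generic log label and the `cron_manage_log` access granted on the line above does not apply to it. The commit message should state that "cron.log" matches the default logger configuration, or the patch should note that other names need a separate transition.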