The directory /etc/rsyslog.d is used by rsyslog for drop-in configuration files (referenced by the default /etc/rsyslog.conf). Label as syslog_conf_t to match /etc/rsyslog.conf labeling.
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/logging.fc | 1 +
policy/modules/system/logging.te | 1 +
2 files changed, 2 insertions(+)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 0d8a4173..b8df5fe7 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -2,6 +2,7 @@
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 5eeaece1..7d0a71d2 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -394,6 +394,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:dir list_dir_perms;
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
--
2.13.5
On 09/07/2017 10:47 AM, David Sugar via refpolicy wrote:
> The directory /etc/rsyslog.d is used by rsyslog for drop-in configuration files (referenced by the default /etc/rsyslog.conf). Label as syslog_conf_t to match /etc/rsyslog.conf labeling.
>
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/logging.fc | 1 +
> policy/modules/system/logging.te | 1 +
> 2 files changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index 0d8a4173..b8df5fe7 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -2,6 +2,7 @@
>
> /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
> /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
> /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 5eeaece1..7d0a71d2 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -394,6 +394,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
> allow syslogd_t self:tcp_socket create_stream_socket_perms;
>
> allow syslogd_t syslog_conf_t:file read_file_perms;
> +allow syslogd_t syslog_conf_t:dir list_dir_perms;
>
> # Create and bind to /dev/log or /var/run/log.
> allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
I'm not clear why this is needed when the directory would be etc_t
otherwise, which syslog can already list.
--
Chris PeBenito
> -----Original Message-----
> From: Chris PeBenito [mailto:pebenito at ieee.org]
> Sent: Friday, September 08, 2017 11:48 AM
> To: David Sugar; refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Label /etc/rsyslog.d
>
> On 09/07/2017 10:47 AM, David Sugar via refpolicy wrote:
> > The directory /etc/rsyslog.d is used by rsyslog for drop-in
> configuration files (referenced by the default /etc/rsyslog.conf).
> Label as syslog_conf_t to match /etc/rsyslog.conf labeling.
> >
> >
> > Signed-off-by: Dave Sugar <[email protected]>
> > ---
> > policy/modules/system/logging.fc | 1 +
> > policy/modules/system/logging.te | 1 +
> > 2 files changed, 2 insertions(+)
> >
> > diff --git a/policy/modules/system/logging.fc
> > b/policy/modules/system/logging.fc
> > index 0d8a4173..b8df5fe7 100644
> > --- a/policy/modules/system/logging.fc
> > +++ b/policy/modules/system/logging.fc
> > @@ -2,6 +2,7 @@
> >
> > /etc/rsyslog.conf
> gen_context(system_u:object_r:syslog_conf_t,s0)
> > /etc/syslog.conf
> gen_context(system_u:object_r:syslog_conf_t,s0)
> > +/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
> > /etc/audit(/.*)?
> gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
> > /etc/rc\.d/init\.d/auditd --
> gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
> > /etc/rc\.d/init\.d/rsyslog --
> gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
> > diff --git a/policy/modules/system/logging.te
> > b/policy/modules/system/logging.te
> > index 5eeaece1..7d0a71d2 100644
> > --- a/policy/modules/system/logging.te
> > +++ b/policy/modules/system/logging.te
> > @@ -394,6 +394,7 @@ allow syslogd_t self:udp_socket
> create_socket_perms;
> > allow syslogd_t self:tcp_socket create_stream_socket_perms;
> >
> > allow syslogd_t syslog_conf_t:file read_file_perms;
> > +allow syslogd_t syslog_conf_t:dir list_dir_perms;
> >
> > # Create and bind to /dev/log or /var/run/log.
> > allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
>
> I'm not clear why this is needed when the directory would be etc_t
> otherwise, which syslog can already list.
>
Good point, I didn't make that clear in the text. A domain that has access to edit/create files of syslog_conf_t would not be able to edit files in /etc/rsyslog.d/ as they are etc_t (as you pointed out). And granting permission to edit etc_t files seems like a bit too much access. The change to the .fc file labels the directory (and contained files) syslog_conf_t so all the syslog config files have the same type. The change to the .if file to grant access to directory list permission was needed by rsyslog as it was (I assume) enumerating files in the directory.
I also have a change (which I planned to submit separately) also in logging.if the interface logging_admin_syslog to add a filename to the 'files_etc_filetrans'. I was having a problem with a process that was creating files in an etc_t directory (that are not syslog config files) getting labeled syslog_conf_t. Maybe these two changes really are related and should be one patch.
Dave Sugar
> --
> Chris PeBenito
On 09/08/2017 12:10 PM, David Sugar via refpolicy wrote:
>
>
>> -----Original Message-----
>> From: Chris PeBenito [mailto:pebenito at ieee.org]
>> Sent: Friday, September 08, 2017 11:48 AM
>> To: David Sugar; refpolicy at oss.tresys.com
>> Subject: Re: [refpolicy] [PATCH 1/1] Label /etc/rsyslog.d
>>
>> On 09/07/2017 10:47 AM, David Sugar via refpolicy wrote:
>>> The directory /etc/rsyslog.d is used by rsyslog for drop-in
>> configuration files (referenced by the default /etc/rsyslog.conf).
>> Label as syslog_conf_t to match /etc/rsyslog.conf labeling.
>>>
>>>
>>> Signed-off-by: Dave Sugar <[email protected]>
>>> ---
>>> policy/modules/system/logging.fc | 1 +
>>> policy/modules/system/logging.te | 1 +
>>> 2 files changed, 2 insertions(+)
>>>
>>> diff --git a/policy/modules/system/logging.fc
>>> b/policy/modules/system/logging.fc
>>> index 0d8a4173..b8df5fe7 100644
>>> --- a/policy/modules/system/logging.fc
>>> +++ b/policy/modules/system/logging.fc
>>> @@ -2,6 +2,7 @@
>>>
>>> /etc/rsyslog.conf
>> gen_context(system_u:object_r:syslog_conf_t,s0)
>>> /etc/syslog.conf
>> gen_context(system_u:object_r:syslog_conf_t,s0)
>>> +/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
>>> /etc/audit(/.*)?
>> gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
>>> /etc/rc\.d/init\.d/auditd --
>> gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
>>> /etc/rc\.d/init\.d/rsyslog --
>> gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
>>> diff --git a/policy/modules/system/logging.te
>>> b/policy/modules/system/logging.te
>>> index 5eeaece1..7d0a71d2 100644
>>> --- a/policy/modules/system/logging.te
>>> +++ b/policy/modules/system/logging.te
>>> @@ -394,6 +394,7 @@ allow syslogd_t self:udp_socket
>> create_socket_perms;
>>> allow syslogd_t self:tcp_socket create_stream_socket_perms;
>>>
>>> allow syslogd_t syslog_conf_t:file read_file_perms;
>>> +allow syslogd_t syslog_conf_t:dir list_dir_perms;
>>>
>>> # Create and bind to /dev/log or /var/run/log.
>>> allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
>>
>> I'm not clear why this is needed when the directory would be etc_t
>> otherwise, which syslog can already list.
>>
>
> Good point, I didn't make that clear in the text. A domain that has access to edit/create files of syslog_conf_t would not be able to edit files in /etc/rsyslog.d/ as they are etc_t (as you pointed out). And granting permission to edit etc_t files seems like a bit too much access. The change to the .fc file labels the directory (and contained files) syslog_conf_t so all the syslog config files have the same type. The change to the .if file to grant access to directory list permission was needed by rsyslog as it was (I assume) enumerating files in the directory.
>
> I also have a change (which I planned to submit separately) also in logging.if the interface logging_admin_syslog to add a filename to the 'files_etc_filetrans'. I was having a problem with a process that was creating files in an etc_t directory (that are not syslog config files) getting labeled syslog_conf_t. Maybe these two changes really are related and should be one patch.
I'd prefer to see them paired, to evaluate it as a whole.
--
Chris PeBenito