2017-04-14 15:58:11

by Russell Coker

[permalink] [raw]
Subject: [refpolicy] [PATCH] systemd init

This patch lets mandb_t search init_var_run_t dirs which it needs when running
with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
pointless to put that in a separate patch.

Allow init_t to do several things that it requires when init is systemd.

Allow various operations on var_log_t to access var_log_t symlinks too.

Let auditd setattr it's directory.

Index: refpolicy-2.20170410/policy/modules/contrib/mandb.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/contrib/mandb.te
+++ refpolicy-2.20170410/policy/modules/contrib/mandb.te
@@ -32,6 +32,7 @@ allow mandb_t self:unix_stream_socket cr

kernel_read_kernel_sysctls(mandb_t)
kernel_read_system_state(mandb_t)
+fs_getattr_xattr_fs(mandb_t)

corecmd_exec_bin(mandb_t)
corecmd_exec_shell(mandb_t)
@@ -51,6 +52,10 @@ miscfiles_read_localization(mandb_t)

userdom_use_inherited_user_terminals(mandb_t)

+ifdef(`init_systemd',`
+ init_search_run(mandb_t)
+')
+
optional_policy(`
cron_system_entry(mandb_t, mandb_exec_t)
')
Index: refpolicy-2.20170410/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/init.te
+++ refpolicy-2.20170410/policy/modules/system/init.te
@@ -155,6 +155,7 @@ corecmd_exec_chroot(init_t)
corecmd_exec_bin(init_t)

dev_read_sysfs(init_t)
+logging_create_devlog_dev(init_t)
# Early devtmpfs
dev_rw_generic_chr_files(init_t)

@@ -316,6 +317,8 @@ ifdef(`init_systemd',`

seutil_read_file_contexts(init_t)

+ systemd_manage_lnk_file_passwd_run(init_t)
+
# udevd is a "systemd kobject uevent socket activated daemon"
udev_create_kobject_uevent_sockets(init_t)

@@ -402,7 +405,7 @@ optional_policy(`

allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
allow initrc_t self:capability ~{ sys_admin sys_module };
-allow initrc_t self:capability2 block_suspend;
+allow initrc_t self:capability2 { wake_alarm block_suspend };
dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
allow initrc_t self:passwd rootok;
allow initrc_t self:key manage_key_perms;
@@ -830,6 +833,7 @@ ifdef(`init_systemd',`
allow init_t self:process { getcap setcap };
allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
+ allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
# Until systemd is fixed
allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
allow init_t self:udp_socket create_socket_perms;
Index: refpolicy-2.20170410/policy/modules/system/logging.if
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/logging.if
+++ refpolicy-2.20170410/policy/modules/system/logging.if
@@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`

files_search_var($1)
filetrans_pattern($1, var_log_t, $2, $3, $4)
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')

########################################
@@ -647,6 +648,26 @@ interface(`logging_relabelto_devlog_sock

########################################
## <summary>
+## Connect to the syslog control unix stream socket.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`logging_create_devlog_dev',`
+ gen_require(`
+ type devlog_t;
+ ')
+
+ allow $1 devlog_t:sock_file manage_sock_file_perms;
+ dev_filetrans($1, devlog_t, sock_file)
+ init_pid_filetrans($1, devlog_t, sock_file, "syslog")
+')
+
+########################################
+## <summary>
## Read the auditd configuration files.
## </summary>
## <param name="domain">
@@ -742,6 +763,7 @@ interface(`logging_search_logs',`

files_search_var($1)
allow $1 var_log_t:dir search_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')

#######################################
@@ -779,6 +801,7 @@ interface(`logging_list_logs',`

files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')

#######################################
@@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',

files_search_var($1)
allow $1 var_log_t:dir rw_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')

#######################################
@@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`

files_search_var($1)
append_files_pattern($1, var_log_t, logfile)
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')

########################################
@@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
write_files_pattern($1, var_log_t, var_log_t)
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')

########################################
@@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
rw_files_pattern($1, var_log_t, var_log_t)
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')

########################################
Index: refpolicy-2.20170410/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20170410.orig/policy/modules/system/logging.te
+++ refpolicy-2.20170410/policy/modules/system/logging.te
@@ -154,6 +155,7 @@ allow auditd_t auditd_etc_t:file read_fi
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t auditd_log_t:dir setattr;
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+allow auditd_t auditd_log_t:dir setattr;
allow auditd_t var_log_t:dir search_dir_perms;

manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)


2017-04-14 16:13:10

by Dac Override

[permalink] [raw]
Subject: [refpolicy] [PATCH] systemd init

On Sat, Apr 15, 2017 at 01:58:11AM +1000, Russell Coker via refpolicy wrote:
> This patch lets mandb_t search init_var_run_t dirs which it needs when running
> with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
> pointless to put that in a separate patch.
>
> Allow init_t to do several things that it requires when init is systemd.
>
> Allow various operations on var_log_t to access var_log_t symlinks too.
>
> Let auditd setattr it's directory.
>
> Index: refpolicy-2.20170410/policy/modules/contrib/mandb.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/contrib/mandb.te
> +++ refpolicy-2.20170410/policy/modules/contrib/mandb.te
> @@ -32,6 +32,7 @@ allow mandb_t self:unix_stream_socket cr
>
> kernel_read_kernel_sysctls(mandb_t)
> kernel_read_system_state(mandb_t)
> +fs_getattr_xattr_fs(mandb_t)
>
> corecmd_exec_bin(mandb_t)
> corecmd_exec_shell(mandb_t)
> @@ -51,6 +52,10 @@ miscfiles_read_localization(mandb_t)
>
> userdom_use_inherited_user_terminals(mandb_t)
>
> +ifdef(`init_systemd',`
> + init_search_run(mandb_t)
> +')
> +
> optional_policy(`
> cron_system_entry(mandb_t, mandb_exec_t)
> ')
> Index: refpolicy-2.20170410/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170410/policy/modules/system/init.te
> @@ -155,6 +155,7 @@ corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> dev_read_sysfs(init_t)
> +logging_create_devlog_dev(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>
> @@ -316,6 +317,8 @@ ifdef(`init_systemd',`
>
> seutil_read_file_contexts(init_t)
>
> + systemd_manage_lnk_file_passwd_run(init_t)
> +
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> @@ -402,7 +405,7 @@ optional_policy(`
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> -allow initrc_t self:capability2 block_suspend;
> +allow initrc_t self:capability2 { wake_alarm block_suspend };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
> allow initrc_t self:passwd rootok;
> allow initrc_t self:key manage_key_perms;
> @@ -830,6 +833,7 @@ ifdef(`init_systemd',`
> allow init_t self:process { getcap setcap };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> + allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
> Index: refpolicy-2.20170410/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170410/policy/modules/system/logging.if
> @@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`
>
> files_search_var($1)
> filetrans_pattern($1, var_log_t, $2, $3, $4)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -647,6 +648,26 @@ interface(`logging_relabelto_devlog_sock
>
> ########################################
> ## <summary>
> +## Connect to the syslog control unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_create_devlog_dev',`
> + gen_require(`
> + type devlog_t;
> + ')
> +
> + allow $1 devlog_t:sock_file manage_sock_file_perms;
> + dev_filetrans($1, devlog_t, sock_file)
> + init_pid_filetrans($1, devlog_t, sock_file, "syslog")
> +')
> +
> +########################################
> +## <summary>
> ## Read the auditd configuration files.
> ## </summary>
> ## <param name="domain">
> @@ -742,6 +763,7 @@ interface(`logging_search_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir search_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -779,6 +801,7 @@ interface(`logging_list_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',
>
> files_search_var($1)
> allow $1 var_log_t:dir rw_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`
>
> files_search_var($1)
> append_files_pattern($1, var_log_t, logfile)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> write_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> rw_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> Index: refpolicy-2.20170410/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170410/policy/modules/system/logging.te
> @@ -154,6 +155,7 @@ allow auditd_t auditd_etc_t:file read_fi
> manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> allow auditd_t auditd_log_t:dir setattr;
> manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> +allow auditd_t auditd_log_t:dir setattr;

looks duplicate to me

> allow auditd_t var_log_t:dir search_dir_perms;
>
> manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170414/feba9657/attachment-0001.bin

2017-04-14 17:33:03

by Christian Göttsche

[permalink] [raw]
Subject: [refpolicy] [PATCH] systemd init

2017-04-14 17:58 GMT+02:00 Russell Coker via refpolicy
<[email protected]>:
> This patch lets mandb_t search init_var_run_t dirs which it needs when running
> with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
> pointless to put that in a separate patch.
>
> Allow init_t to do several things that it requires when init is systemd.
>
> Allow various operations on var_log_t to access var_log_t symlinks too.
>
> Let auditd setattr it's directory.
>
> Index: refpolicy-2.20170410/policy/modules/contrib/mandb.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/contrib/mandb.te
> +++ refpolicy-2.20170410/policy/modules/contrib/mandb.te
> @@ -32,6 +32,7 @@ allow mandb_t self:unix_stream_socket cr
>
> kernel_read_kernel_sysctls(mandb_t)
> kernel_read_system_state(mandb_t)
> +fs_getattr_xattr_fs(mandb_t)

seems to be a dublicate for me
https://github.com/TresysTechnology/refpolicy-contrib/blob/master/mandb.te#L46

>
> corecmd_exec_bin(mandb_t)
> corecmd_exec_shell(mandb_t)
> @@ -51,6 +52,10 @@ miscfiles_read_localization(mandb_t)
>
> userdom_use_inherited_user_terminals(mandb_t)
>
> +ifdef(`init_systemd',`
> + init_search_run(mandb_t)
> +')

one question about this:
I saw this once on my systems, but it was caused by the cron script
checking for systemd presence
(https://sources.debian.net/src/man-db/2.7.6.1-2/debian/cron.daily/#L20)
After the label change of the cron script file to bin_t, it
disappeared (https://github.com/TresysTechnology/refpolicy-contrib/commit/563c9eee33e9c7f47d0c61f35005d8a9d6ac46d6#diff-0d233c2fa4a6b85be493bceaf52eab01).

> +
> optional_policy(`
> cron_system_entry(mandb_t, mandb_exec_t)
> ')
> Index: refpolicy-2.20170410/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170410/policy/modules/system/init.te
> @@ -155,6 +155,7 @@ corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> dev_read_sysfs(init_t)
> +logging_create_devlog_dev(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>
> @@ -316,6 +317,8 @@ ifdef(`init_systemd',`
>
> seutil_read_file_contexts(init_t)
>
> + systemd_manage_lnk_file_passwd_run(init_t)
> +
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> @@ -402,7 +405,7 @@ optional_policy(`
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> -allow initrc_t self:capability2 block_suspend;
> +allow initrc_t self:capability2 { wake_alarm block_suspend };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
> allow initrc_t self:passwd rootok;
> allow initrc_t self:key manage_key_perms;
> @@ -830,6 +833,7 @@ ifdef(`init_systemd',`
> allow init_t self:process { getcap setcap };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> + allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
> Index: refpolicy-2.20170410/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170410/policy/modules/system/logging.if
> @@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`
>
> files_search_var($1)
> filetrans_pattern($1, var_log_t, $2, $3, $4)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -647,6 +648,26 @@ interface(`logging_relabelto_devlog_sock
>
> ########################################
> ## <summary>
> +## Connect to the syslog control unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_create_devlog_dev',`
> + gen_require(`
> + type devlog_t;
> + ')
> +
> + allow $1 devlog_t:sock_file manage_sock_file_perms;
> + dev_filetrans($1, devlog_t, sock_file)
> + init_pid_filetrans($1, devlog_t, sock_file, "syslog")
> +')
> +
> +########################################
> +## <summary>
> ## Read the auditd configuration files.
> ## </summary>
> ## <param name="domain">
> @@ -742,6 +763,7 @@ interface(`logging_search_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir search_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -779,6 +801,7 @@ interface(`logging_list_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',
>
> files_search_var($1)
> allow $1 var_log_t:dir rw_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`
>
> files_search_var($1)
> append_files_pattern($1, var_log_t, logfile)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> write_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> rw_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> Index: refpolicy-2.20170410/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170410/policy/modules/system/logging.te
> @@ -154,6 +155,7 @@ allow auditd_t auditd_etc_t:file read_fi
> manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> allow auditd_t auditd_log_t:dir setattr;
> manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> +allow auditd_t auditd_log_t:dir setattr;
> allow auditd_t var_log_t:dir search_dir_perms;
>
> manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2017-04-16 23:09:30

by Chris PeBenito

[permalink] [raw]
Subject: [refpolicy] [PATCH] systemd init

On 04/14/2017 11:58 AM, Russell Coker via refpolicy wrote:
> This patch lets mandb_t search init_var_run_t dirs which it needs when running
> with systems. Also allows it to fs_getattr_xattr_fs() because it seemed
> pointless to put that in a separate patch.
>
> Allow init_t to do several things that it requires when init is systemd.
>
> Allow various operations on var_log_t to access var_log_t symlinks too.
>
> Let auditd setattr it's directory.

This is merged except for the duplicate rules noted by the others.


> Index: refpolicy-2.20170410/policy/modules/contrib/mandb.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/contrib/mandb.te
> +++ refpolicy-2.20170410/policy/modules/contrib/mandb.te
> @@ -32,6 +32,7 @@ allow mandb_t self:unix_stream_socket cr
>
> kernel_read_kernel_sysctls(mandb_t)
> kernel_read_system_state(mandb_t)
> +fs_getattr_xattr_fs(mandb_t)
>
> corecmd_exec_bin(mandb_t)
> corecmd_exec_shell(mandb_t)
> @@ -51,6 +52,10 @@ miscfiles_read_localization(mandb_t)
>
> userdom_use_inherited_user_terminals(mandb_t)
>
> +ifdef(`init_systemd',`
> + init_search_run(mandb_t)
> +')
> +
> optional_policy(`
> cron_system_entry(mandb_t, mandb_exec_t)
> ')
> Index: refpolicy-2.20170410/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170410/policy/modules/system/init.te
> @@ -155,6 +155,7 @@ corecmd_exec_chroot(init_t)
> corecmd_exec_bin(init_t)
>
> dev_read_sysfs(init_t)
> +logging_create_devlog_dev(init_t)
> # Early devtmpfs
> dev_rw_generic_chr_files(init_t)
>
> @@ -316,6 +317,8 @@ ifdef(`init_systemd',`
>
> seutil_read_file_contexts(init_t)
>
> + systemd_manage_lnk_file_passwd_run(init_t)
> +
> # udevd is a "systemd kobject uevent socket activated daemon"
> udev_create_kobject_uevent_sockets(init_t)
>
> @@ -402,7 +405,7 @@ optional_policy(`
>
> allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
> allow initrc_t self:capability ~{ sys_admin sys_module };
> -allow initrc_t self:capability2 block_suspend;
> +allow initrc_t self:capability2 { wake_alarm block_suspend };
> dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
> allow initrc_t self:passwd rootok;
> allow initrc_t self:key manage_key_perms;
> @@ -830,6 +833,7 @@ ifdef(`init_systemd',`
> allow init_t self:process { getcap setcap };
> allow init_t self:unix_stream_socket { create_stream_socket_perms connectto };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> + allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms };
> # Until systemd is fixed
> allow daemon init_t:socket_class_set { getopt read getattr ioctl setopt write };
> allow init_t self:udp_socket create_socket_perms;
> Index: refpolicy-2.20170410/policy/modules/system/logging.if
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.if
> +++ refpolicy-2.20170410/policy/modules/system/logging.if
> @@ -569,6 +569,7 @@ interface(`logging_log_filetrans',`
>
> files_search_var($1)
> filetrans_pattern($1, var_log_t, $2, $3, $4)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -647,6 +648,26 @@ interface(`logging_relabelto_devlog_sock
>
> ########################################
> ## <summary>
> +## Connect to the syslog control unix stream socket.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`logging_create_devlog_dev',`
> + gen_require(`
> + type devlog_t;
> + ')
> +
> + allow $1 devlog_t:sock_file manage_sock_file_perms;
> + dev_filetrans($1, devlog_t, sock_file)
> + init_pid_filetrans($1, devlog_t, sock_file, "syslog")
> +')
> +
> +########################################
> +## <summary>
> ## Read the auditd configuration files.
> ## </summary>
> ## <param name="domain">
> @@ -742,6 +763,7 @@ interface(`logging_search_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir search_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -779,6 +801,7 @@ interface(`logging_list_logs',`
>
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -798,6 +821,7 @@ interface(`logging_rw_generic_log_dirs',
>
> files_search_var($1)
> allow $1 var_log_t:dir rw_dir_perms;
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> #######################################
> @@ -893,6 +917,7 @@ interface(`logging_append_all_logs',`
>
> files_search_var($1)
> append_files_pattern($1, var_log_t, logfile)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1075,6 +1100,7 @@ interface(`logging_write_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> write_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> @@ -1113,6 +1139,7 @@ interface(`logging_rw_generic_logs',`
> files_search_var($1)
> allow $1 var_log_t:dir list_dir_perms;
> rw_files_pattern($1, var_log_t, var_log_t)
> + allow $1 var_log_t:lnk_file read_lnk_file_perms;
> ')
>
> ########################################
> Index: refpolicy-2.20170410/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170410.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170410/policy/modules/system/logging.te
> @@ -154,6 +155,7 @@ allow auditd_t auditd_etc_t:file read_fi
> manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> allow auditd_t auditd_log_t:dir setattr;
> manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
> +allow auditd_t auditd_log_t:dir setattr;
> allow auditd_t var_log_t:dir search_dir_perms;
>
> manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
>


--
Chris PeBenito