2012-09-06 17:35:34

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 0/4] Small set of updates

This patchset contains a few smaller updates on the SELinux policies.

Changes since v1
----------------

- Drop ifdef in file context (not needed)
- Remove redundant call to files_rw_var_lib_dirs()
- Drop udev changes

Sven Vermeulen (4):
Puppet uses mount output for verification
Allow syslogd to create /var/lib/syslog and
/var/lib/misc/syslog-ng.persist
Gentoo's openrc does not require initrc_exec_t for runscripts anymore
Allow init scripts to read courier configuration

policy/modules/system/init.fc | 4 ----
policy/modules/system/init.te | 4 ++++
policy/modules/system/logging.fc | 2 ++
policy/modules/system/logging.te | 1 +
policy/modules/system/mount.te | 4 ++++
5 files changed, 11 insertions(+), 4 deletions(-)

--
1.7.8.6


2012-09-06 17:35:35

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 1/4] Puppet uses mount output for verification

Puppet calls mount to obtain the list of mounted file systems, redirecting its
output to a temporary file (labeled puppet_tmp_t). This allows the mount domain
to write to this resource.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/mount.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 63931f6..4175ff7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -193,6 +193,10 @@ optional_policy(`
')
')

+optional_policy(`
+ puppet_rw_tmp(mount_t)
+')
+
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
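
Review bot: the reason for this grant should sit in a comment above the new `optional_policy(` block, the way the neighbouring rpm block carries `# for kernel package installation`; the commit message says Puppet redirects mount's stdout into a puppet_tmp_t file, but nothing in the hunk records that, so a reader of mount.te cannot tell why mount_t touches another domain's tmp type. Also worth checking whether the read half of puppet_rw_tmp is needed at all: the described use only has mount writing its output to the file, so if puppet.if offers a write-only tmp interface, prefer it; otherwise keep puppet_rw_tmp and say in the comment that read access comes along with the interface.
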
--
1.7.8.6

2012-09-06 17:35:36

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist

If the /var/lib/syslog directory does not exist, then syslog-ng (running in
syslogd_t) will attempt to create the directory.

Allow the syslogd_t domain to create the directory, and use an automatic file
transition towards syslogd_var_lib_t.

Also, the syslog-ng daemon uses a persistence file in
/var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As
/var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write
its files as syslogd_var_lib_t therein.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/logging.fc | 2 ++
policy/modules/system/logging.te | 1 +
2 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 02f4c97..f5b3f34 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -24,6 +24,7 @@
/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)

+/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
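
Review bot: the `.` in the new `/var/lib/misc/syslog-ng.persist-?` spec is an unescaped regex metacharacter, so it also matches names such as `syslog-ngXpersist`; escape it as `/var/lib/misc/syslog-ng\.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)`, as refpolicy's fc files do for literal dots (init.fc in patch 3/4 has `/sbin/runscript\.sh`). The pre-existing `/var/lib/syslog-ng.persist` entry three lines down has the same defect; fixing it is a separate change, but the new line should not copy it.
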
@@ -32,6 +33,7 @@ ifdef(`distro_suse', `
/var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
')

+
/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
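
Review bot: drop this hunk from the patch; it changes nothing except adding a blank line after the `distro_suse` block, and whitespace-only hunks in an fc file add noise to the diff and to blame without any labelling change to review.
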
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0034021..2eca67c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -439,6 +439,7 @@ files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
files_read_kernel_symbol_table(syslogd_t)
+files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })

fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
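
Review bot: the transition added here is unnamed and covers both classes, so every file or directory that syslogd_t creates directly inside any var_lib_t directory, not only /var/lib/syslog and /var/lib/misc/syslog-ng.persist, is created as syslogd_var_lib_t, and a later restorecon would relabel anything the fc entries do not cover back to var_lib_t. If the tree's files_var_lib_filetrans() accepts the optional name argument, restrict the rule to the three names the commit message gives (`syslog`, `syslog-ng.persist`, `syslog-ng.persist-`); otherwise record the breadth in a comment above the line. Also confirm that syslogd_t already has create permission on syslogd_var_lib_t for dir objects as well as file objects elsewhere in logging.te; the type_transition on its own does not grant it.
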
--
1.7.8.6

2012-09-06 17:35:37

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 3/4] Gentoo's openrc does not require initrc_exec_t for runscripts anymore

The Gentoo-specific runscripts in /sbin should not be marked as initrc_exec_t
anymore (just bin_t).

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.fc | 4 ----
1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 03e27db..9a4d3a7 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -35,10 +35,6 @@ ifdef(`distro_gentoo', `

ifdef(`distro_gentoo', `
/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
-/sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/svcinit -- gen_context(system_u:object_r:initrc_exec_t,s0)
')

#
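
Review bot: the commit message says the four scripts should become bin_t, but the hunk only deletes their initrc_exec_t entries, so the resulting label depends on whichever generic /sbin default matches; the message should name that default so the intent can be checked against it. Installed systems also keep the old initrc_exec_t label on these files until they are relabelled, so the change only takes effect after a restorecon of /sbin (or a full relabel); that deserves a sentence in the message or the Gentoo release notes.
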
--
1.7.8.6

2012-09-06 17:35:38

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 4/4] Allow init scripts to read courier configuration

The courier-imap and courier-pop3 daemons are started by sourcing their
configuration files, and then invoking the daemons using the proper options. If
this is done through a specialized script, then init only needs to call this
script (where a proper transition occurs) but if the init script itself does
this, it needs to be able to read the configuration files.

Signed-off-by: Sven Vermeulen <[email protected]>
---
policy/modules/system/init.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0a7eda5..32dd043 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -613,6 +613,10 @@ optional_policy(`
')

optional_policy(`
+ courier_read_config(initrc_t)
+')
+
+optional_policy(`
cpucontrol_stub(initrc_t)
dev_getattr_cpu_dev(initrc_t)
')
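
Review bot: add a comment above `courier_read_config(initrc_t)` recording why the grant exists, as the commit message explains (the courier-imap and courier-pop3 init scripts source their configuration before starting the daemons); without it the line reads as an arbitrary widening of initrc_t, a domain shared by every init script on the system. The message's own alternative, a dedicated start script that transitions into the courier domain before the configuration is read, keeps that configuration unreadable to unrelated init scripts; if that route was considered and rejected, the message should say why.
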
--
1.7.8.6

2012-09-06 18:47:18

by dominick.grift

Subject: [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist



On Thu, 2012-09-06 at 19:35 +0200, Sven Vermeulen wrote:
> If the /var/lib/syslog directory does not exist, then syslog-ng (running in
> syslogd_t) will attempt to create the directory.

> +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })

Why file trans on a file?

2012-09-06 19:15:02

by sven.vermeulen

Subject: [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist

On Thu, Sep 06, 2012 at 08:47:18PM +0200, Dominick Grift wrote:
> On Thu, 2012-09-06 at 19:35 +0200, Sven Vermeulen wrote:
> > If the /var/lib/syslog directory does not exist, then syslog-ng (running in
> > syslogd_t) will attempt to create the directory.
>
> > +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
>
> Why file trans on a file?

You asked that the previous time as well (at least you're consistent ;-) and
I hoped a bit that the commit information (and the mail reply) was
sufficient.

The file transition is for /var/lib/misc/syslog-ng.persist (and
/var/lib/misc/syslog-ng.persist-) as the /var/lib/misc location itself is
still var_lib_t.

Wkr,
Sven Vermeulen
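
The exchange above, and the commit message of patch 2/4, turn on the difference between the type a file receives at the moment syslogd_t creates it and the type restorecon would assign from the fc entry. The following Python model is an added example written for this page, not refpolicy or libselinux code: it treats file_contexts as an ordered list in which the last matching spec wins, and models type_transition lookup as named rule first, unnamed rule second, inherit the parent directory's type otherwise. The `/var/lib(/.*)?` var_lib_t spec is assumed to come from files.fc (it is not shown in the thread), Python's `re` module stands in for libselinux's regex handling, and the `NAMED_RULES` variant is hypothetical, showing what a name-restricted transition would do if the filetrans interface accepts the name argument.

```python
"""Simplified model of the two ways an object under /var/lib gets its SELinux
type: at creation (inherit the parent directory's type unless a
type_transition rule applies) and at relabel time (restorecon/setfiles
reading file_contexts). Constructed for this thread; not refpolicy or
libselinux code, and the matching is simplified (see comments)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class FcSpec:
    regex: str            # file_contexts regex; implicitly anchored at both ends
    ftype: Optional[str]  # "--" regular file, "-d" directory, "-s" socket, None = any
    type_: str            # the type component of the gen_context() value


# Constructed subset of logging.fc as it reads after patch 2/4. The generic
# /var/lib entry is assumed to come from files.fc (not shown in the thread).
FILE_CONTEXTS: List[FcSpec] = [
    FcSpec(r"/var/lib(/.*)?", None, "var_lib_t"),
    FcSpec(r"/var/lib/misc/syslog-ng.persist-?", "--", "syslogd_var_lib_t"),
    FcSpec(r"/var/lib/syslog-ng(/.*)?", None, "syslogd_var_lib_t"),
    FcSpec(r"/var/lib/r?syslog(/.*)?", None, "syslogd_var_lib_t"),
    FcSpec(r"/var/lib/syslog-ng.persist", "--", "syslogd_var_lib_t"),
]


@dataclass(frozen=True)
class TypeTransition:
    source: str                  # creating domain
    parent: str                  # type of the directory the object is created in
    cls: str                     # object class: "file" or "dir"
    target: str                  # type the new object receives
    name: Optional[str] = None   # last path component for a named transition


# What files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
# boils down to: one unnamed transition per class out of var_lib_t.
PATCH_RULES: List[TypeTransition] = [
    TypeTransition("syslogd_t", "var_lib_t", "file", "syslogd_var_lib_t"),
    TypeTransition("syslogd_t", "var_lib_t", "dir", "syslogd_var_lib_t"),
]

# Hypothetical tighter variant: the same transitions restricted to the three
# names the commit message lists (assumes the interface takes a name argument).
NAMED_RULES: List[TypeTransition] = [
    TypeTransition("syslogd_t", "var_lib_t", "dir", "syslogd_var_lib_t", "syslog"),
    TypeTransition("syslogd_t", "var_lib_t", "file", "syslogd_var_lib_t", "syslog-ng.persist"),
    TypeTransition("syslogd_t", "var_lib_t", "file", "syslogd_var_lib_t", "syslog-ng.persist-"),
]


def relabel_type(path: str, is_dir: bool, specs=FILE_CONTEXTS) -> Optional[str]:
    """Type restorecon would set: the last matching spec wins, as file_contexts(5)
    describes. None means no spec matches (the real tools then leave the label)."""
    want = "-d" if is_dir else "--"
    result = None
    for spec in specs:
        if spec.ftype is not None and spec.ftype != want:
            continue
        if re.fullmatch(spec.regex, path):
            result = spec.type_
    return result


def creation_type(domain: str, parent_type: str, cls: str, name: str,
                  rules: List[TypeTransition]) -> str:
    """Type a newly created object gets: a matching named transition beats an
    unnamed one; with no rule the object inherits the parent directory's type."""
    for rule in rules:
        if (rule.source, rule.parent, rule.cls, rule.name) == (domain, parent_type, cls, name):
            return rule.target
    for rule in rules:
        if (rule.source, rule.parent, rule.cls, rule.name) == (domain, parent_type, cls, None):
            return rule.target
    return parent_type


def check_create(domain: str, parent_path: str, parent_type: str, name: str,
                 is_dir: bool, rules: List[TypeTransition]) -> Tuple[str, Optional[str], bool]:
    """Compare creation-time and relabel-time types for one object.
    Returns (created_as, restorecon_would_set, consistent)."""
    created = creation_type(domain, parent_type, "dir" if is_dir else "file", name, rules)
    relabelled = relabel_type(parent_path.rstrip("/") + "/" + name, is_dir)
    return created, relabelled, created == relabelled


if __name__ == "__main__":
    # /var/lib and /var/lib/misc are both var_lib_t, as the thread states.
    cases = [("/var/lib/misc", "syslog-ng.persist", False),
             ("/var/lib/misc", "syslog-ng.persist-", False),
             ("/var/lib", "syslog", True),
             ("/var/lib", "unrelated-state", False)]
    for label, rules in (("no filetrans", []), ("patch 2/4", PATCH_RULES), ("named", NAMED_RULES)):
        for parent, name, is_dir in cases:
            print(label, parent + "/" + name,
                  check_create("syslogd_t", parent, "var_lib_t", name, is_dir, rules))
```

Running the block walks through the three situations the thread touches on: without the transition the persist file is created as var_lib_t and only a relabel brings it to syslogd_var_lib_t; with the patch's rule, creation and relabel agree for the persist file and for /var/lib/syslog; and because the rule is unnamed, any other file syslogd_t creates directly under a var_lib_t directory is also created as syslogd_var_lib_t, which restorecon would later undo. The creation-time result is what the running system enforces; the fc entry only matters when something relabels.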

2012-09-06 19:23:03

by dominick.grift

Subject: [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist



On Thu, 2012-09-06 at 21:15 +0200, Sven Vermeulen wrote:
> On Thu, Sep 06, 2012 at 08:47:18PM +0200, Dominick Grift wrote:
> > On Thu, 2012-09-06 at 19:35 +0200, Sven Vermeulen wrote:
> > > If the /var/lib/syslog directory does not exist, then syslog-ng (running in
> > > syslogd_t) will attempt to create the directory.
> >
> > > +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
> >
> > Why file trans on a file?
>
> You asked that the previous time as well (at least you're consistent ;-) and
> I hoped a bit that the commit information (and the mail reply) was
> sufficient.
>
> The file transition is for /var/lib/misc/syslog-ng.persist (and
> /var/lib/misc/syslog-ng.persist-) as the /var/lib/misc location itself is
> still var_lib_t.

ok, that explains it. It was just a question :)

> Wkr,
> Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

2012-09-06 19:37:10

by Daniel Walsh

Subject: [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist


On 09/06/2012 03:15 PM, Sven Vermeulen wrote:
> On Thu, Sep 06, 2012 at 08:47:18PM +0200, Dominick Grift wrote:
>> On Thu, 2012-09-06 at 19:35 +0200, Sven Vermeulen wrote:
>>> If the /var/lib/syslog directory does not exist, then syslog-ng
>>> (running in syslogd_t) will attempt to create the directory.
>>
>>> +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
>>
>> Why file trans on a file?
>
> You asked that the previous time as well (at least you're consistent ;-)
> and I hoped a bit that the commit information (and the mail reply) was
> sufficient.
>
> The file transition is for /var/lib/misc/syslog-ng.persist (and
> /var/lib/misc/syslog-ng.persist-) as the /var/lib/misc location itself is
> still var_lib_t.
>
> Wkr,
> Sven Vermeulen


/var/lib/misc should just die a horrible death. /var/lib itself is misc.
syslog should store its content under /var/lib/syslog.



2012-09-07 12:34:40

by cpebenito

Subject: [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist

On 09/06/12 13:35, Sven Vermeulen wrote:
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index 02f4c97..f5b3f34 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -32,6 +33,7 @@ ifdef(`distro_suse', `
> /var/lib/stunnel/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
> ')
>
> +
> /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
> /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
> /var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)

Unnecessary whitespace change.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com