This is a minor update of the last attempt at this patch.
Changes in .fc to label /etc/rsyslog.d(/.*)? as syslog_conf_t so all rsyslog config files are labeled syslog_conf_t (not just /etc/r?syslog.conf). Update .te file to allow rsyslog to read the directory now labeled syslog_conf_t (files of this type were already readable). Final (and new) change is in logging_admin_syslog interface so files_etc_filetrans now includes the optional filename so /etc/r?syslog.conf would be labeled correctly when created in etc_t.
The overall goal of this patch is that a domain using the logging_admin_syslog is able to create/edit files in /etc/rsyslog.d and they get created as syslog_conf_t AND other files created in /etc (or other etc_t labeled directory) don't get created with the syslog_conf_t type as they are not necessarily syslog configuration files.
Dave Sugar
dsugar at tresys.com
Signed-off-by: Dave Sugar <[email protected]>
---
policy/modules/system/logging.fc | 1 +
policy/modules/system/logging.if | 3 ++-
policy/modules/system/logging.te | 1 +
3 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 0d8a4173..b8df5fe7 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -2,6 +2,7 @@
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 8633dfc4..90be7596 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1250,7 +1250,8 @@ interface(`logging_admin_syslog',`
manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
- files_etc_filetrans($1, syslog_conf_t, file)
+ files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
+ files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 5eeaece1..7d0a71d2 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -394,6 +394,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
allow syslogd_t self:tcp_socket create_stream_socket_perms;
allow syslogd_t syslog_conf_t:file read_file_perms;
+allow syslogd_t syslog_conf_t:dir list_dir_perms;
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
--
2.13.5
On 09/08/2017 10:30 PM, David Sugar via refpolicy wrote:
> This is a minor update of the last attempt at this patch.
>
> Changes in .fc to label /etc/rsyslog.d(/.*)? as syslog_conf_t so all rsyslog config files are labeled syslog_conf_t (not just /etc/r?syslog.conf). Update .te file to allow rsyslog to read the directory now labeled syslog_conf_t (files of this type were already readable). Final (and new) change is in logging_admin_syslog interface so files_etc_filetrans now includes the optional filename so /etc/r?syslog.conf would be labeled correctly when created in etc_t.
>
> The overall goal of this patch is that a domain using the logging_admin_syslog is able to create/edit files in /etc/rsyslog.d and they get created as syslog_conf_t AND other files created in /etc (or other etc_t labeled directory) don't get created with the syslog_conf_t type as they are not necessarily syslog configuration files.
>
> Dave Sugar
> dsugar at tresys.com
>
> Signed-off-by: Dave Sugar <[email protected]>
> ---
> policy/modules/system/logging.fc | 1 +
> policy/modules/system/logging.if | 3 ++-
> policy/modules/system/logging.te | 1 +
> 3 files changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index 0d8a4173..b8df5fe7 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -2,6 +2,7 @@
>
> /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
> /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
> /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
> /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
> diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
> index 8633dfc4..90be7596 100644
> --- a/policy/modules/system/logging.if
> +++ b/policy/modules/system/logging.if
> @@ -1250,7 +1250,8 @@ interface(`logging_admin_syslog',`
>
> manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t)
> manage_files_pattern($1, syslog_conf_t, syslog_conf_t)
> - files_etc_filetrans($1, syslog_conf_t, file)
> + files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf")
> + files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf")
>
> manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
> manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t)
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 5eeaece1..7d0a71d2 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -394,6 +394,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
> allow syslogd_t self:tcp_socket create_stream_socket_perms;
>
> allow syslogd_t syslog_conf_t:file read_file_perms;
> +allow syslogd_t syslog_conf_t:dir list_dir_perms;
>
> # Create and bind to /dev/log or /var/run/log.
> allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
Merged.
--
Chris PeBenito