From: dominick.grift@gmail.com (Dominick Grift) Date: Mon, 29 Oct 2012 20:12:35 +0100 Subject: [refpolicy] [PATCH v2 4/4] Adding interfaces for handling cron log files In-Reply-To: <1351536827-13200-5-git-send-email-sven.vermeulen@siphos.be> References: <1351536827-13200-1-git-send-email-sven.vermeulen@siphos.be> <1351536827-13200-5-git-send-email-sven.vermeulen@siphos.be> Message-ID: <1351537955.4200.6.camel@d30.localdomain> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 2012-10-29 at 19:53 +0100, Sven Vermeulen wrote: > Adding interfaces for a named file transition, create, setattr and write > privileges on cron log files. Will be used for the system logger domain later. > > Signed-off-by: Sven Vermeulen > --- > cron.if | 83 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ > 1 files changed, 83 insertions(+), 0 deletions(-) > > diff --git a/cron.if b/cron.if > index 2981f1f..a1ecb7f 100644 > --- a/cron.if > +++ b/cron.if 
> @@ -409,6 +409,89 @@ interface(`cron_sigchld',` > > ######################################## > ## > +## Set the attributes of cron log files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cron_setattr_log_files',` > + gen_require(` > + type cron_log_t; > + ') > + > + allow $1 cron_log_t:file setattr_file_perms; > +') > + > +######################################## > +## > +## Create cron log files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cron_create_log_files',` > + gen_require(` > + type cron_log_t; > + ') > + > + create_files_pattern($1, cron_log_t, cron_log_t) > +') > + > +######################################## > +## > +## Write to cron log files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`cron_write_log_files',` > + gen_require(` > + type cron_log_t; > + ') > + > + allow $1 cron_log_t:file write_file_perms; > +') > + > +######################################## > +## > +## Create specified objects in generic > +## log directories with the cron log file type. > +## > +## > +## > +## Domain allowed access. > +## > +## > +## > +## > +## Class of the object being created. > +## > +## > +## > +## > +## The name of the object being created. > +## > +## > +# > +interface(`cron_generic_log_filetrans_log',` > + gen_require(` > + type cron_log_t; > + ') > + > + logging_log_filetrans($1, cron_log_t, $2, $3) > +') > + > +######################################## > +## > ## Read cron daemon unnamed pipes. > ## > ## applied thanks
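
Review bot: In cron_create_log_files, create_files_pattern($1, cron_log_t, cron_log_t) passes cron_log_t as the directory type too, so besides create on cron_log_t files the caller gets add-entry permissions on directories labeled cron_log_t, while cron_generic_log_filetrans_log in the same hunk places these objects in the generic log directories. If no cron_log_t directory is expected, a plain "allow $1 cron_log_t:file create_file_perms;" would be tighter and would match the style of the setattr and write interfaces. If a caller is meant to pass dir as $2 to the filetrans interface and then create files beneath that directory, the summary of cron_create_log_files should say so. Separately, cron_setattr_log_files and cron_write_log_files grant only the file permissions, so it is worth stating in their descriptions that the caller must already be able to search the log directory.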