From: cpebenito@tresys.com (Christopher J. PeBenito) Date: Wed, 23 Jan 2013 07:28:04 -0500 Subject: [refpolicy] [PATCH 06/13] Add support for rsyslog In-Reply-To: <1358026351-12955-7-git-send-email-bigon@debian.org> References: <1358026351-12955-1-git-send-email-bigon@debian.org> <1358026351-12955-7-git-send-email-bigon@debian.org> Message-ID: <50FFD754.1000209@tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 01/12/13 16:32, Laurent Bigonville wrote: > From: Laurent Bigonville > > Allow sys_nice capability, setsched, allow to search in /var/spool and > syslog_t domain to read network state files in /proc > > squash! Add support for rsyslog Merged. > --- > policy/modules/system/logging.te | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te > index 39ea221..b642262 100644 > --- a/policy/modules/system/logging.te > +++ b/policy/modules/system/logging.te > @@ -353,13 +353,15 @@ optional_policy(` > > # chown fsetid for syslog-ng > # sys_admin for the integrated klog of syslog-ng and metalog > +# sys_nice for rsyslog > # cjp: why net_admin! > -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid }; > +allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; > dontaudit syslogd_t self:capability sys_tty_config; > # setpgid for metalog > # setrlimit for syslog-ng > # getsched for syslog-ng > -allow syslogd_t self:process { signal_perms setpgid setrlimit getsched }; > +# setsched for rsyslog > +allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched }; > # receive messages to be logged > allow syslogd_t self:unix_dgram_socket create_socket_perms; > allow syslogd_t self:unix_stream_socket create_stream_socket_perms; 
> @@ -377,6 +379,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file) > # create/append log files. > manage_files_pattern(syslogd_t, var_log_t, var_log_t) > rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t) > +files_search_spool(syslogd_t) > > # Allow access for syslog-ng > allow syslogd_t var_log_t:dir { create setattr }; > @@ -394,6 +397,7 @@ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t) > files_pid_filetrans(syslogd_t, syslogd_var_run_t, file) > > kernel_read_system_state(syslogd_t) > +kernel_read_network_state(syslogd_t) > kernel_read_kernel_sysctls(syslogd_t) > kernel_read_proc_symlinks(syslogd_t) > # Allow access to /proc/kmsg for syslog-ng > -- Chris PeBenito Tresys Technology, LLC www.tresys.com | oss.tresys.com
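Review bot: In the first hunk (the `syslogd_t self:capability` and `self:process` lines, @@ -353,13), the new `sys_nice` and `setsched` permissions follow the file's existing convention of one comment per daemon, but neither the comments nor the commit message record which rsyslog feature needs them. Since `syslogd_t` is shared by syslog-ng, metalog and rsyslog, every implementation gains the ability to change its own scheduling policy; a short note of the triggering feature next to `# sys_nice for rsyslog` and `# setsched for rsyslog`, as the existing `# setrlimit for syslog-ng` and `# setpgid for metalog` lines do, would make the grant auditable later. The pre-existing `# cjp: why net_admin!` question is still unanswered by this patch.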
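Review bot: In the second hunk (@@ -377,6), `files_search_spool(syslogd_t)` is inserted among the local `manage_files_pattern` / `rw_fifo_files_pattern` rules under the `# create/append log files.` comment rather than with the other interface calls further down, which is where the `kernel_*` calls in the third hunk live; moving it into that block would keep the module's local-rules-then-interfaces ordering. Also note that `files_search_spool` only grants search on the `/var/spool` directory itself: if rsyslog needs to create or write files below it, that will require a dedicated type and file transition in a later patch, so the commit message's "search in /var/spool" is accurate but minimal.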
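Review bot: In the third hunk (@@ -394,6), `kernel_read_network_state(syslogd_t)` is added without a comment, while the surrounding lines document their purpose (`# Allow access to /proc/kmsg for syslog-ng`); a one-line comment such as `# rsyslog reads network state in /proc` would match the file's style and tie the new read access on `/proc/net` to the daemon that needs it.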