From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Wed, 23 Jan 2013 07:28:04 -0500
Subject: [refpolicy] [PATCH 06/13] Add support for rsyslog
In-Reply-To: <1358026351-12955-7-git-send-email-bigon@debian.org>
References: <1358026351-12955-1-git-send-email-bigon@debian.org>
	<1358026351-12955-7-git-send-email-bigon@debian.org>
Message-ID: <50FFD754.1000209@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 01/12/13 16:32, Laurent Bigonville wrote:
> From: Laurent Bigonville <bigon@bigon.be>
> 
> Allow sys_nice capability, setsched, allow to search in /var/spool and
> syslog_t domain to read network state files in /proc
> 
> squash! Add support for rsyslog

Merged.

> ---
>  policy/modules/system/logging.te |    8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 39ea221..b642262 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -353,13 +353,15 @@ optional_policy(`
>  
>  # chown fsetid for syslog-ng
>  # sys_admin for the integrated klog of syslog-ng and metalog
> +# sys_nice for rsyslog
>  # cjp: why net_admin!
> -allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
> +allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
>  dontaudit syslogd_t self:capability sys_tty_config;
>  # setpgid for metalog
>  # setrlimit for syslog-ng
>  # getsched for syslog-ng
> -allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
> +# setsched for rsyslog
> +allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
>  # receive messages to be logged
>  allow syslogd_t self:unix_dgram_socket create_socket_perms;
>  allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
> @@ -377,6 +379,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
>  # create/append log files.
>  manage_files_pattern(syslogd_t, var_log_t, var_log_t)
>  rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
> +files_search_spool(syslogd_t)
>  
>  # Allow access for syslog-ng
>  allow syslogd_t var_log_t:dir { create setattr };
> @@ -394,6 +397,7 @@ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
>  files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
>  
>  kernel_read_system_state(syslogd_t)
> +kernel_read_network_state(syslogd_t)
>  kernel_read_kernel_sysctls(syslogd_t)
>  kernel_read_proc_symlinks(syslogd_t)
>  # Allow access to /proc/kmsg for syslog-ng
> 


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com