From: dac.override@gmail.com (Dominick Grift) Date: Mon, 28 Mar 2016 16:45:10 +0200 Subject: [refpolicy] [PATCH] systemd: Add support for --log-target Message-ID: <1459176310-11343-1-git-send-email-dac.override@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target= see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22 Signed-off-by: Dominick Grift --- policy/modules/system/systemd.if | 19 ++++++++++++++++++ policy/modules/system/systemd.te | 43 +++++++++++++++++++++++++++------------- 2 files changed, 48 insertions(+), 14 deletions(-) diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if index 3cd6670..705cbaa 100644 --- a/policy/modules/system/systemd.if +++ b/policy/modules/system/systemd.if @@ -2,6 +2,25 @@ ###################################### ## +## Make the specified type usable as an +## log parse environment type. +## +## +## +## Type to be used as a log parse environment type. +## +## +# +interface(`systemd_log_parse_environment',` + gen_require(` + attribute systemd_log_parse_env_type; + ') + + typeattribute $1 systemd_log_parse_env_type; +') + +###################################### +## ## Read systemd_login PID files. ## ## diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te index 60a75fa..63f1a9b 100644 --- a/policy/modules/system/systemd.te +++ b/policy/modules/system/systemd.te @@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3) ## gen_tunable(systemd_tmpfiles_manage_all, false) +attribute systemd_log_parse_env_type; + type systemd_activate_t; type systemd_activate_exec_t; init_system_domain(systemd_activate_t, systemd_activate_exec_t) 
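Review bot: The interface summary added at the top of the systemd.if hunk, `Make the specified type usable as an log parse environment type.`, has an article error and does not tell a policy writer what membership actually grants; suggest `Make the specified domain type a systemd log parse environment type.` followed by `This grants the access systemd services need to honor --log-target (journal/syslog, console and /dev/kmsg).`, which is what the rules attached to systemd_log_parse_env_type elsewhere in this patch provide. The parameter description `Type to be used as a log parse environment type.` would likewise be clearer as `Domain type to be used as a log parse environment type.`, since every caller converted in this patch passes a domain. Documentation only; the interface body itself is the usual gen_require/typeattribute pair.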
@@ -113,16 +115,32 @@ init_unit_file(power_unit_t) ###################################### # +# systemd log parse enviroment +# + +dontaudit systemd_log_parse_env_type self:capability net_admin; + +kernel_read_system_state(systemd_log_parse_env_type) + +dev_write_kmsg(systemd_log_parse_env_type) + +term_use_console(systemd_log_parse_env_type) + +init_read_state(systemd_log_parse_env_type) + +logging_send_syslog_msg(systemd_log_parse_env_type) + +###################################### +# # Cgroups local policy # kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t) +kernel_dgram_send(systemd_cgroups_t) init_stream_connect(systemd_cgroups_t) -logging_send_syslog_msg(systemd_cgroups_t) - -kernel_dgram_send(systemd_cgroups_t) +systemd_log_parse_environment(systemd_cgroups_t) ####################################### # @@ -133,10 +151,10 @@ kernel_read_kernel_sysctls(systemd_locale_t) files_read_etc_files(systemd_locale_t) -logging_send_syslog_msg(systemd_locale_t) - seutil_read_file_contexts(systemd_locale_t) +systemd_log_parse_environment(systemd_locale_t) + optional_policy(` dbus_connect_system_bus(systemd_locale_t) dbus_system_bus_client(systemd_locale_t) @@ -151,10 +169,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t) files_read_etc_files(systemd_hostnamed_t) -logging_send_syslog_msg(systemd_hostnamed_t) - seutil_read_file_contexts(systemd_hostnamed_t) +systemd_log_parse_environment(systemd_hostnamed_t) + optional_policy(` dbus_system_bus_client(systemd_hostnamed_t) dbus_connect_system_bus(systemd_hostnamed_t) 
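Review bot: Every domain given systemd_log_parse_environment() now receives `dev_write_kmsg` and `term_use_console` unconditionally from this block, so all seven converted services can write to /dev/kmsg and the console whether or not they are ever run with a kmsg or console log target, and a compromised member could inject arbitrary lines into the kernel ring buffer; that widening is presumably the intended price of --log-target support, but it deserves a comment such as `# access for every --log-target value (journal/syslog, console, kmsg) is granted to all members regardless of the configured target`. The `dontaudit systemd_log_parse_env_type self:capability net_admin;` rule carries no rationale; if it stems from systemd enlarging the log socket send buffer with SO_SNDBUFFORCE (which needs CAP_NET_ADMIN and falls back to SO_SNDBUF), record that with `# SO_SNDBUFFORCE probe on the log socket; harmless without the capability` — to be confirmed against systemd's log code. `init_read_state(systemd_log_parse_env_type)` arrives here without the `# This is for reading /proc/1/cgroup` comment that the logind hunk deletes, so the why is lost in the move; carry it over. The section header also misspells `enviroment`.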
@@ -207,13 +225,10 @@ init_start_all_units(systemd_logind_t) init_stop_all_units(systemd_logind_t) init_service_status(systemd_logind_t) init_service_start(systemd_logind_t) -# This is for reading /proc/1/cgroup -init_read_state(systemd_logind_t) locallogin_read_state(systemd_logind_t) -logging_send_syslog_msg(systemd_logind_t) - +systemd_log_parse_environment(systemd_logind_t) systemd_start_power_units(systemd_logind_t) udev_read_db(systemd_logind_t) @@ -234,7 +249,7 @@ optional_policy(` allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms; files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file) -logging_send_syslog_msg(systemd_sessions_t) +systemd_log_parse_environment(systemd_sessions_t) ######################################### # @@ -260,10 +275,10 @@ auth_manage_login_records(systemd_tmpfiles_t) auth_relabel_login_records(systemd_tmpfiles_t) auth_setattr_login_records(systemd_tmpfiles_t) -logging_send_syslog_msg(systemd_tmpfiles_t) - seutil_read_file_contexts(systemd_tmpfiles_t) +systemd_log_parse_environment(systemd_tmpfiles_t) + tunable_policy(`systemd_tmpfiles_manage_all',` # systemd-tmpfiles can be configured to manage anything. # have a last-resort option for users to do this. -- 2.5.5