From: pebenito@ieee.org (Chris PeBenito) Date: Tue, 18 Apr 2017 21:07:40 -0400 Subject: [refpolicy] [PATCH] logging patches In-Reply-To: <20170417120153.pbqojfbnonzgstyz@athena.coker.com.au> References: <20170417120153.pbqojfbnonzgstyz@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/17/2017 08:01 AM, Russell Coker via refpolicy wrote: > Patches for logrotate, webalizer, sysstat, and logwatch. Merged with some line moving.
> --- refpolicy-2.20170417.orig/policy/modules/contrib/logrotate.te
> +++ refpolicy-2.20170417/policy/modules/contrib/logrotate.te
> @@ -36,7 +36,7 @@ role system_r types logrotate_mail_t;
> # Local policy
> #
>
> -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
> +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill net_admin setgid setuid sys_nice sys_resource };
Dropped this as it needs justification.
> allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
> allow logrotate_t self:fd use;
> allow logrotate_t self:key manage_key_perms;
> @@ -89,6 +89,7 @@ files_dontaudit_list_mnt(logrotate_t)
> fs_search_auto_mountpoints(logrotate_t)
> fs_getattr_xattr_fs(logrotate_t)
> fs_list_inotifyfs(logrotate_t)
> +fs_getattr_tmpfs(logrotate_t)
>
> mls_file_read_all_levels(logrotate_t)
> mls_file_write_all_levels(logrotate_t)
> @@ -102,8 +103,10 @@ auth_manage_login_records(logrotate_t)
> auth_use_nsswitch(logrotate_t)
>
> init_all_labeled_script_domtrans(logrotate_t)
> +init_startstop_all_script_services(logrotate_t)
> init_get_generic_units_status(logrotate_t)
> init_get_all_units_status(logrotate_t)
> +init_get_system_status(logrotate_t)
> init_dbus_chat(logrotate_t)
> init_stream_connect(logrotate_t)
> init_manage_all_units(logrotate_t)
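Review bot: init_startstop_all_script_services(logrotate_t) grants start and stop over every init_script_file_type service, on top of the init_all_labeled_script_domtrans and init_manage_all_units lines visible in the same hunk, so logrotate_t can now stop any service rather than only reload the ones whose logs it rotates. SELinux cannot narrow this to a reload-only action, so the justification has to live in the policy text; given that the net_admin capability in the first hunk was dropped for lacking one, a comment such as `# postrotate scripts restart/reload services` above the added line would record why this breadth is accepted. Whether the postrotate scripts actually need stop as well as start is not visible from this patch.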
> @@ -218,6 +221,7 @@ optional_policy(`
> optional_policy(`
> mysql_read_config(logrotate_t)
> mysql_stream_connect(logrotate_t)
> + mysql_signal(logrotate_t)
> ')
>
> optional_policy(`
> --- refpolicy-2.20170417.orig/policy/modules/contrib/webalizer.te
> +++ refpolicy-2.20170417/policy/modules/contrib/webalizer.te
> @@ -22,6 +22,9 @@ files_tmp_file(webalizer_tmp_t)
> type webalizer_var_lib_t;
> files_type(webalizer_var_lib_t)
>
> +type webalizer_log_t;
> +logging_log_file(webalizer_log_t)
> +
> ########################################
> #
> # Local policy
> @@ -36,11 +39,15 @@ allow webalizer_t self:unix_stream_socke
> allow webalizer_t self:tcp_socket { accept listen };
>
> allow webalizer_t webalizer_etc_t:file read_file_perms;
> +files_read_usr_files(webalizer_t)
>
> manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
> manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
> files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
>
> +manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
> +manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
> +
> manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
> files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
>
> --- refpolicy-2.20170417.orig/policy/modules/contrib/sysstat.te
> +++ refpolicy-2.20170417/policy/modules/contrib/sysstat.te
> @@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_ov
> allow sysstat_t self:fifo_file rw_fifo_file_perms;
>
> manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
> -append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
> -create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
> +manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
> setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
> manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
> logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
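Review bot: mysql_signal(logrotate_t) grants the `signal` process permission on the MySQL server domain (presumably mysqld_t), and `signal` covers SIGTERM and every other signal except kill/stop/chld/null, not just a reopen-logs signal, so a postrotate script or anything that compromises logrotate_t can terminate the database outright. If the postrotate only runs `mysqladmin flush-logs`, the mysql_stream_connect line already in this block covers that and the new grant may be unnecessary; if a signal really is sent, a comment naming it, e.g. `# postrotate sends SIGHUP to mysqld to reopen logs`, would document the intent, and a narrower mysql.if interface should be preferred if one exists. I cannot see the postrotate script from here, so the need is inferred.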
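Review bot: The new manage_dirs_pattern/manage_files_pattern grants on webalizer_log_t come with no logging_log_filetrans(webalizer_t, webalizer_log_t, { file dir }) call, and this mail shows no webalizer.fc entry for the type, so nothing webalizer_t creates under the log tree will actually be labeled webalizer_log_t — the type declared in the previous hunk stays unused and these two rules are dead unless an .fc hunk outside this mail supplies the labeling. Adding the filetrans line directly after the two manage_*_pattern lines, mirroring the sysstat hunk below (`logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })`), together with an .fc entry for the directory webalizer writes its log output to, would make the new type effective.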
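Review bot: With manage_files_pattern now in place, the `setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` line immediately below it is redundant, since manage_file_perms already includes setattr; dropping it keeps the rule set minimal. Note also that replacing the append_files/create_files pair with manage_files widens sysstat_t from append-only to write, unlink and rename on its own log data, giving up the narrower log-integrity grant; if that is needed for sa2's rewriting and pruning of old data files (not visible here), a comment such as `# sa2 rewrites and prunes sa data files` above the line would record the reason.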
> @@ -39,12 +38,15 @@ kernel_read_fs_sysctls(sysstat_t)
> kernel_read_rpc_sysctls(sysstat_t)
>
> corecmd_exec_bin(sysstat_t)
> +corecmd_exec_shell(sysstat_t)
>
> dev_read_sysfs(sysstat_t)
> +dev_getattr_sysfs(sysstat_t)
> dev_read_urand(sysstat_t)
>
> files_search_var(sysstat_t)
> files_read_etc_runtime_files(sysstat_t)
> +files_search_all_mountpoints(sysstat_t)
>
> fs_getattr_xattr_fs(sysstat_t)
> fs_list_inotifyfs(sysstat_t)
> @@ -66,4 +68,5 @@ userdom_dontaudit_list_user_home_dirs(sy
>
> optional_policy(`
> cron_system_entry(sysstat_t, sysstat_exec_t)
> + cron_rw_tmp_files(sysstat_t)
> ')
> --- refpolicy-2.20170417.orig/policy/modules/contrib/logwatch.te
> +++ refpolicy-2.20170417/policy/modules/contrib/logwatch.te
> @@ -160,6 +160,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + raid_domtrans_mdadm(logwatch_t)
> +')
> +
> +optional_policy(`
> rpc_search_nfs_state_data(logwatch_t)
> ')
>
> @@ -189,4 +193,5 @@ logging_read_all_logs(logwatch_mail_t)
>
> optional_policy(`
> cron_use_system_job_fds(logwatch_mail_t)
> + cron_rw_system_job_pipes(logwatch_mail_t)
> ')
-- Chris PeBenito
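Review bot: raid_domtrans_mdadm(logwatch_t) lets logwatch_t execute mdadm with a transition into the mdadm domain, a privileged RAID-management domain, and SELinux cannot restrict that transition to read-only invocations such as `mdadm --detail`; logwatch processes attacker-influenced log text, so any command-injection flaw in a logwatch service script now reaches mdadm's privileges rather than stopping at logwatch_t. If the report only needs array status, consider whether it can be produced by reading /proc/mdstat instead of executing mdadm, and otherwise document the reason with a comment such as `# mdadm --detail for the raid report` above the added line. The new optional_policy block is complete within the hunk.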