From: pebenito@ieee.org (Chris PeBenito)
Date: Fri, 8 Sep 2017 11:48:25 -0400
Subject: [refpolicy] [PATCH 1/1] Label /etc/rsyslog.d
In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B4E99B@Exchange10.columbia.tresys.com>
References: <1B50C12ACFF4CB42B90D2581155DF50205B4E99B@Exchange10.columbia.tresys.com>
Message-ID: <0b8dce3b-701b-ff9d-317b-6ae3708eae41@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/07/2017 10:47 AM, David Sugar via refpolicy wrote:
> The directory /etc/rsyslog.d is used by rsyslog for drop-in configuration files (referenced by the default /etc/rsyslog.conf).  Label as syslog_conf_t to match /etc/rsyslog.conf labeling.
> 
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/logging.fc | 1 +
>   policy/modules/system/logging.te | 1 +
>   2 files changed, 2 insertions(+)
> 
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index 0d8a4173..b8df5fe7 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -2,6 +2,7 @@
>   
>   /etc/rsyslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
>   /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
> +/etc/rsyslog.d(/.*)?	gen_context(system_u:object_r:syslog_conf_t,s0)
>   /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
>   /etc/rc\.d/init\.d/auditd --	gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
>   /etc/rc\.d/init\.d/rsyslog --	gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 5eeaece1..7d0a71d2 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -394,6 +394,7 @@ allow syslogd_t self:udp_socket create_socket_perms;
>   allow syslogd_t self:tcp_socket create_stream_socket_perms;
>   
>   allow syslogd_t syslog_conf_t:file read_file_perms;
> +allow syslogd_t syslog_conf_t:dir list_dir_perms;
>   
>   # Create and bind to /dev/log or /var/run/log.
>   allow syslogd_t devlog_t:sock_file manage_sock_file_perms;

I'm not clear why this is needed when the directory would be etc_t 
otherwise, which syslog can already list.

-- 
Chris PeBenito