From: pebenito@ieee.org (Chris PeBenito) Date: Fri, 8 Sep 2017 11:48:25 -0400 Subject: [refpolicy] [PATCH 1/1] Label /etc/rsyslog.d In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B4E99B@Exchange10.columbia.tresys.com> References: <1B50C12ACFF4CB42B90D2581155DF50205B4E99B@Exchange10.columbia.tresys.com> Message-ID: <0b8dce3b-701b-ff9d-317b-6ae3708eae41@ieee.org> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/07/2017 10:47 AM, David Sugar via refpolicy wrote: > The directory /etc/rsyslog.d is used by rsyslog for drop-in configuration files (referenced by the default /etc/rsyslog.conf). Label as syslog_conf_t to match /etc/rsyslog.conf labeling. > > > Signed-off-by: Dave Sugar > --- > policy/modules/system/logging.fc | 1 + > policy/modules/system/logging.te | 1 + > 2 files changed, 2 insertions(+) > > diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc > index 0d8a4173..b8df5fe7 100644 > --- a/policy/modules/system/logging.fc > +++ b/policy/modules/system/logging.fc > @@ -2,6 +2,7 @@ > > /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) > /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) > +/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) > /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) > /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) > /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) > diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te > index 5eeaece1..7d0a71d2 100644 > --- a/policy/modules/system/logging.te > +++ b/policy/modules/system/logging.te > @@ -394,6 +394,7 @@ allow syslogd_t self:udp_socket create_socket_perms; > allow syslogd_t self:tcp_socket create_stream_socket_perms; > > allow syslogd_t syslog_conf_t:file read_file_perms; > +allow syslogd_t syslog_conf_t:dir list_dir_perms; > > # Create and bind to /dev/log or /var/run/log. > allow syslogd_t devlog_t:sock_file manage_sock_file_perms; I'm not clear why this is needed when the directory would be etc_t otherwise, which syslog can already list. -- Chris PeBenito