From: dsugar@tresys.com (David Sugar)
Date: Fri, 8 Sep 2017 16:10:19 +0000
Subject: [refpolicy] [PATCH 1/1] Label /etc/rsyslog.d
In-Reply-To: <0b8dce3b-701b-ff9d-317b-6ae3708eae41@ieee.org>
References: <1B50C12ACFF4CB42B90D2581155DF50205B4E99B@Exchange10.columbia.tresys.com> <0b8dce3b-701b-ff9d-317b-6ae3708eae41@ieee.org>
Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B4F4D4@Exchange10.columbia.tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

> -----Original Message-----
> From: Chris PeBenito [mailto:pebenito at ieee.org]
> Sent: Friday, September 08, 2017 11:48 AM
> To: David Sugar; refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] [PATCH 1/1] Label /etc/rsyslog.d
>
> On 09/07/2017 10:47 AM, David Sugar via refpolicy wrote:
> > The directory /etc/rsyslog.d is used by rsyslog for drop-in
> > configuration files (referenced by the default /etc/rsyslog.conf).
> > Label as syslog_conf_t to match /etc/rsyslog.conf labeling.
> >
> > Signed-off-by: Dave Sugar
> > ---
> >  policy/modules/system/logging.fc | 1 +
> >  policy/modules/system/logging.te | 1 +
> >  2 files changed, 2 insertions(+)
> >
> > diff --git a/policy/modules/system/logging.fc > > b/policy/modules/system/logging.fc > > index 0d8a4173..b8df5fe7 100644 > > --- a/policy/modules/system/logging.fc > > +++ b/policy/modules/system/logging.fc > > @@ -2,6 +2,7 @@ > > > > /etc/rsyslog.conf > gen_context(system_u:object_r:syslog_conf_t,s0) > > /etc/syslog.conf > gen_context(system_u:object_r:syslog_conf_t,s0) > > +/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) > > /etc/audit(/.*)? > gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) > > /etc/rc\.d/init\.d/auditd -- > gen_context(system_u:object_r:auditd_initrc_exec_t,s0) > > /etc/rc\.d/init\.d/rsyslog -- > gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) > > diff --git a/policy/modules/system/logging.te > > b/policy/modules/system/logging.te > > index 5eeaece1..7d0a71d2 100644
> > --- a/policy/modules/system/logging.te > > +++ b/policy/modules/system/logging.te > > @@ -394,6 +394,7 @@ allow syslogd_t self:udp_socket > create_socket_perms; > > allow syslogd_t self:tcp_socket create_stream_socket_perms; > > > > allow syslogd_t syslog_conf_t:file read_file_perms; > > +allow syslogd_t syslog_conf_t:dir list_dir_perms; > > > > # Create and bind to /dev/log or /var/run/log. > > allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
>
> I'm not clear why this is needed when the directory would be etc_t
> otherwise, which syslog can already list.
>

Good point, I didn't make that clear in the text.

A domain that has access to edit/create files of syslog_conf_t would not be able to edit files in /etc/rsyslog.d/ as they are etc_t (as you pointed out). And granting permission to edit etc_t files seems like a bit too much access. The change to the .fc file labels the directory (and contained files) syslog_conf_t so all the syslog config files have the same type.

The change to the .if file to grant access to directory list permission was needed by rsyslog as it was (I assume) enumerating files in the directory.

I also have a change (which I planned to submit separately), also in logging.if, to the interface logging_admin_syslog, to add a filename to the 'files_etc_filetrans'. I was having a problem with a process that was creating files in an etc_t directory (that are not syslog config files) getting labeled syslog_conf_t. Maybe these two changes really are related and should be one patch.

Dave Sugar

> --
> Chris PeBenito
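Review bot: the commit message's only stated reason for the new `/etc/rsyslog.d(/.*)?` entry in logging.fc, "to match /etc/rsyslog.conf labeling", does not explain why the directory needs a type other than etc_t; the reason given later in this thread (a domain allowed to manage syslog_conf_t files cannot create or edit drop-ins while they are etc_t, and giving it etc_t write access is too broad) is the real justification and belongs in the commit message. Because the `(/.*)?` pattern relabels the directory itself and not just its contents, any domain that reaches syslog_conf_t files through the logging.if interfaces now also needs search on `syslog_conf_t:dir`; this patch adds that only for syslogd_t, so check whether the interfaces that hand out syslog_conf_t file access (logging_admin_syslog is the one named in this thread) need a matching dir rule. Minor style point: the new line sits between /etc/syslog.conf and /etc/audit; placing it directly after /etc/rsyslog.conf keeps the rsyslog entries together.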
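Review bot: `allow syslogd_t syslog_conf_t:dir list_dir_perms;` is required by the logging.fc hunk rather than independent of it: once /etc/rsyslog.d is syslog_conf_t instead of etc_t, syslogd_t's existing etc_t directory access no longer covers it, so without this rule rsyslog could not even search the directory to open its drop-ins. That dependency is the answer to "why is this needed" and should be stated in the commit message so the two hunks are not read separately. On the size of the grant: the reply says rsyslog is only assumed to enumerate the directory; if the default rsyslog.conf pulls the drop-ins in with a wildcard include, that is a directory read and list_dir_perms is the right set, whereas if it only opens files it names, search_dir_perms would be enough. Confirm from the actual denial before settling on list over search.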
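The reply's point that drop-ins under /etc/rsyslog.d fall back to etc_t until the directory gets its own file_contexts entry can be checked offline. The script below is an added example for this thread, not code from refpolicy or from the patch: it parses refpolicy-style .fc lines and resolves a path the way libselinux ranks competing entries (longest literal prefix before the first regex metacharacter wins, later line wins ties). The sample entries are constructed from the quoted logging.fc hunk; the `/etc/.*` catch-all for etc_t is assumed to be what refpolicy's files.fc supplies, and the `label_for`, `lookup` and `parse_fc` names are this example's own.

```python
"""Offline check of which file_contexts entry labels a path.

Added example for this thread, not code from refpolicy or from the
patch. It models the precedence libselinux applies when more than one
file_contexts regex matches a path: the entry whose literal prefix
(the characters before the first regex metacharacter) is longest wins,
and among equal prefixes the entry that appears later in the file wins.
"""
import re

# Constructed sample in refpolicy .fc syntax: an assumed /etc/.* catch-all
# (as in refpolicy's files.fc) plus logging.fc lines shown in the patch,
# without the new entry.
BASE_FC = r"""
/etc/.*              gen_context(system_u:object_r:etc_t,s0)
/etc/rsyslog.conf    gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog.conf     gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
"""
# The line the patch adds.
NEW_ENTRY = "/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)\n"

# regex, optional object-class flag (-- regular file, -d directory, ...),
# then gen_context(context,level).
FC_LINE = re.compile(r"^(\S+)(?:\s+(-[a-z-]))?\s+gen_context\(([^,]+),([^)]+)\)$")
# Characters treated as regex metacharacters when computing the literal prefix.
META = set(".^$?*+|[({\\")


def parse_fc(text):
    """Yield (regex, class_flag, context) for each non-empty .fc line."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError("unparsable .fc line: %r" % line)
        regex, flag, ctx, level = m.groups()
        yield regex, flag, "%s:%s" % (ctx, level)


def literal_prefix_len(regex):
    """Length of the literal prefix that ranks a spec's specificity."""
    n = 0
    for ch in regex:
        if ch in META:
            break
        n += 1
    return n


def lookup(entries, path):
    """Return (context, regex) of the winning entry for path, or None."""
    best = None
    for idx, (regex, _flag, ctx) in enumerate(entries):
        # file_contexts regexes are implicitly anchored at both ends.
        if re.fullmatch(regex, path) is None:
            continue
        rank = (literal_prefix_len(regex), idx)  # longer prefix, then later line
        if best is None or rank > best[0]:
            best = (rank, ctx, regex)
    return None if best is None else (best[1], best[2])


def label_for(path, with_patch):
    """Context a path gets without (False) or with (True) the patch's entry."""
    text = BASE_FC + (NEW_ENTRY if with_patch else "")
    hit = lookup(list(parse_fc(text)), path)
    return None if hit is None else hit[0]


if __name__ == "__main__":
    for p in ("/etc/rsyslog.conf", "/etc/rsyslog.d", "/etc/rsyslog.d/50-default.conf"):
        print("%-32s before: %-36s after: %s" % (p, label_for(p, False), label_for(p, True)))
```

Running it shows /etc/rsyslog.conf already resolving to syslog_conf_t either way, while /etc/rsyslog.d and its drop-ins move from etc_t to syslog_conf_t only once the new entry is present; the same check can be run against a real file_contexts with `matchpathcon` on a box where the policy is installed.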