From: dsugar@tresys.com (David Sugar) Date: Sat, 9 Sep 2017 02:30:37 +0000 Subject: [refpolicy] [PATCH-v2 1/1] Label /etc/rsyslog.d as syslog_conf_t Message-ID: <1B50C12ACFF4CB42B90D2581155DF50205B4F81A@Exchange10.columbia.tresys.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com This is a minor update of the last attempt at this patch. Changes in .fc to label /etc/rsyslog.d(/.*)? as syslog_conf_t so all rsyslog config files are labeled syslog_conf_t (not just /etc/r?syslog.conf). Update .te file to allow rsyslog to read the directory now labeled syslog_conf_t (files of this type were already readable). Final (and new) change is in logging_admin_syslog interface so files_etc_filetrans now includes the optional filename so /etc/r?syslog.conf would be labeled correctly when created in etc_t. The overall goal of this patch is that a domain using the logging_admin_syslog is able to create/edit files in /etc/rsyslog.d and they get created as syslog_conf_t AND other files created in /etc (or other etc_t labeled directory) don't get created with the syslog_conf_t type as they are not necessarily syslog configuration files. Dave Sugar dsugar at tresys.com Signed-off-by: Dave Sugar --- policy/modules/system/logging.fc | 1 + policy/modules/system/logging.if | 3 ++- policy/modules/system/logging.te | 1 + 3 files changed, 4 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index 0d8a4173..b8df5fe7 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -2,6 +2,7 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 8633dfc4..90be7596 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -1250,7 +1250,8 @@ interface(`logging_admin_syslog',` manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t) manage_files_pattern($1, syslog_conf_t, syslog_conf_t) - files_etc_filetrans($1, syslog_conf_t, file) + files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") + files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 5eeaece1..7d0a71d2 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -394,6 +394,7 @@ allow syslogd_t self:udp_socket create_socket_perms; allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; +allow syslogd_t syslog_conf_t:dir list_dir_perms; # Create and bind to /dev/log or /var/run/log. allow syslogd_t devlog_t:sock_file manage_sock_file_perms; -- 2.13.5