From: pebenito@ieee.org (Chris PeBenito) Date: Mon, 11 Sep 2017 20:26:22 -0400 Subject: [refpolicy] [PATCH-v2 1/1] Label /etc/rsyslog.d as syslog_conf_t In-Reply-To: <1B50C12ACFF4CB42B90D2581155DF50205B4F81A@Exchange10.columbia.tresys.com> References: <1B50C12ACFF4CB42B90D2581155DF50205B4F81A@Exchange10.columbia.tresys.com> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 09/08/2017 10:30 PM, David Sugar via refpolicy wrote: > This is a minor update of the last attempt at this patch. > > Changes in .fc to label /etc/rsyslog.d(/.*)? as syslog_conf_t so all rsyslog config files are labeled syslog_conf_t (not just /etc/r?syslog.conf). Update .te file to allow rsyslog to read the directory now labeled syslog_conf_t (files of this type were already readable). Final (and new) change is in logging_admin_syslog interface so files_etc_filetrans now includes the optional filename so /etc/r?syslog.conf would be labeled correctly when created in etc_t. > > The overall goal of this patch is that a domain using the logging_admin_syslog is able to create/edit files in /etc/rsyslog.d and they get created as syslog_conf_t AND other files created in /etc (or other etc_t labeled directory) don't get created with the syslog_conf_t type as they are not necessarily syslog configuration files. > > Dave Sugar > dsugar at tresys.com > > Signed-off-by: Dave Sugar > --- > policy/modules/system/logging.fc | 1 + > policy/modules/system/logging.if | 3 ++- > policy/modules/system/logging.te | 1 + > 3 files changed, 4 insertions(+), 1 deletion(-) > > diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc > index 0d8a4173..b8df5fe7 100644 > --- a/policy/modules/system/logging.fc > +++ b/policy/modules/system/logging.fc > @@ -2,6 +2,7 @@ > > /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) > /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) > +/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) > /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) > /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) > /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) > diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if > index 8633dfc4..90be7596 100644 > --- a/policy/modules/system/logging.if > +++ b/policy/modules/system/logging.if > @@ -1250,7 +1250,8 @@ interface(`logging_admin_syslog',` > > manage_dirs_pattern($1, syslog_conf_t, syslog_conf_t) > manage_files_pattern($1, syslog_conf_t, syslog_conf_t) > - files_etc_filetrans($1, syslog_conf_t, file) > + files_etc_filetrans($1, syslog_conf_t, file, "rsyslog.conf") > + files_etc_filetrans($1, syslog_conf_t, file, "syslog.conf") > > manage_dirs_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) > manage_files_pattern($1, syslogd_var_lib_t, syslogd_var_lib_t) > diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te > index 5eeaece1..7d0a71d2 100644 > --- a/policy/modules/system/logging.te > +++ b/policy/modules/system/logging.te > @@ -394,6 +394,7 @@ allow syslogd_t self:udp_socket create_socket_perms; > allow syslogd_t self:tcp_socket create_stream_socket_perms; > > allow syslogd_t syslog_conf_t:file read_file_perms; > +allow syslogd_t syslog_conf_t:dir list_dir_perms; > > # Create and bind to /dev/log or /var/run/log. > allow syslogd_t devlog_t:sock_file manage_sock_file_perms; Merged. -- Chris PeBenito