From: aranea@aixah.de (Luis Ressel) Date: Tue, 12 Sep 2017 03:58:56 +0200 Subject: [refpolicy] [PATCH 2/3] logging: Label /etc/audisp as auditd_etc_t In-Reply-To: <4d10ffc3-741f-9195-c31b-083b19cfe6b4@ieee.org> References: <20170911220239.1953-1-aranea@aixah.de> <20170911220239.1953-2-aranea@aixah.de> <4d10ffc3-741f-9195-c31b-083b19cfe6b4@ieee.org> Message-ID: <20170912035856.3d7fc9c2@vega.skynet.aixah.de> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Mon, 11 Sep 2017 20:19:23 -0400 Chris PeBenito via refpolicy wrote: > On 09/11/2017 06:02 PM, Luis Ressel via refpolicy wrote: > > --- > > policy/modules/system/logging.fc | 1 + > > policy/modules/system/logging.te | 1 + > > 2 files changed, 2 insertions(+) > > > > diff --git a/policy/modules/system/logging.fc > > b/policy/modules/system/logging.fc index 0d8a4173..5c166aa9 100644 > > --- a/policy/modules/system/logging.fc > > +++ b/policy/modules/system/logging.fc > > @@ -3,6 +3,7 @@ > > /etc/rsyslog.conf > > gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf > > gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? > > gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) > > +/etc/audisp(/.*)? > > gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) /etc/rc\.d/init\.d/auditd > > -- > > gen_context(system_u:object_r:auditd_initrc_exec_t,s0) /etc/rc\.d/init\.d/rsyslog > > -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) > > diff --git a/policy/modules/system/logging.te > > b/policy/modules/system/logging.te index 47280f44..bbb01137 100644 > > --- a/policy/modules/system/logging.te +++ > > b/policy/modules/system/logging.te 
@@ -261,6 +261,7 @@ > > files_read_etc_runtime_files(audisp_t) > > mls_file_write_all_levels(audisp_t) > > +logging_read_audit_config(audisp_t) > > logging_send_syslog_msg(audisp_t) > > > > miscfiles_read_localization(audisp_t) > > I'm not clear why this is needed. I don't think this config should > be lumped in with auditd_etc_t, which includes audit rules (hence is > system high). The configuration for the dispatcher is not sensitive > nor security files like audit rules are. > Sorry, on further consideration I agree with you.
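Review bot: In the logging.fc hunk, the new `/etc/audisp(/.*)?` entry inherits `mls_systemhigh` together with `auditd_etc_t`, which over-classifies the dispatcher configuration: that level is there to protect the audit rules, and on an MLS policy it also makes the files unreadable to any subject running below system high, while widening what `auditd_etc_t` is taken to mean. Suggest leaving `/etc/audisp` on the default `etc_t` (or giving it its own type if a dedicated one is wanted) rather than folding it into `auditd_etc_t`. Style point as well: the fc entries are kept in sorted order and `audisp` sorts before `audit`, so if the line is kept it belongs above the `/etc/audit(/.*)?` entry, not below it.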
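Review bot: In the logging.te hunk, `logging_read_audit_config(audisp_t)` grants `audisp_t` read access to everything labelled `auditd_etc_t`, which, as the reply points out, includes the audit rules rather than just the dispatcher's own files; it only exists to service the relabel in the first hunk, so if `/etc/audisp` stays off `auditd_etc_t` this line should be dropped with it (or swapped for an interface on whatever type `/etc/audisp` ends up with). The patch also has no description body: a sentence naming the denial or the file `audisp_t` was unable to read would make the need for the access reviewable.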