2017-04-17 12:01:53

by Russell Coker

Subject: [refpolicy] [PATCH] logging patches

Patches for logrotate, webalizer, sysstat, and logwatch.

--- refpolicy-2.20170417.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20170417/policy/modules/contrib/logrotate.te
@@ -36,7 +36,7 @@ role system_r types logrotate_mail_t;
# Local policy
#

-allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill net_admin setgid setuid sys_nice sys_resource };
allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
@@ -89,6 +89,7 @@ files_dontaudit_list_mnt(logrotate_t)
fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
fs_list_inotifyfs(logrotate_t)
+fs_getattr_tmpfs(logrotate_t)

mls_file_read_all_levels(logrotate_t)
mls_file_write_all_levels(logrotate_t)
@@ -102,8 +103,10 @@ auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)

init_all_labeled_script_domtrans(logrotate_t)
+init_startstop_all_script_services(logrotate_t)
init_get_generic_units_status(logrotate_t)
init_get_all_units_status(logrotate_t)
+init_get_system_status(logrotate_t)
init_dbus_chat(logrotate_t)
init_stream_connect(logrotate_t)
init_manage_all_units(logrotate_t)
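Review bot: `init_startstop_all_script_services(logrotate_t)` lets logrotate_t start and stop every init-script service, which is far broader than the reload or restart that a single postrotate hook needs, and the hunk gives no hint which service's rotation triggered the denial. The practical widening is smaller than it looks because the unchanged context line `init_manage_all_units(logrotate_t)` already grants comparable control over systemd units, but the two grants should be justified together. A short comment above the new line, e.g. `# postrotate hooks restart services through their init scripts`, would record the reason and let a later reviewer judge whether a per-service interface could replace it.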
@@ -218,6 +221,7 @@ optional_policy(`
optional_policy(`
mysql_read_config(logrotate_t)
mysql_stream_connect(logrotate_t)
+ mysql_signal(logrotate_t)
')

optional_policy(`
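Review bot: `mysql_signal(logrotate_t)` in the mysql optional block allows logrotate_t to deliver any ordinary signal (SIGTERM included) to the mysql daemon, while the existing `mysql_stream_connect` already covers the `mysqladmin flush-logs` style of rotation, so it is not clear from the hunk which signal the postrotate script actually sends (SIGHUP presumably; confirm against the shipped logrotate snippet). A comment naming the signal, e.g. `# postrotate sends SIGHUP to reopen the log files`, would justify the grant, and if the script only probes for a running daemon a signull-only grant would be tighter should such an interface exist. The trailing `optional_policy(` context line opens a block that continues outside the hunk.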
--- refpolicy-2.20170417.orig/policy/modules/contrib/webalizer.te
+++ refpolicy-2.20170417/policy/modules/contrib/webalizer.te
@@ -22,6 +22,9 @@ files_tmp_file(webalizer_tmp_t)
type webalizer_var_lib_t;
files_type(webalizer_var_lib_t)

+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
########################################
#
# Local policy
@@ -36,11 +39,15 @@ allow webalizer_t self:unix_stream_socke
allow webalizer_t self:tcp_socket { accept listen };

allow webalizer_t webalizer_etc_t:file read_file_perms;
+files_read_usr_files(webalizer_t)

manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })

+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)

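Review bot: The new `manage_dirs_pattern`/`manage_files_pattern` rules on webalizer_log_t are not paired with a `logging_log_filetrans` rule, and the patch carries no webalizer.fc change, so nothing visible in this diff ever labels a file webalizer_log_t; files that webalizer_t creates under /var/log would inherit the directory's type, where the new manage rules do not apply, which is presumably the very denial that prompted the type. Adding `logging_log_filetrans(webalizer_t, webalizer_log_t, { file dir })` beside the manage rules, together with a file-context entry for webalizer's log path, would make the type take effect. If the fc entry is coming in a separate patch, saying so in the description would help.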
--- refpolicy-2.20170417.orig/policy/modules/contrib/sysstat.te
+++ refpolicy-2.20170417/policy/modules/contrib/sysstat.te
@@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_ov
allow sysstat_t self:fifo_file rw_fifo_file_perms;

manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
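Review bot: Replacing `append_files_pattern`/`create_files_pattern` with `manage_files_pattern` on sysstat_log_t additionally grants read, write, unlink and rename, so sysstat_t can now truncate or delete its own accounting history instead of only appending to it, which weakens the append-only property these files had. The likely driver is sa2's removal of expired daily files, but the hunk does not say so. A one-line comment above the rule, e.g. `# sa2 deletes expired sa/sar files, so append-only is not enough`, would record why the wider grant is needed.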
@@ -39,12 +38,15 @@ kernel_read_fs_sysctls(sysstat_t)
kernel_read_rpc_sysctls(sysstat_t)

corecmd_exec_bin(sysstat_t)
+corecmd_exec_shell(sysstat_t)

dev_read_sysfs(sysstat_t)
+dev_getattr_sysfs(sysstat_t)
dev_read_urand(sysstat_t)

files_search_var(sysstat_t)
files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)

fs_getattr_xattr_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
@@ -66,4 +68,5 @@ userdom_dontaudit_list_user_home_dirs(sy

optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
+ cron_rw_tmp_files(sysstat_t)
')
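Review bot: `cron_rw_tmp_files(sysstat_t)` grants open as well as read and write on cron's temporary files, which is more than is exercised if sysstat only writes job output through a descriptor inherited from cron, the usual cause of this denial, since an inherited fd needs `write` but never `open`. If this tree has an interface restricted to inherited cron temp files it would be the tighter choice; otherwise a comment such as `# job output goes to a cron temp file via an inherited fd` would justify the grant. This is inferred from the surrounding `cron_system_entry` call rather than from anything in the hunk, so confirm against the audit log.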
--- refpolicy-2.20170417.orig/policy/modules/contrib/logwatch.te
+++ refpolicy-2.20170417/policy/modules/contrib/logwatch.te
@@ -160,6 +160,10 @@ optional_policy(`
')

optional_policy(`
+ raid_domtrans_mdadm(logwatch_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')

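Review bot: `raid_domtrans_mdadm(logwatch_t)` lets logwatch_t execute mdadm in the privileged mdadm_t domain with whatever arguments logwatch's service scripts supply, and nothing in the hunk records which script needs it (presumably the RAID status report; confirm). A comment above the call, e.g. `# logwatch's raid service script runs mdadm to report array status`, would document the dependency. The transition itself is the right shape, since it avoids giving logwatch_t direct access to md devices.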
@@ -189,4 +193,5 @@ logging_read_all_logs(logwatch_mail_t)

optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
+ cron_rw_system_job_pipes(logwatch_mail_t)
')


2017-04-19 01:07:40

by Chris PeBenito

Subject: [refpolicy] [PATCH] logging patches

On 04/17/2017 08:01 AM, Russell Coker via refpolicy wrote:
> Patches for logrotate, webalizer, sysstat, and logwatch.

Merged with some line moving.

> --- refpolicy-2.20170417.orig/policy/modules/contrib/logrotate.te
> +++ refpolicy-2.20170417/policy/modules/contrib/logrotate.te
> @@ -36,7 +36,7 @@ role system_r types logrotate_mail_t;
> # Local policy
> #
>
> -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
> +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill net_admin setgid setuid sys_nice sys_resource };

Dropped this as it needs justification.

> allow logrotate_t self:process ~{ ptrace setcurrent setexec execmem execstack execheap };
> allow logrotate_t self:fd use;
> allow logrotate_t self:key manage_key_perms;
> @@ -89,6 +89,7 @@ files_dontaudit_list_mnt(logrotate_t)
> fs_search_auto_mountpoints(logrotate_t)
> fs_getattr_xattr_fs(logrotate_t)
> fs_list_inotifyfs(logrotate_t)
> +fs_getattr_tmpfs(logrotate_t)
>
> mls_file_read_all_levels(logrotate_t)
> mls_file_write_all_levels(logrotate_t)
> @@ -102,8 +103,10 @@ auth_manage_login_records(logrotate_t)
> auth_use_nsswitch(logrotate_t)
>
> init_all_labeled_script_domtrans(logrotate_t)
> +init_startstop_all_script_services(logrotate_t)
> init_get_generic_units_status(logrotate_t)
> init_get_all_units_status(logrotate_t)
> +init_get_system_status(logrotate_t)
> init_dbus_chat(logrotate_t)
> init_stream_connect(logrotate_t)
> init_manage_all_units(logrotate_t)
> @@ -218,6 +221,7 @@ optional_policy(`
> optional_policy(`
> mysql_read_config(logrotate_t)
> mysql_stream_connect(logrotate_t)
> + mysql_signal(logrotate_t)
> ')
>
> optional_policy(`
> --- refpolicy-2.20170417.orig/policy/modules/contrib/webalizer.te
> +++ refpolicy-2.20170417/policy/modules/contrib/webalizer.te
> @@ -22,6 +22,9 @@ files_tmp_file(webalizer_tmp_t)
> type webalizer_var_lib_t;
> files_type(webalizer_var_lib_t)
>
> +type webalizer_log_t;
> +logging_log_file(webalizer_log_t)
> +
> ########################################
> #
> # Local policy
> @@ -36,11 +39,15 @@ allow webalizer_t self:unix_stream_socke
> allow webalizer_t self:tcp_socket { accept listen };
>
> allow webalizer_t webalizer_etc_t:file read_file_perms;
> +files_read_usr_files(webalizer_t)
>
> manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
> manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
> files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
>
> +manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
> +manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
> +
> manage_files_pattern(webalizer_t, webalizer_var_lib_t, webalizer_var_lib_t)
> files_var_lib_filetrans(webalizer_t, webalizer_var_lib_t, file)
>
> --- refpolicy-2.20170417.orig/policy/modules/contrib/sysstat.te
> +++ refpolicy-2.20170417/policy/modules/contrib/sysstat.te
> @@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_ov
> allow sysstat_t self:fifo_file rw_fifo_file_perms;
>
> manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
> -append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
> -create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
> +manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
> setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
> manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
> logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
> @@ -39,12 +38,15 @@ kernel_read_fs_sysctls(sysstat_t)
> kernel_read_rpc_sysctls(sysstat_t)
>
> corecmd_exec_bin(sysstat_t)
> +corecmd_exec_shell(sysstat_t)
>
> dev_read_sysfs(sysstat_t)
> +dev_getattr_sysfs(sysstat_t)
> dev_read_urand(sysstat_t)
>
> files_search_var(sysstat_t)
> files_read_etc_runtime_files(sysstat_t)
> +files_search_all_mountpoints(sysstat_t)
>
> fs_getattr_xattr_fs(sysstat_t)
> fs_list_inotifyfs(sysstat_t)
> @@ -66,4 +68,5 @@ userdom_dontaudit_list_user_home_dirs(sy
>
> optional_policy(`
> cron_system_entry(sysstat_t, sysstat_exec_t)
> + cron_rw_tmp_files(sysstat_t)
> ')
> --- refpolicy-2.20170417.orig/policy/modules/contrib/logwatch.te
> +++ refpolicy-2.20170417/policy/modules/contrib/logwatch.te
> @@ -160,6 +160,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + raid_domtrans_mdadm(logwatch_t)
> +')
> +
> +optional_policy(`
> rpc_search_nfs_state_data(logwatch_t)
> ')
>
> @@ -189,4 +193,5 @@ logging_read_all_logs(logwatch_mail_t)
>
> optional_policy(`
> cron_use_system_job_fds(logwatch_mail_t)
> + cron_rw_system_job_pipes(logwatch_mail_t)
> ')



--
Chris PeBenito