trunk: fedora update cherry picked by david hardeman.

2008-08-22 15:17:01 +00:00 · 2008-08-22 15:17:01 +00:00 · c11057f7ae
commit c11057f7ae
parent 32f8ff393b
4 changed files with 260 additions and 36 deletions
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@ -1,5 +1,5 @@

-policy_module(setroubleshoot, 1.7.0)
+policy_module(setroubleshoot, 1.7.1)

 ########################################
 #
@ -98,7 +98,7 @@ miscfiles_read_localization(setroubleshootd_t)
 locallogin_dontaudit_use_fds(setroubleshootd_t)

 logging_send_syslog_msg(setroubleshootd_t)
-logging_stream_connect_auditd(setroubleshootd_t)
+logging_stream_connect_dispatcher(setroubleshootd_t)

 seutil_read_config(setroubleshootd_t)
 seutil_read_file_contexts(setroubleshootd_t)
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@ -4,6 +4,8 @@
 /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)

+/sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
+/sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
 /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
 /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
 /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
@ -20,6 +22,7 @@
 /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)

+/var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)

 ifdef(`distro_suse', `
@ -28,6 +31,7 @@ ifdef(`distro_suse', `

 /var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
+/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)

 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
@ -37,7 +41,7 @@ ifdef(`distro_suse', `
 /var/log/maillog[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-/var/log/syslog-ng(/.*)? --	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,s0)

 ifndef(`distro_gentoo',`
 /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
@ -48,7 +52,7 @@ ifdef(`distro_redhat',`
 ')

 /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
-/var/run/audispd_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
+/var/run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,s0)
 /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@ -213,12 +213,97 @@ interface(`logging_run_auditd',`
 ## </param>
 #
 interface(`logging_stream_connect_auditd',`
+	refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.')
+	logging_stream_connect_dispatcher($1)
+')
+
+########################################
+## <summary>
+##	Execute a domain transition to run the audit dispatcher.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_domtrans_dispatcher',`
 	gen_require(`
-		type auditd_t, auditd_var_run_t;
+		type audisp_t, audisp_exec_t;
+	')
+
+	domtrans_pattern($1, audisp_exec_t, audisp_t)
+')
+
+########################################
+## <summary>
+##	Signal the audit dispatcher.
+## </summary>
+## <param name="domain">
+## <summary>
+##	Domain allowed to transition.
+## </summary>
+## </param>
+#
+interface(`logging_signal_dispatcher',`
+	gen_require(`
+		type audisp_t;
+	')
+
+	allow $1 audisp_t:process signal;
+')
+
+########################################
+## <summary>
+##	Create a domain for processes
+##	which can be started by the system audit dispatcher
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Type to be used as a domain.
+##	</summary>
+## </param>
+## <param name="entry_point">
+##	<summary>
+##	Type of the program to be used as an entry point to this domain.
+##	</summary>
+## </param>
+#
+interface(`logging_dispatcher_domain',`
+	gen_require(`
+		type audisp_t;
+		role system_r;
+	')
+
+	domain_type($1)
+	domain_entry_file($1, $2)
+
+	role system_r types $1;
+
+	domtrans_pattern(audisp_t, $2, $1)
+	allow $1 audisp_t:process signal;
+
+	allow audisp_t $2:file getattr;
+	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+## <summary>
+##	Connect to the audit dispatcher over an unix stream socket.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_stream_connect_dispatcher',`
+	gen_require(`
+		type audisp_t, audisp_var_run_t;
 	')

 	files_search_pids($1)
-	stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
+	stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t)
 ')

 ########################################
@ -530,8 +615,7 @@ interface(`logging_append_all_logs',`
 	')

 	files_search_var($1)
-	allow $1 var_log_t:dir list_dir_perms;
-	allow $1 logfile:file { getattr append };
+	append_files_pattern($1, var_log_t, logfile)
 ')

 ########################################
@ -577,6 +661,25 @@ interface(`logging_exec_all_logs',`
 	can_exec($1,logfile)
 ')

+########################################
+## <summary>
+##	read/write to all log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_rw_all_logs',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	files_search_var($1)
+	rw_files_pattern($1, logfile, logfile)
+')
+
 ########################################
 ## <summary>
 ##	Create, read, write, and delete all log files.
@ -639,6 +742,24 @@ interface(`logging_write_generic_logs',`
 	write_files_pattern($1,var_log_t,var_log_t)
 ')

+########################################
+## <summary>
+##	Dontaudit Write generic log files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_dontaudit_write_generic_logs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	dontaudit $1 var_log_t:file write;
+')
+
 ########################################
 ## <summary>
 ##	Read and write generic log files.
@ -690,6 +811,16 @@ interface(`logging_manage_generic_logs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	User role allowed access.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	User terminal type.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`logging_admin_audit',`
@ -709,6 +840,8 @@ interface(`logging_admin_audit',`

 	manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
 	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
+
+	logging_run_auditctl($1, $2, $3)
 ')

 ########################################
@ -768,9 +901,19 @@ interface(`logging_admin_syslog',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="role">
+##	<summary>
+##	User role allowed access.
+##	</summary>
+## </param>
+## <param name="terminal">
+##	<summary>
+##	User terminal type.
+##	</summary>
+## </param>
 ## <rolecap/>
 #
 interface(`logging_admin',`
-	logging_admin_audit($1)
+	logging_admin_audit($1, $2, $3)
 	logging_admin_syslog($1)
 ')
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -1,5 +1,5 @@

-policy_module(logging, 1.11.1)
+policy_module(logging, 1.11.2)

 ########################################
 #
@ -27,6 +27,17 @@ init_daemon_domain(auditd_t,auditd_exec_t)
 type auditd_var_run_t;
 files_pid_file(auditd_var_run_t)

+type audisp_t;
+type audisp_exec_t;
+init_system_domain(audisp_t, audisp_exec_t)
+
+type audisp_var_run_t;
+files_pid_file(audisp_var_run_t)
+
+type audisp_remote_t;
+type audisp_remote_exec_t;
+logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t)
+
 type devlog_t;
 files_type(devlog_t)
 mls_trusted_object(devlog_t)
@ -62,7 +73,8 @@ logging_log_file(var_log_t)
 files_mountpoint(var_log_t)

 ifdef(`enable_mls',`
-	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
+	init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
+	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
 ')

 ########################################
@ -150,6 +162,8 @@ init_telinit(auditd_t)

 logging_set_audit_parameters(auditd_t)
 logging_send_syslog_msg(auditd_t)
+logging_domtrans_dispatcher(auditd_t)
+logging_signal_dispatcher(auditd_t)

 libs_use_ld_so(auditd_t)
 libs_use_shared_libs(auditd_t)
@ -161,6 +175,8 @@ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ dire

 seutil_dontaudit_read_config(auditd_t)

+sysnet_dns_name_resolve(auditd_t)
+
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)

 sysadm_dontaudit_search_home_dirs(auditd_t)
@ -171,6 +187,10 @@ ifdef(`distro_ubuntu',`
 	')
 ')

+optional_policy(`
+	mta_send_mail(auditd_t)
+')
+
 optional_policy(`
 	seutil_sigchld_newrole(auditd_t)
 ')
@ -179,6 +199,60 @@ optional_policy(`
 	udev_read_db(auditd_t)
 ')

+########################################
+#
+# audit dispatcher local policy
+#
+
+allow audisp_t self:capability sys_nice;
+allow audisp_t self:process setsched;
+allow audisp_t self:fifo_file rw_file_perms;
+allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow audisp_t self:unix_dgram_socket create_socket_perms;
+
+allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
+
+manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+
+corecmd_search_bin(audisp_t)
+
+domain_use_interactive_fds(audisp_t)
+
+files_read_etc_files(audisp_t)
+
+mls_file_write_all_levels(audisp_t)
+
+libs_use_ld_so(audisp_t)
+libs_use_shared_libs(audisp_t)
+
+logging_send_syslog_msg(audisp_t)
+
+miscfiles_read_localization(audisp_t)
+
+########################################
+#
+# Audit remote logger local policy
+#
+
+allow audisp_remote_t self:tcp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(audisp_remote_t)
+corenet_all_recvfrom_netlabel(audisp_remote_t)
+corenet_tcp_sendrecv_all_if(audisp_remote_t)
+corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
+
+files_read_etc_files(audisp_remote_t)
+
+libs_use_ld_so(audisp_remote_t)
+libs_use_shared_libs(audisp_remote_t)
+
+logging_send_syslog_msg(audisp_remote_t)
+
+miscfiles_read_localization(audisp_remote_t)
+
+sysnet_dns_name_resolve(audisp_remote_t)
+
 ########################################
 #
 # klogd local policy
@ -253,7 +327,6 @@ allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_a
 dontaudit syslogd_t self:capability sys_tty_config;
 # setpgid for metalog
 allow syslogd_t self:process { signal_perms setpgid };
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@ -290,6 +363,7 @@ files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
 manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
 files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)

+kernel_read_system_state(syslogd_t)
 kernel_read_kernel_sysctls(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 # Allow access to /proc/kmsg for syslog-ng
@ -297,20 +371,6 @@ kernel_read_messages(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)

-dev_filetrans(syslogd_t,devlog_t,sock_file)
-dev_read_sysfs(syslogd_t)
-
-fs_search_auto_mountpoints(syslogd_t)
-
-term_write_console(syslogd_t)
-# Allow syslog to a terminal
-term_write_unallocated_ttys(syslogd_t)
-
-# for sending messages to logged in users
-init_read_utmp(syslogd_t)
-init_dontaudit_write_utmp(syslogd_t)
-term_write_all_user_ttys(syslogd_t)
-
 corenet_all_recvfrom_unlabeled(syslogd_t)
 corenet_all_recvfrom_netlabel(syslogd_t)
 corenet_udp_sendrecv_all_if(syslogd_t)
@ -328,22 +388,45 @@ corenet_tcp_connect_rsh_port(syslogd_t)
 # Allow users to define additional syslog ports to connect to
 corenet_tcp_bind_syslogd_port(syslogd_t)
 corenet_tcp_connect_syslogd_port(syslogd_t)
+corenet_tcp_connect_postgresql_port(syslogd_t)
+corenet_tcp_connect_mysqld_port(syslogd_t)

 # syslog-ng can send or receive logs
 corenet_sendrecv_syslogd_client_packets(syslogd_t)
 corenet_sendrecv_syslogd_server_packets(syslogd_t)
+corenet_sendrecv_postgresql_client_packets(syslogd_t)
+corenet_sendrecv_mysqld_client_packets(syslogd_t)

-fs_getattr_all_fs(syslogd_t)
-
-init_use_fds(syslogd_t)
+dev_filetrans(syslogd_t,devlog_t,sock_file)
+dev_read_sysfs(syslogd_t)

 domain_use_interactive_fds(syslogd_t)

 files_read_etc_files(syslogd_t)
+files_read_usr_files(syslogd_t)
 files_read_var_files(syslogd_t)
 files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
 files_dontaudit_search_isid_type_dirs(syslogd_t)
+files_read_kernel_symbol_table(syslogd_t)
+
+fs_getattr_all_fs(syslogd_t)
+fs_search_auto_mountpoints(syslogd_t)
+
+mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+
+term_write_console(syslogd_t)
+# Allow syslog to a terminal
+term_write_unallocated_ttys(syslogd_t)
+
+# for sending messages to logged in users
+init_read_utmp(syslogd_t)
+init_dontaudit_write_utmp(syslogd_t)
+term_write_all_user_ttys(syslogd_t)
+
+auth_use_nsswitch(syslogd_t)
+
+init_use_fds(syslogd_t)

 libs_use_ld_so(syslogd_t)
 libs_use_shared_libs(syslogd_t)
@ -351,8 +434,6 @@ libs_use_shared_libs(syslogd_t)
 # cjp: this doesnt make sense
 logging_send_syslog_msg(syslogd_t)

-sysnet_read_config(syslogd_t)
-
 miscfiles_read_localization(syslogd_t)

 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
@ -382,11 +463,7 @@ optional_policy(`
 ')

 optional_policy(`
-	nis_use_ypbind(syslogd_t)
-')
-
-optional_policy(`
-	nscd_socket_use(syslogd_t)
+	postgresql_stream_connect(syslogd_t)
 ')

 optional_policy(`