trunk: fedora update cherry picked by david hardeman.

2008-08-22 15:17:01 +00:00 · 2008-08-22 15:17:01 +00:00 · c11057f7ae
commit c11057f7ae
parent 32f8ff393b
4 changed files with 260 additions and 36 deletions
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@ -1,5 +1,5 @@
-policy_module(setroubleshoot, 1.7.0)
+policy_module(setroubleshoot, 1.7.1)
 ########################################
 #
@ -98,7 +98,7 @@ miscfiles_read_localization(setroubleshootd_t)
 locallogin_dontaudit_use_fds(setroubleshootd_t)
 logging_send_syslog_msg(setroubleshootd_t)
-logging_stream_connect_auditd(setroubleshootd_t)
+logging_stream_connect_dispatcher(setroubleshootd_t)
 seutil_read_config(setroubleshootd_t)
 seutil_read_file_contexts(setroubleshootd_t)
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@ -4,6 +4,8 @@
 /etc/syslog.conf		gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/audit(/.*)?		gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
 /sbin/audispd		--	gen_context(system_u:object_r:audisp_exec_t,s0)
 /sbin/audisp-remote	--	gen_context(system_u:object_r:audisp_remote_exec_t,s0)
 /sbin/auditctl		--	gen_context(system_u:object_r:auditctl_exec_t,s0)
 /sbin/auditd		--	gen_context(system_u:object_r:auditd_exec_t,s0)
 /sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
@ -20,6 +22,7 @@
 /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 ifdef(`distro_suse', `
@ -28,6 +31,7 @@ ifdef(`distro_suse', `
 /var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 /var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
@ -37,7 +41,7 @@ ifdef(`distro_suse', `
 /var/log/maillog[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-/var/log/syslog-ng(/.*)? --	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/log/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_run_t,s0)
 ifndef(`distro_gentoo',`
 /var/log/audit\.log	--	gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
@ -48,7 +52,7 @@ ifdef(`distro_redhat',`
 ')
 /var/run/audit_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
-/var/run/audispd_events	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
+/var/run/audispd_events	-s	gen_context(system_u:object_r:audisp_var_run_t,s0)
 /var/run/auditd\.pid	--	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,s0)
 /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@ -213,12 +213,97 @@ interface(`logging_run_auditd',`
 ## </param>
 #
 interface(`logging_stream_connect_auditd',`
 	refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.')
 	logging_stream_connect_dispatcher($1)
 ')
 ########################################
 ## <summary>
 ##	Execute a domain transition to run the audit dispatcher.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`logging_domtrans_dispatcher',`
 	gen_require(`
-		type auditd_t, auditd_var_run_t;
+		type audisp_t, audisp_exec_t;
 	')
 	domtrans_pattern($1, audisp_exec_t, audisp_t)
 ')
 ########################################
 ## <summary>
 ##	Signal the audit dispatcher.
 ## </summary>
 ## <param name="domain">
 ## <summary>
 ##	Domain allowed to transition.
 ## </summary>
 ## </param>
 #
 interface(`logging_signal_dispatcher',`
 	gen_require(`
 		type audisp_t;
 	')
 	allow $1 audisp_t:process signal;
 ')
 ########################################
 ## <summary>
 ##	Create a domain for processes
 ##	which can be started by the system audit dispatcher
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Type to be used as a domain.
 ##	</summary>
 ## </param>
 ## <param name="entry_point">
 ##	<summary>
 ##	Type of the program to be used as an entry point to this domain.
 ##	</summary>
 ## </param>
 #
 interface(`logging_dispatcher_domain',`
 	gen_require(`
 		type audisp_t;
 		role system_r;
 	')
 	domain_type($1)
 	domain_entry_file($1, $2)
 	role system_r types $1;
 	domtrans_pattern(audisp_t, $2, $1)
 	allow $1 audisp_t:process signal;
 	allow audisp_t $2:file getattr;
 	allow $1 audisp_t:unix_stream_socket rw_socket_perms;
 ')
 ########################################
 ## <summary>
 ##	Connect to the audit dispatcher over an unix stream socket.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`logging_stream_connect_dispatcher',`
 	gen_require(`
 		type audisp_t, audisp_var_run_t;
 	')
 	files_search_pids($1)
-	stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
+	stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t)
 ')
 ########################################
@ -530,8 +615,7 @@ interface(`logging_append_all_logs',`
 	')
 	files_search_var($1)
-	allow $1 var_log_t:dir list_dir_perms;
+	append_files_pattern($1, var_log_t, logfile)
 	allow $1 logfile:file { getattr append };
 ')
 ########################################
@ -577,6 +661,25 @@ interface(`logging_exec_all_logs',`
 	can_exec($1,logfile)
 ')
 ########################################
 ## <summary>
 ##	read/write to all log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`logging_rw_all_logs',`
 	gen_require(`
 		attribute logfile;
 	')
 	files_search_var($1)
 	rw_files_pattern($1, logfile, logfile)
 ')
 ########################################
 ## <summary>
 ##	Create, read, write, and delete all log files.
@ -639,6 +742,24 @@ interface(`logging_write_generic_logs',`
 	write_files_pattern($1,var_log_t,var_log_t)
 ')
 ########################################
 ## <summary>
 ##	Dontaudit Write generic log files.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 #
 interface(`logging_dontaudit_write_generic_logs',`
 	gen_require(`
 		type var_log_t;
 	')
 	dontaudit $1 var_log_t:file write;
 ')
 ########################################
 ## <summary>
 ##	Read and write generic log files.
@ -690,6 +811,16 @@ interface(`logging_manage_generic_logs',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
 ##	<summary>
 ##	User role allowed access.
 ##	</summary>
 ## </param>
 ## <param name="terminal">
 ##	<summary>
 ##	User terminal type.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`logging_admin_audit',`
@ -709,6 +840,8 @@ interface(`logging_admin_audit',`
 	manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
 	manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
 	logging_run_auditctl($1, $2, $3)
 ')
 ########################################
@ -768,9 +901,19 @@ interface(`logging_admin_syslog',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
 ## <param name="role">
 ##	<summary>
 ##	User role allowed access.
 ##	</summary>
 ## </param>
 ## <param name="terminal">
 ##	<summary>
 ##	User terminal type.
 ##	</summary>
 ## </param>
 ## <rolecap/>
 #
 interface(`logging_admin',`
-	logging_admin_audit($1)
+	logging_admin_audit($1, $2, $3)
 	logging_admin_syslog($1)
 ')
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@ -1,5 +1,5 @@
-policy_module(logging, 1.11.1)
+policy_module(logging, 1.11.2)
 ########################################
 #
@ -27,6 +27,17 @@ init_daemon_domain(auditd_t,auditd_exec_t)
 type auditd_var_run_t;
 files_pid_file(auditd_var_run_t)
 type audisp_t;
 type audisp_exec_t;
 init_system_domain(audisp_t, audisp_exec_t)
 type audisp_var_run_t;
 files_pid_file(audisp_var_run_t)
 type audisp_remote_t;
 type audisp_remote_exec_t;
 logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t)
 type devlog_t;
 files_type(devlog_t)
 mls_trusted_object(devlog_t)
@ -62,7 +73,8 @@ logging_log_file(var_log_t)
 files_mountpoint(var_log_t)
 ifdef(`enable_mls',`
-	init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
+	init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
 	init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
 ')
 ########################################
@ -150,6 +162,8 @@ init_telinit(auditd_t)
 logging_set_audit_parameters(auditd_t)
 logging_send_syslog_msg(auditd_t)
 logging_domtrans_dispatcher(auditd_t)
 logging_signal_dispatcher(auditd_t)
 libs_use_ld_so(auditd_t)
 libs_use_shared_libs(auditd_t)
@ -161,6 +175,8 @@ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ dire
 seutil_dontaudit_read_config(auditd_t)
 sysnet_dns_name_resolve(auditd_t)
 userdom_dontaudit_use_unpriv_user_fds(auditd_t)
 sysadm_dontaudit_search_home_dirs(auditd_t)
@ -171,6 +187,10 @@ ifdef(`distro_ubuntu',`
 	')
 ')
 optional_policy(`
 	mta_send_mail(auditd_t)
 ')
 optional_policy(`
 	seutil_sigchld_newrole(auditd_t)
 ')
@ -179,6 +199,60 @@ optional_policy(`
 	udev_read_db(auditd_t)
 ')
 ########################################
 #
 # audit dispatcher local policy
 #
 allow audisp_t self:capability sys_nice;
 allow audisp_t self:process setsched;
 allow audisp_t self:fifo_file rw_file_perms;
 allow audisp_t self:unix_stream_socket create_stream_socket_perms;
 allow audisp_t self:unix_dgram_socket create_socket_perms;
 allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
 corecmd_search_bin(audisp_t)
 domain_use_interactive_fds(audisp_t)
 files_read_etc_files(audisp_t)
 mls_file_write_all_levels(audisp_t)
 libs_use_ld_so(audisp_t)
 libs_use_shared_libs(audisp_t)
 logging_send_syslog_msg(audisp_t)
 miscfiles_read_localization(audisp_t)
 ########################################
 #
 # Audit remote logger local policy
 #
 allow audisp_remote_t self:tcp_socket create_socket_perms;
 corenet_all_recvfrom_unlabeled(audisp_remote_t)
 corenet_all_recvfrom_netlabel(audisp_remote_t)
 corenet_tcp_sendrecv_all_if(audisp_remote_t)
 corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
 files_read_etc_files(audisp_remote_t)
 libs_use_ld_so(audisp_remote_t)
 libs_use_shared_libs(audisp_remote_t)
 logging_send_syslog_msg(audisp_remote_t)
 miscfiles_read_localization(audisp_remote_t)
 sysnet_dns_name_resolve(audisp_remote_t)
 ########################################
 #
 # klogd local policy
@ -253,7 +327,6 @@ allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_a
 dontaudit syslogd_t self:capability sys_tty_config;
 # setpgid for metalog
 allow syslogd_t self:process { signal_perms setpgid };
 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@ -290,6 +363,7 @@ files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
 manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
 files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
 kernel_read_system_state(syslogd_t)
 kernel_read_kernel_sysctls(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 # Allow access to /proc/kmsg for syslog-ng
@ -297,20 +371,6 @@ kernel_read_messages(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
 dev_filetrans(syslogd_t,devlog_t,sock_file)
 dev_read_sysfs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
 term_write_console(syslogd_t)
 # Allow syslog to a terminal
 term_write_unallocated_ttys(syslogd_t)
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
 term_write_all_user_ttys(syslogd_t)
 corenet_all_recvfrom_unlabeled(syslogd_t)
 corenet_all_recvfrom_netlabel(syslogd_t)
 corenet_udp_sendrecv_all_if(syslogd_t)
@ -328,22 +388,45 @@ corenet_tcp_connect_rsh_port(syslogd_t)
 # Allow users to define additional syslog ports to connect to
 corenet_tcp_bind_syslogd_port(syslogd_t)
 corenet_tcp_connect_syslogd_port(syslogd_t)
 corenet_tcp_connect_postgresql_port(syslogd_t)
 corenet_tcp_connect_mysqld_port(syslogd_t)
 # syslog-ng can send or receive logs
 corenet_sendrecv_syslogd_client_packets(syslogd_t)
 corenet_sendrecv_syslogd_server_packets(syslogd_t)
 corenet_sendrecv_postgresql_client_packets(syslogd_t)
 corenet_sendrecv_mysqld_client_packets(syslogd_t)
-fs_getattr_all_fs(syslogd_t)
+dev_filetrans(syslogd_t,devlog_t,sock_file)
-
+dev_read_sysfs(syslogd_t)
 init_use_fds(syslogd_t)
 domain_use_interactive_fds(syslogd_t)
 files_read_etc_files(syslogd_t)
 files_read_usr_files(syslogd_t)
 files_read_var_files(syslogd_t)
 files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
 files_dontaudit_search_isid_type_dirs(syslogd_t)
 files_read_kernel_symbol_table(syslogd_t)
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
 mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
 term_write_console(syslogd_t)
 # Allow syslog to a terminal
 term_write_unallocated_ttys(syslogd_t)
 # for sending messages to logged in users
 init_read_utmp(syslogd_t)
 init_dontaudit_write_utmp(syslogd_t)
 term_write_all_user_ttys(syslogd_t)
 auth_use_nsswitch(syslogd_t)
 init_use_fds(syslogd_t)
 libs_use_ld_so(syslogd_t)
 libs_use_shared_libs(syslogd_t)
@ -351,8 +434,6 @@ libs_use_shared_libs(syslogd_t)
 # cjp: this doesnt make sense
 logging_send_syslog_msg(syslogd_t)
 sysnet_read_config(syslogd_t)
 miscfiles_read_localization(syslogd_t)
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
@ -382,11 +463,7 @@ optional_policy(`
 ')
 optional_policy(`
-	nis_use_ypbind(syslogd_t)
+	postgresql_stream_connect(syslogd_t)
 ')
 optional_policy(`
 	nscd_socket_use(syslogd_t)
 ')
 optional_policy(`