- Allow audit dispatcher to kill his children
This commit is contained in:
parent
d7927ab643
commit
c37b427de8
@ -30027,18 +30027,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
|
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0)
|
||||||
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.5/policy/modules/system/logging.if
|
diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.5/policy/modules/system/logging.if
|
||||||
--- nsaserefpolicy/policy/modules/system/logging.if 2008-08-25 09:12:31.000000000 -0400
|
--- nsaserefpolicy/policy/modules/system/logging.if 2008-08-25 09:12:31.000000000 -0400
|
||||||
+++ serefpolicy-3.5.5/policy/modules/system/logging.if 2008-08-29 14:20:21.000000000 -0400
|
+++ serefpolicy-3.5.5/policy/modules/system/logging.if 2008-08-29 16:22:26.000000000 -0400
|
||||||
@@ -281,7 +281,9 @@
|
@@ -281,7 +281,7 @@
|
||||||
role system_r types $1;
|
role system_r types $1;
|
||||||
|
|
||||||
domtrans_pattern(audisp_t, $2, $1)
|
domtrans_pattern(audisp_t, $2, $1)
|
||||||
+# Not sure if this is necessary?
|
- allow $1 audisp_t:process signal;
|
||||||
allow $1 audisp_t:process signal;
|
+ allow audisp_t $1:process { sigkill sigstop signull signal }
|
||||||
+ allow audisp_t $1:process signal;
|
|
||||||
|
|
||||||
allow audisp_t $2:file getattr;
|
allow audisp_t $2:file getattr;
|
||||||
allow $1 audisp_t:unix_stream_socket rw_socket_perms;
|
allow $1 audisp_t:unix_stream_socket rw_socket_perms;
|
||||||
@@ -699,6 +701,8 @@
|
@@ -699,6 +699,8 @@
|
||||||
files_search_var($1)
|
files_search_var($1)
|
||||||
manage_files_pattern($1,logfile,logfile)
|
manage_files_pattern($1,logfile,logfile)
|
||||||
read_lnk_files_pattern($1,logfile,logfile)
|
read_lnk_files_pattern($1,logfile,logfile)
|
||||||
@ -30047,7 +30046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -803,6 +807,42 @@
|
@@ -803,6 +805,42 @@
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
## <summary>
|
## <summary>
|
||||||
@ -30090,7 +30089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
## All of the rules required to administrate
|
## All of the rules required to administrate
|
||||||
## the audit environment
|
## the audit environment
|
||||||
## </summary>
|
## </summary>
|
||||||
@@ -827,6 +867,7 @@
|
@@ -827,6 +865,7 @@
|
||||||
gen_require(`
|
gen_require(`
|
||||||
type auditd_t, auditd_etc_t, auditd_log_t;
|
type auditd_t, auditd_etc_t, auditd_log_t;
|
||||||
type auditd_var_run_t;
|
type auditd_var_run_t;
|
||||||
@ -30098,7 +30097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $1 auditd_t:process { ptrace signal_perms };
|
allow $1 auditd_t:process { ptrace signal_perms };
|
||||||
@@ -842,6 +883,13 @@
|
@@ -842,6 +881,13 @@
|
||||||
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
|
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
|
||||||
|
|
||||||
logging_run_auditctl($1, $2, $3)
|
logging_run_auditctl($1, $2, $3)
|
||||||
@ -30112,7 +30111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -862,6 +910,7 @@
|
@@ -862,6 +908,7 @@
|
||||||
type syslogd_tmp_t, syslogd_var_lib_t;
|
type syslogd_tmp_t, syslogd_var_lib_t;
|
||||||
type syslogd_var_run_t, klogd_var_run_t;
|
type syslogd_var_run_t, klogd_var_run_t;
|
||||||
type klogd_tmp_t, var_log_t;
|
type klogd_tmp_t, var_log_t;
|
||||||
@ -30120,7 +30119,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
allow $1 syslogd_t:process { ptrace signal_perms };
|
allow $1 syslogd_t:process { ptrace signal_perms };
|
||||||
@@ -889,6 +938,12 @@
|
@@ -889,6 +936,12 @@
|
||||||
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t)
|
||||||
|
|
||||||
logging_manage_all_logs($1)
|
logging_manage_all_logs($1)
|
||||||
@ -30133,7 +30132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol
|
|||||||
')
|
')
|
||||||
|
|
||||||
########################################
|
########################################
|
||||||
@@ -915,5 +970,5 @@
|
@@ -915,5 +968,5 @@
|
||||||
#
|
#
|
||||||
interface(`logging_admin',`
|
interface(`logging_admin',`
|
||||||
logging_admin_audit($1, $2, $3)
|
logging_admin_audit($1, $2, $3)
|
||||||
|
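Review bot: The new rule `allow audisp_t $1:process { sigkill sigstop signull signal }` in the first logging.if hunk has no terminating semicolon, while every neighbouring rule (`allow audisp_t $2:file getattr;`, `allow $1 audisp_t:unix_stream_socket rw_socket_perms;`) does; unless the page rendering dropped it, the interface will not compile, so the line should read `allow audisp_t $1:process { sigkill sigstop signull signal };`. The same hunk also turns the upstream `allow $1 audisp_t:process signal;` into a removal, so the dispatched plugin domain loses its ability to signal audisp_t; that is the opposite direction from what the commit title describes and, if intended, deserves a mention in the message, since it will surface as AVC denials for plugins that try to signal their parent. The old patch's `# Not sure if this is necessary?` is dropped without a replacement; a short why-comment such as `# audisp_t spawns the plugin domains and must be able to stop or kill them` would explain the broad signal set. The interface that holds these rules (the one containing `domtrans_pattern(audisp_t, $2, $1)`) begins before the hunk.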