trunk: Add logging_send_audit_msgs() interface and deprecate send_audit_msgs_pattern().

Changelog

@@ -1,3 +1,5 @@
+- Add logging_send_audit_msgs() interface and deprecate
+  send_audit_msgs_pattern().
 - Openct updates patch from Dan Walsh.
 - Merge restorecon into setfiles.
 - Patch to begin separating out hald helper programs from Dan Walsh.

policy/modules/services/aide.te

@@ -1,5 +1,5 @@
 
-policy_module(aide,1.0.1)
+policy_module(aide,1.0.2)
 
 ########################################
 #
@@ -26,8 +26,6 @@ files_type(aide_db_t)
 
 allow aide_t self:capability { dac_override fowner };
 
-send_audit_msgs_pattern(aide_t)
-
 # database actions
 manage_files_pattern(aide_t,aide_db_t,aide_db_t)
 
@@ -40,4 +38,6 @@ files_read_all_files(aide_t)
 libs_use_ld_so(aide_t)
 libs_use_shared_libs(aide_t)
 
+logging_send_audit_msgs(aide_t)
+
 seutil_use_newrole_fds(aide_t)

policy/modules/services/cups.te

@@ -1,5 +1,5 @@
 
-policy_module(cups,1.6.0)
+policy_module(cups,1.6.1)
 
 ########################################
 #
@@ -93,8 +93,6 @@ allow cupsd_t self:appletalk_socket create_socket_perms;
 # generic socket here until appletalk socket is available in kernels
 allow cupsd_t self:socket create_socket_perms;
 
-send_audit_msgs_pattern(cupsd_t)
-
 allow cupsd_t cupsd_etc_t:{ dir file } setattr;
 read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
 read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
@@ -213,6 +211,7 @@ libs_use_shared_libs(cupsd_t)
 # Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
 libs_read_lib_files(cupsd_t)
 
+logging_send_audit_msgs(cupsd_t)
 logging_send_syslog_msg(cupsd_t)
 
 miscfiles_read_localization(cupsd_t)

policy/modules/services/dbus.if

@@ -78,8 +78,6 @@ template(`dbus_per_role_template',`
 	allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
 	allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
 
-	send_audit_msgs_pattern($1_dbusd_t)
-
 	# For connecting to the bus
 	allow $2 $1_dbusd_t:unix_stream_socket connectto;
 	type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
@@ -140,6 +138,7 @@ template(`dbus_per_role_template',`
 	libs_use_ld_so($1_dbusd_t)
 	libs_use_shared_libs($1_dbusd_t)
 
+	logging_send_audit_msgs($1_dbusd_t)
 	logging_send_syslog_msg($1_dbusd_t)
 
 	miscfiles_read_localization($1_dbusd_t)

policy/modules/services/dbus.te

@@ -1,5 +1,5 @@
 
-policy_module(dbus,1.5.0)
+policy_module(dbus,1.5.1)
 
 gen_require(`
 	class dbus { send_msg acquire_svc };
@@ -40,8 +40,6 @@ allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
 # Receive notifications of policy reloads and enforcing status changes.
 allow system_dbusd_t self:netlink_selinux_socket { create bind read };
 
-send_audit_msgs_pattern(system_dbusd_t)
-
 allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
 read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
 read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
@@ -92,6 +90,7 @@ init_use_script_ptys(system_dbusd_t)
 libs_use_ld_so(system_dbusd_t)
 libs_use_shared_libs(system_dbusd_t)
 
+logging_send_audit_msgs(system_dbusd_t)
 logging_send_syslog_msg(system_dbusd_t)
 
 miscfiles_read_localization(system_dbusd_t)

policy/modules/services/hal.te

@@ -1,5 +1,5 @@
 
-policy_module(hal,1.6.1)
+policy_module(hal,1.6.2)
 
 ########################################
 #
@@ -61,8 +61,6 @@ allow hald_t self:udp_socket create_socket_perms;
 # For backwards compatibility with older kernels
 allow hald_t self:netlink_socket create_socket_perms;
 
-send_audit_msgs_pattern(hald_t)
-
 manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
 
 # log files for hald
@@ -170,6 +168,7 @@ libs_use_shared_libs(hald_t)
 libs_exec_ld_so(hald_t)
 libs_exec_lib_files(hald_t)
 
+logging_send_audit_msgs(hald_t)
 logging_send_syslog_msg(hald_t)
 logging_search_logs(hald_t)
 

policy/modules/services/pegasus.te

@@ -1,5 +1,5 @@
 
-policy_module(pegasus,1.3.0)
+policy_module(pegasus,1.3.1)
 
 ########################################
 #
@@ -38,8 +38,6 @@ allow pegasus_t self:unix_dgram_socket create_socket_perms;
 allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
 allow pegasus_t self:tcp_socket create_stream_socket_perms;
 
-send_audit_msgs_pattern(pegasus_t)
-
 allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
 allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
 allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
@@ -113,6 +111,8 @@ init_stream_connect_script(pegasus_t)
 libs_use_ld_so(pegasus_t)
 libs_use_shared_libs(pegasus_t)
 
+logging_send_audit_msgs(pegasus_t)
+
 miscfiles_read_localization(pegasus_t)
 
 sysnet_read_config(pegasus_t)

policy/modules/system/authlogin.if

@@ -30,8 +30,6 @@ template(`authlogin_common_auth_domain_template',`
 	allow $1_chkpwd_t self:capability { audit_control setuid };
 	allow $1_chkpwd_t self:process getattr;
 
-	send_audit_msgs_pattern($1_chkpwd_t)
-
 	files_list_etc($1_chkpwd_t)
 	allow $1_chkpwd_t shadow_t:file { getattr read };
 
@@ -52,6 +50,7 @@ template(`authlogin_common_auth_domain_template',`
 	libs_use_ld_so($1_chkpwd_t)
 	libs_use_shared_libs($1_chkpwd_t)
 
+	logging_send_audit_msgs($1_chkpwd_t)
 	logging_send_syslog_msg($1_chkpwd_t)
 
 	miscfiles_read_localization($1_chkpwd_t)
@@ -322,7 +321,6 @@ interface(`auth_domtrans_chk_passwd',`
 
 	# cjp: is this really needed?
 	allow $1 self:capability audit_control;
-	send_audit_msgs_pattern($1)
 
 	corecmd_search_bin($1)
 	domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
@@ -332,6 +330,8 @@ interface(`auth_domtrans_chk_passwd',`
 	dev_read_rand($1)
 	dev_read_urand($1)
 
+	logging_send_audit_msgs($1)
+
 	miscfiles_read_certs($1)
 
 	sysnet_dns_name_resolve($1)

policy/modules/system/authlogin.te

@@ -1,5 +1,5 @@
 
-policy_module(authlogin,1.6.1)
+policy_module(authlogin,1.6.2)
 
 ########################################
 #

policy/modules/system/clock.te

@@ -1,5 +1,5 @@
 
-policy_module(clock,1.3.0)
+policy_module(clock,1.3.1)
 
 ########################################
 #
@@ -26,8 +26,6 @@ dontaudit hwclock_t self:capability sys_tty_config;
 allow hwclock_t self:process signal_perms;
 allow hwclock_t self:fifo_file { getattr read write };
 
-send_audit_msgs_pattern(hwclock_t)
-
 # Allow hwclock to store & retrieve correction factors.
 allow hwclock_t adjtime_t:file { rw_file_perms setattr };
 
@@ -60,6 +58,7 @@ files_dontaudit_search_isid_type_dirs(hwclock_t)
 libs_use_ld_so(hwclock_t)
 libs_use_shared_libs(hwclock_t)
 
+logging_send_audit_msgs(hwclock_t)
 logging_send_syslog_msg(hwclock_t)
 
 miscfiles_read_localization(hwclock_t)

policy/modules/system/logging.if

@@ -22,6 +22,21 @@ interface(`logging_log_file',`
 	typeattribute $1 logfile;
 ')
 
+#######################################
+## <summary>
+##	Send audit messages.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_send_audit_msgs',`
+	allow $1 self:capability audit_write;
+	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+')
+
 ########################################
 ## <summary>
 ##	Read the audit log.

policy/modules/system/logging.te

@@ -1,5 +1,5 @@
 
-policy_module(logging,1.6.0)
+policy_module(logging,1.6.1)
 
 ########################################
 #

policy/support/misc_patterns.spt

@@ -42,6 +42,7 @@ define(`domtrans_pattern',`
 # Other process permissions
 #
 define(`send_audit_msgs_pattern',`
+	refpolicywarn(`$0($*) has been deprecated, please use logging_send_audit_msgs($1) instead.')
 	allow $1 self:capability audit_write;
 	allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
 ')