trunk: Add logging_send_audit_msgs() interface and deprecate send_audit_msgs_pattern().

Chris PeBenito 2007-06-12 18:46:14 +00:00
parent 262def165a
commit d5b81a81ff
13 changed files with 38 additions and 25 deletions


@ -1,3 +1,5 @@
- Add logging_send_audit_msgs() interface and deprecate
send_audit_msgs_pattern().
- Openct updates patch from Dan Walsh.
- Merge restorecon into setfiles.
- Patch to begin separating out hald helper programs from Dan Walsh.


@ -1,5 +1,5 @@
policy_module(aide,1.0.1)
policy_module(aide,1.0.2)
########################################
#
@ -26,8 +26,6 @@ files_type(aide_db_t)
allow aide_t self:capability { dac_override fowner };
send_audit_msgs_pattern(aide_t)
# database actions
manage_files_pattern(aide_t,aide_db_t,aide_db_t)
@ -40,4 +38,6 @@ files_read_all_files(aide_t)
libs_use_ld_so(aide_t)
libs_use_shared_libs(aide_t)
logging_send_audit_msgs(aide_t)
seutil_use_newrole_fds(aide_t)


@ -1,5 +1,5 @@
policy_module(cups,1.6.0)
policy_module(cups,1.6.1)
########################################
#
@ -93,8 +93,6 @@ allow cupsd_t self:appletalk_socket create_socket_perms;
# generic socket here until appletalk socket is available in kernels
allow cupsd_t self:socket create_socket_perms;
send_audit_msgs_pattern(cupsd_t)
allow cupsd_t cupsd_etc_t:{ dir file } setattr;
read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
@ -213,6 +211,7 @@ libs_use_shared_libs(cupsd_t)
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
libs_read_lib_files(cupsd_t)
logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
miscfiles_read_localization(cupsd_t)


@ -78,8 +78,6 @@ template(`dbus_per_role_template',`
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
send_audit_msgs_pattern($1_dbusd_t)
# For connecting to the bus
allow $2 $1_dbusd_t:unix_stream_socket connectto;
type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
@ -140,6 +138,7 @@ template(`dbus_per_role_template',`
libs_use_ld_so($1_dbusd_t)
libs_use_shared_libs($1_dbusd_t)
logging_send_audit_msgs($1_dbusd_t)
logging_send_syslog_msg($1_dbusd_t)
miscfiles_read_localization($1_dbusd_t)


@ -1,5 +1,5 @@
policy_module(dbus,1.5.0)
policy_module(dbus,1.5.1)
gen_require(`
class dbus { send_msg acquire_svc };
@ -40,8 +40,6 @@ allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
# Receive notifications of policy reloads and enforcing status changes.
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
send_audit_msgs_pattern(system_dbusd_t)
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
@ -92,6 +90,7 @@ init_use_script_ptys(system_dbusd_t)
libs_use_ld_so(system_dbusd_t)
libs_use_shared_libs(system_dbusd_t)
logging_send_audit_msgs(system_dbusd_t)
logging_send_syslog_msg(system_dbusd_t)
miscfiles_read_localization(system_dbusd_t)


@ -1,5 +1,5 @@
policy_module(hal,1.6.1)
policy_module(hal,1.6.2)
########################################
#
@ -61,8 +61,6 @@ allow hald_t self:udp_socket create_socket_perms;
# For backwards compatibility with older kernels
allow hald_t self:netlink_socket create_socket_perms;
send_audit_msgs_pattern(hald_t)
manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
# log files for hald
@ -170,6 +168,7 @@ libs_use_shared_libs(hald_t)
libs_exec_ld_so(hald_t)
libs_exec_lib_files(hald_t)
logging_send_audit_msgs(hald_t)
logging_send_syslog_msg(hald_t)
logging_search_logs(hald_t)


@ -1,5 +1,5 @@
policy_module(pegasus,1.3.0)
policy_module(pegasus,1.3.1)
########################################
#
@ -38,8 +38,6 @@ allow pegasus_t self:unix_dgram_socket create_socket_perms;
allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
allow pegasus_t self:tcp_socket create_stream_socket_perms;
send_audit_msgs_pattern(pegasus_t)
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
@ -113,6 +111,8 @@ init_stream_connect_script(pegasus_t)
libs_use_ld_so(pegasus_t)
libs_use_shared_libs(pegasus_t)
logging_send_audit_msgs(pegasus_t)
miscfiles_read_localization(pegasus_t)
sysnet_read_config(pegasus_t)


@ -30,8 +30,6 @@ template(`authlogin_common_auth_domain_template',`
allow $1_chkpwd_t self:capability { audit_control setuid };
allow $1_chkpwd_t self:process getattr;
send_audit_msgs_pattern($1_chkpwd_t)
files_list_etc($1_chkpwd_t)
allow $1_chkpwd_t shadow_t:file { getattr read };
@ -52,6 +50,7 @@ template(`authlogin_common_auth_domain_template',`
libs_use_ld_so($1_chkpwd_t)
libs_use_shared_libs($1_chkpwd_t)
logging_send_audit_msgs($1_chkpwd_t)
logging_send_syslog_msg($1_chkpwd_t)
miscfiles_read_localization($1_chkpwd_t)
@ -322,7 +321,6 @@ interface(`auth_domtrans_chk_passwd',`
# cjp: is this really needed?
allow $1 self:capability audit_control;
send_audit_msgs_pattern($1)
corecmd_search_bin($1)
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
@ -332,6 +330,8 @@ interface(`auth_domtrans_chk_passwd',`
dev_read_rand($1)
dev_read_urand($1)
logging_send_audit_msgs($1)
miscfiles_read_certs($1)
sysnet_dns_name_resolve($1)
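Review bot: The `logging_send_audit_msgs($1)` call in `auth_domtrans_chk_passwd` gives every calling domain `audit_write` and its own audit netlink socket, in addition to the `audit_control` capability that the existing `# cjp: is this really needed?` comment already questions. If the audit records are emitted by the chkpwd helper after the transition, the caller may not need these grants; that cannot be confirmed from the lines shown. I would mark the call so it is not mistaken for part of the domain transition, e.g. `# TODO: confirm callers must send audit messages themselves, not only system_chkpwd_t`. The interface body starts and ends outside these hunks.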


@ -1,5 +1,5 @@
policy_module(authlogin,1.6.1)
policy_module(authlogin,1.6.2)
########################################
#


@ -1,5 +1,5 @@
policy_module(clock,1.3.0)
policy_module(clock,1.3.1)
########################################
#
@ -26,8 +26,6 @@ dontaudit hwclock_t self:capability sys_tty_config;
allow hwclock_t self:process signal_perms;
allow hwclock_t self:fifo_file { getattr read write };
send_audit_msgs_pattern(hwclock_t)
# Allow hwclock to store & retrieve correction factors.
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
@ -60,6 +58,7 @@ files_dontaudit_search_isid_type_dirs(hwclock_t)
libs_use_ld_so(hwclock_t)
libs_use_shared_libs(hwclock_t)
logging_send_audit_msgs(hwclock_t)
logging_send_syslog_msg(hwclock_t)
miscfiles_read_localization(hwclock_t)


@ -22,6 +22,21 @@ interface(`logging_log_file',`
typeattribute $1 logfile;
')
#######################################
## <summary>
## Send audit messages.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_send_audit_msgs',`
allow $1 self:capability audit_write;
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
')
########################################
## <summary>
## Read the audit log.
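Review bot: The summary for `logging_send_audit_msgs` says only "Send audit messages.", but the interface grants the caller the `audit_write` capability plus `create_netlink_socket_perms` and `nlmsg_relay` on its own `netlink_audit_socket`. A capability grant is what someone auditing the policy will look for, so I would state it in the documentation, for example in a `## <desc>` paragraph saying that the domain is allowed the audit_write capability and may create a netlink audit socket to relay messages. It may also be worth checking whether a sender needs the full `create_netlink_socket_perms` set or a narrower one; the rules match those in `send_audit_msgs_pattern`, so this is not a regression introduced here.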


@ -1,5 +1,5 @@
policy_module(logging,1.6.0)
policy_module(logging,1.6.1)
########################################
#


@ -42,6 +42,7 @@ define(`domtrans_pattern',`
# Other process permissions
#
define(`send_audit_msgs_pattern',`
refpolicywarn(`$0($*) has been deprecated, please use logging_send_audit_msgs($1) instead.')
allow $1 self:capability audit_write;
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
')
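Review bot: The two `allow` rules left in `send_audit_msgs_pattern` are now a second copy of the body of `logging_send_audit_msgs`, and nothing at either site says so. If the interface is later tightened, the deprecated macro would keep granting the old permissions to any policy that still calls it. I would add a comment above the rules, e.g. `# keep in sync with logging_send_audit_msgs() until this macro is removed`. The added `refpolicywarn` line itself looks fine.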