trunk: Add logging_send_audit_msgs() interface and deprecate send_audit_msgs_pattern().
parent
262def165a
commit
d5b81a81ff
@ -1,3 +1,5 @@
|
||||
- Add logging_send_audit_msgs() interface and deprecate
|
||||
send_audit_msgs_pattern().
|
||||
- Openct updates patch from Dan Walsh.
|
||||
- Merge restorecon into setfiles.
|
||||
- Patch to begin separating out hald helper programs from Dan Walsh.
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(aide,1.0.1)
|
||||
policy_module(aide,1.0.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -26,8 +26,6 @@ files_type(aide_db_t)
|
||||
|
||||
allow aide_t self:capability { dac_override fowner };
|
||||
|
||||
send_audit_msgs_pattern(aide_t)
|
||||
|
||||
# database actions
|
||||
manage_files_pattern(aide_t,aide_db_t,aide_db_t)
|
||||
|
||||
@ -40,4 +38,6 @@ files_read_all_files(aide_t)
|
||||
libs_use_ld_so(aide_t)
|
||||
libs_use_shared_libs(aide_t)
|
||||
|
||||
logging_send_audit_msgs(aide_t)
|
||||
|
||||
seutil_use_newrole_fds(aide_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(cups,1.6.0)
|
||||
policy_module(cups,1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -93,8 +93,6 @@ allow cupsd_t self:appletalk_socket create_socket_perms;
|
||||
# generic socket here until appletalk socket is available in kernels
|
||||
allow cupsd_t self:socket create_socket_perms;
|
||||
|
||||
send_audit_msgs_pattern(cupsd_t)
|
||||
|
||||
allow cupsd_t cupsd_etc_t:{ dir file } setattr;
|
||||
read_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
|
||||
read_lnk_files_pattern(cupsd_t,cupsd_etc_t,cupsd_etc_t)
|
||||
@ -213,6 +211,7 @@ libs_use_shared_libs(cupsd_t)
|
||||
# Read /usr/lib/gconv/gconv-modules.* and /usr/lib/python2.2/.*
|
||||
libs_read_lib_files(cupsd_t)
|
||||
|
||||
logging_send_audit_msgs(cupsd_t)
|
||||
logging_send_syslog_msg(cupsd_t)
|
||||
|
||||
miscfiles_read_localization(cupsd_t)
|
||||
|
@ -78,8 +78,6 @@ template(`dbus_per_role_template',`
|
||||
allow $1_dbusd_t self:tcp_socket create_stream_socket_perms;
|
||||
allow $1_dbusd_t self:netlink_selinux_socket create_socket_perms;
|
||||
|
||||
send_audit_msgs_pattern($1_dbusd_t)
|
||||
|
||||
# For connecting to the bus
|
||||
allow $2 $1_dbusd_t:unix_stream_socket connectto;
|
||||
type_change $2 $1_dbusd_t:dbus $1_dbusd_$1_t;
|
||||
@ -140,6 +138,7 @@ template(`dbus_per_role_template',`
|
||||
libs_use_ld_so($1_dbusd_t)
|
||||
libs_use_shared_libs($1_dbusd_t)
|
||||
|
||||
logging_send_audit_msgs($1_dbusd_t)
|
||||
logging_send_syslog_msg($1_dbusd_t)
|
||||
|
||||
miscfiles_read_localization($1_dbusd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(dbus,1.5.0)
|
||||
policy_module(dbus,1.5.1)
|
||||
|
||||
gen_require(`
|
||||
class dbus { send_msg acquire_svc };
|
||||
@ -40,8 +40,6 @@ allow system_dbusd_t self:unix_dgram_socket create_socket_perms;
|
||||
# Receive notifications of policy reloads and enforcing status changes.
|
||||
allow system_dbusd_t self:netlink_selinux_socket { create bind read };
|
||||
|
||||
send_audit_msgs_pattern(system_dbusd_t)
|
||||
|
||||
allow system_dbusd_t dbusd_etc_t:dir list_dir_perms;
|
||||
read_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
|
||||
read_lnk_files_pattern(system_dbusd_t,dbusd_etc_t,dbusd_etc_t)
|
||||
@ -92,6 +90,7 @@ init_use_script_ptys(system_dbusd_t)
|
||||
libs_use_ld_so(system_dbusd_t)
|
||||
libs_use_shared_libs(system_dbusd_t)
|
||||
|
||||
logging_send_audit_msgs(system_dbusd_t)
|
||||
logging_send_syslog_msg(system_dbusd_t)
|
||||
|
||||
miscfiles_read_localization(system_dbusd_t)
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(hal,1.6.1)
|
||||
policy_module(hal,1.6.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -61,8 +61,6 @@ allow hald_t self:udp_socket create_socket_perms;
|
||||
# For backwards compatibility with older kernels
|
||||
allow hald_t self:netlink_socket create_socket_perms;
|
||||
|
||||
send_audit_msgs_pattern(hald_t)
|
||||
|
||||
manage_files_pattern(hald_t,hald_cache_t,hald_cache_t)
|
||||
|
||||
# log files for hald
|
||||
@ -170,6 +168,7 @@ libs_use_shared_libs(hald_t)
|
||||
libs_exec_ld_so(hald_t)
|
||||
libs_exec_lib_files(hald_t)
|
||||
|
||||
logging_send_audit_msgs(hald_t)
|
||||
logging_send_syslog_msg(hald_t)
|
||||
logging_search_logs(hald_t)
|
||||
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(pegasus,1.3.0)
|
||||
policy_module(pegasus,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -38,8 +38,6 @@ allow pegasus_t self:unix_dgram_socket create_socket_perms;
|
||||
allow pegasus_t self:unix_stream_socket create_stream_socket_perms;
|
||||
allow pegasus_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
send_audit_msgs_pattern(pegasus_t)
|
||||
|
||||
allow pegasus_t pegasus_conf_t:dir rw_dir_perms;
|
||||
allow pegasus_t pegasus_conf_t:file { read_file_perms link unlink };
|
||||
allow pegasus_t pegasus_conf_t:lnk_file read_lnk_file_perms;
|
||||
@ -113,6 +111,8 @@ init_stream_connect_script(pegasus_t)
|
||||
libs_use_ld_so(pegasus_t)
|
||||
libs_use_shared_libs(pegasus_t)
|
||||
|
||||
logging_send_audit_msgs(pegasus_t)
|
||||
|
||||
miscfiles_read_localization(pegasus_t)
|
||||
|
||||
sysnet_read_config(pegasus_t)
|
||||
|
@ -30,8 +30,6 @@ template(`authlogin_common_auth_domain_template',`
|
||||
allow $1_chkpwd_t self:capability { audit_control setuid };
|
||||
allow $1_chkpwd_t self:process getattr;
|
||||
|
||||
send_audit_msgs_pattern($1_chkpwd_t)
|
||||
|
||||
files_list_etc($1_chkpwd_t)
|
||||
allow $1_chkpwd_t shadow_t:file { getattr read };
|
||||
|
||||
@ -52,6 +50,7 @@ template(`authlogin_common_auth_domain_template',`
|
||||
libs_use_ld_so($1_chkpwd_t)
|
||||
libs_use_shared_libs($1_chkpwd_t)
|
||||
|
||||
logging_send_audit_msgs($1_chkpwd_t)
|
||||
logging_send_syslog_msg($1_chkpwd_t)
|
||||
|
||||
miscfiles_read_localization($1_chkpwd_t)
|
||||
@ -322,7 +321,6 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
|
||||
# cjp: is this really needed?
|
||||
allow $1 self:capability audit_control;
|
||||
send_audit_msgs_pattern($1)
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,chkpwd_exec_t,system_chkpwd_t)
|
||||
@ -332,6 +330,8 @@ interface(`auth_domtrans_chk_passwd',`
|
||||
dev_read_rand($1)
|
||||
dev_read_urand($1)
|
||||
|
||||
logging_send_audit_msgs($1)
|
||||
|
||||
miscfiles_read_certs($1)
|
||||
|
||||
sysnet_dns_name_resolve($1)
|
||||
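Review bot: In the last hunk of this file, `logging_send_audit_msgs($1)` carries forward audit write access for every caller of auth_domtrans_chk_passwd, directly alongside the `allow $1 self:capability audit_control;` line that the existing comment already questions. The same interface transitions the caller to system_chkpwd_t, and the template hunks give the chkpwd domain its own `logging_send_audit_msgs($1_chkpwd_t)`, so the caller-side grant may be wider than needed. Whether callers emit audit records themselves cannot be told from these hunks. If the grant stays, a comment in the file's own style would record the open question, e.g. `# cjp: is audit access needed in the caller, or only in the chkpwd domain?`. The interface body starts and ends outside the hunks shown.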
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(authlogin,1.6.1)
|
||||
policy_module(authlogin,1.6.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(clock,1.3.0)
|
||||
policy_module(clock,1.3.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
@ -26,8 +26,6 @@ dontaudit hwclock_t self:capability sys_tty_config;
|
||||
allow hwclock_t self:process signal_perms;
|
||||
allow hwclock_t self:fifo_file { getattr read write };
|
||||
|
||||
send_audit_msgs_pattern(hwclock_t)
|
||||
|
||||
# Allow hwclock to store & retrieve correction factors.
|
||||
allow hwclock_t adjtime_t:file { rw_file_perms setattr };
|
||||
|
||||
@ -60,6 +58,7 @@ files_dontaudit_search_isid_type_dirs(hwclock_t)
|
||||
libs_use_ld_so(hwclock_t)
|
||||
libs_use_shared_libs(hwclock_t)
|
||||
|
||||
logging_send_audit_msgs(hwclock_t)
|
||||
logging_send_syslog_msg(hwclock_t)
|
||||
|
||||
miscfiles_read_localization(hwclock_t)
|
||||
|
@ -22,6 +22,21 @@ interface(`logging_log_file',`
|
||||
typeattribute $1 logfile;
|
||||
')
|
||||
|
||||
#######################################
|
||||
## <summary>
|
||||
## Send audit messages.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_send_audit_msgs',`
|
||||
allow $1 self:capability audit_write;
|
||||
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Read the audit log.
|
||||
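Review bot: The netlink permission set in the new `logging_send_audit_msgs` looks wider than "send audit messages" needs. `nlmsg_relay` is the permission for relaying user-space records, while `create_netlink_socket_perms` would also cover querying and changing audit configuration if it expands to include `nlmsg_read` and `nlmsg_write`; its definition is not shown here. The two rules are copied unchanged from `send_audit_msgs_pattern`, so this commit widens nothing, but a named interface is the natural place to tighten it, e.g. `allow $1 self:netlink_audit_socket { create_socket_perms nlmsg_relay };`, tested against the converted domains. At minimum the summary could state what is granted: `## Send audit messages (grants audit_write and netlink_audit_socket relay access).`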
|
@ -1,5 +1,5 @@
|
||||
|
||||
policy_module(logging,1.6.0)
|
||||
policy_module(logging,1.6.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -42,6 +42,7 @@ define(`domtrans_pattern',`
|
||||
# Other process permissions
|
||||
#
|
||||
define(`send_audit_msgs_pattern',`
|
||||
refpolicywarn(`$0($*) has been deprecated, please use logging_send_audit_msgs($1) instead.')
|
||||
allow $1 self:capability audit_write;
|
||||
allow $1 self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
|
||||
')
|
||||
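Review bot: The deprecated `send_audit_msgs_pattern` keeps its own copy of the two `allow` rules below the new `refpolicywarn` line, so the rule set now lives in two places. If `logging_send_audit_msgs` is later tightened, remaining users of the old macro would silently keep the broader grant. Consider replacing the two `allow` lines with `logging_send_audit_msgs($1)`; this assumes interface macros are available wherever this support macro is expanded, which should be checked in the build.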
|