Changeset 2788
- Timestamp:
- 08/22/08 10:17:01 (3 months ago)
- Files:
-
- trunk/policy/modules/services/setroubleshoot.te (modified) (2 diffs)
- trunk/policy/modules/system/logging.fc (modified) (5 diffs)
- trunk/policy/modules/system/logging.if (modified) (7 diffs)
- trunk/policy/modules/system/logging.te (modified) (13 diffs)
trunk/policy/modules/services/setroubleshoot.te
r2763 r2788 1 1 2 policy_module(setroubleshoot, 1.7. 0)2 policy_module(setroubleshoot, 1.7.1) 3 3 4 4 ######################################## … … 99 99 100 100 logging_send_syslog_msg(setroubleshootd_t) 101 logging_stream_connect_ auditd(setroubleshootd_t)101 logging_stream_connect_dispatcher(setroubleshootd_t) 102 102 103 103 seutil_read_config(setroubleshootd_t) trunk/policy/modules/system/logging.fc
r2644 r2788 5 5 /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) 6 6 7 /sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) 8 /sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) 7 9 /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) 8 10 /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) … … 21 23 /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) 22 24 25 /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) 23 26 /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) 24 27 … … 29 32 /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) 30 33 /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) 34 /var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) 31 35 32 36 /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) … … 38 42 /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) 39 43 /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) 40 /var/log/syslog-ng(/.*)? --gen_context(system_u:object_r:syslogd_var_run_t,s0)44 /var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) 41 45 42 46 ifndef(`distro_gentoo',` … … 49 53 50 54 /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) 51 /var/run/audispd_events -s gen_context(system_u:object_r:audi td_var_run_t,s0)55 /var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) 52 56 /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) 53 57 /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) trunk/policy/modules/system/logging.if
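Review bot: Dropping the `--` from the `/var/log/syslog-ng(/.*)?` entry while keeping `syslogd_var_run_t` labels the directory and everything created beneath it as a runtime/pid type rather than a log type, so any log files syslog-ng writes there fall outside the `logfile` attribute that the `logging_*_all_logs()` interfaces depend on, and the `/var/log/*_t`-style read interfaces will not reach them. If the directory is intended only for syslog-ng's runtime socket this is deliberate, but it should be stated beside the entry, e.g. `# syslog-ng keeps its control socket under /var/log; not a log file location`. Whether syslog-ng also writes log files there depends on packaging, which this page does not show, so the comment (or a separate `-s` entry for the socket with `var_log_t` for the directory) is worth confirming against the daemon's default configuration.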
r2683 r2788 214 214 # 215 215 interface(`logging_stream_connect_auditd',` 216 gen_require(` 217 type auditd_t, auditd_var_run_t; 216 refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.') 217 logging_stream_connect_dispatcher($1) 218 ') 219 220 ######################################## 221 ## <summary> 222 ## Execute a domain transition to run the audit dispatcher. 223 ## </summary> 224 ## <param name="domain"> 225 ## <summary> 226 ## Domain allowed to transition. 227 ## </summary> 228 ## </param> 229 # 230 interface(`logging_domtrans_dispatcher',` 231 gen_require(` 232 type audisp_t, audisp_exec_t; 233 ') 234 235 domtrans_pattern($1, audisp_exec_t, audisp_t) 236 ') 237 238 ######################################## 239 ## <summary> 240 ## Signal the audit dispatcher. 241 ## </summary> 242 ## <param name="domain"> 243 ## <summary> 244 ## Domain allowed to transition. 245 ## </summary> 246 ## </param> 247 # 248 interface(`logging_signal_dispatcher',` 249 gen_require(` 250 type audisp_t; 251 ') 252 253 allow $1 audisp_t:process signal; 254 ') 255 256 ######################################## 257 ## <summary> 258 ## Create a domain for processes 259 ## which can be started by the system audit dispatcher 260 ## </summary> 261 ## <param name="domain"> 262 ## <summary> 263 ## Type to be used as a domain. 264 ## </summary> 265 ## </param> 266 ## <param name="entry_point"> 267 ## <summary> 268 ## Type of the program to be used as an entry point to this domain. 
269 ## </summary> 270 ## </param> 271 # 272 interface(`logging_dispatcher_domain',` 273 gen_require(` 274 type audisp_t; 275 role system_r; 276 ') 277 278 domain_type($1) 279 domain_entry_file($1, $2) 280 281 role system_r types $1; 282 283 domtrans_pattern(audisp_t, $2, $1) 284 allow $1 audisp_t:process signal; 285 286 allow audisp_t $2:file getattr; 287 allow $1 audisp_t:unix_stream_socket rw_socket_perms; 288 ') 289 290 ######################################## 291 ## <summary> 292 ## Connect to the audit dispatcher over an unix stream socket. 293 ## </summary> 294 ## <param name="domain"> 295 ## <summary> 296 ## Domain allowed access. 297 ## </summary> 298 ## </param> 299 # 300 interface(`logging_stream_connect_dispatcher',` 301 gen_require(` 302 type audisp_t, audisp_var_run_t; 218 303 ') 219 304 220 305 files_search_pids($1) 221 stream_connect_pattern($1, auditd_var_run_t,auditd_var_run_t,auditd_t)306 stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t) 222 307 ') 223 308 … … 531 616 532 617 files_search_var($1) 533 allow $1 var_log_t:dir list_dir_perms; 534 allow $1 logfile:file { getattr append }; 618 append_files_pattern($1, var_log_t, logfile) 535 619 ') 536 620 … … 580 664 ######################################## 581 665 ## <summary> 666 ## read/write to all log files. 667 ## </summary> 668 ## <param name="domain"> 669 ## <summary> 670 ## Domain allowed access. 671 ## </summary> 672 ## </param> 673 # 674 interface(`logging_rw_all_logs',` 675 gen_require(` 676 attribute logfile; 677 ') 678 679 files_search_var($1) 680 rw_files_pattern($1, logfile, logfile) 681 ') 682 683 ######################################## 684 ## <summary> 582 685 ## Create, read, write, and delete all log files. 583 686 ## </summary> … … 642 745 ######################################## 643 746 ## <summary> 747 ## Dontaudit Write generic log files. 748 ## </summary> 749 ## <param name="domain"> 750 ## <summary> 751 ## Domain allowed access. 
752 ## </summary> 753 ## </param> 754 # 755 interface(`logging_dontaudit_write_generic_logs',` 756 gen_require(` 757 type var_log_t; 758 ') 759 760 dontaudit $1 var_log_t:file write; 761 ') 762 763 ######################################## 764 ## <summary> 644 765 ## Read and write generic log files. 645 766 ## </summary> … … 691 812 ## </summary> 692 813 ## </param> 814 ## <param name="role"> 815 ## <summary> 816 ## User role allowed access. 817 ## </summary> 818 ## </param> 819 ## <param name="terminal"> 820 ## <summary> 821 ## User terminal type. 822 ## </summary> 823 ## </param> 693 824 ## <rolecap/> 694 825 # … … 710 841 manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t) 711 842 manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) 843 844 logging_run_auditctl($1, $2, $3) 712 845 ') 713 846 … … 769 902 ## </summary> 770 903 ## </param> 904 ## <param name="role"> 905 ## <summary> 906 ## User role allowed access. 907 ## </summary> 908 ## </param> 909 ## <param name="terminal"> 910 ## <summary> 911 ## User terminal type. 912 ## </summary> 913 ## </param> 771 914 ## <rolecap/> 772 915 # 773 916 interface(`logging_admin',` 774 logging_admin_audit($1 )917 logging_admin_audit($1, $2, $3) 775 918 logging_admin_syslog($1) 776 919 ') trunk/policy/modules/system/logging.te
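Review bot: Replacing the two explicit rules in `logging_append_all_logs()` with `append_files_pattern($1, var_log_t, logfile)` also changes what is granted on the directory: the pattern macro grants search on `var_log_t` rather than the `list_dir_perms` the removed `allow $1 var_log_t:dir list_dir_perms;` granted, so a caller that enumerates /var/log while appending to its logs will start seeing AVC denials. If the narrowing is intended, say so in the interface summary; otherwise keep `allow $1 var_log_t:dir list_dir_perms;` next to the pattern call. Separately, the `<param>` text of the new `logging_signal_dispatcher()` reads `Domain allowed to transition.` although the interface only grants `process signal`; it should read `Domain allowed access.` as in `logging_stream_connect_dispatcher()` below it. Both interface bodies are fully visible in this section.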
r2770 r2788 1 1 2 policy_module(logging, 1.11. 1)2 policy_module(logging, 1.11.2) 3 3 4 4 ######################################## … … 28 28 files_pid_file(auditd_var_run_t) 29 29 30 type audisp_t; 31 type audisp_exec_t; 32 init_system_domain(audisp_t, audisp_exec_t) 33 34 type audisp_var_run_t; 35 files_pid_file(audisp_var_run_t) 36 37 type audisp_remote_t; 38 type audisp_remote_exec_t; 39 logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t) 40 30 41 type devlog_t; 31 42 files_type(devlog_t) … … 63 74 64 75 ifdef(`enable_mls',` 65 init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) 76 init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) 77 init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) 66 78 ') 67 79 … … 151 163 logging_set_audit_parameters(auditd_t) 152 164 logging_send_syslog_msg(auditd_t) 165 logging_domtrans_dispatcher(auditd_t) 166 logging_signal_dispatcher(auditd_t) 153 167 154 168 libs_use_ld_so(auditd_t) … … 161 175 162 176 seutil_dontaudit_read_config(auditd_t) 177 178 sysnet_dns_name_resolve(auditd_t) 163 179 164 180 userdom_dontaudit_use_unpriv_user_fds(auditd_t) … … 173 189 174 190 optional_policy(` 191 mta_send_mail(auditd_t) 192 ') 193 194 optional_policy(` 175 195 seutil_sigchld_newrole(auditd_t) 176 196 ') … … 179 199 udev_read_db(auditd_t) 180 200 ') 201 202 ######################################## 203 # 204 # audit dispatcher local policy 205 # 206 207 allow audisp_t self:capability sys_nice; 208 allow audisp_t self:process setsched; 209 allow audisp_t self:fifo_file rw_file_perms; 210 allow audisp_t self:unix_stream_socket create_stream_socket_perms; 211 allow audisp_t self:unix_dgram_socket create_socket_perms; 212 213 allow audisp_t auditd_t:unix_stream_socket rw_file_perms; 214 215 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) 216 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) 217 218 corecmd_search_bin(audisp_t) 219 220 
domain_use_interactive_fds(audisp_t) 221 222 files_read_etc_files(audisp_t) 223 224 mls_file_write_all_levels(audisp_t) 225 226 libs_use_ld_so(audisp_t) 227 libs_use_shared_libs(audisp_t) 228 229 logging_send_syslog_msg(audisp_t) 230 231 miscfiles_read_localization(audisp_t) 232 233 ######################################## 234 # 235 # Audit remote logger local policy 236 # 237 238 allow audisp_remote_t self:tcp_socket create_socket_perms; 239 240 corenet_all_recvfrom_unlabeled(audisp_remote_t) 241 corenet_all_recvfrom_netlabel(audisp_remote_t) 242 corenet_tcp_sendrecv_all_if(audisp_remote_t) 243 corenet_tcp_sendrecv_all_nodes(audisp_remote_t) 244 245 files_read_etc_files(audisp_remote_t) 246 247 libs_use_ld_so(audisp_remote_t) 248 libs_use_shared_libs(audisp_remote_t) 249 250 logging_send_syslog_msg(audisp_remote_t) 251 252 miscfiles_read_localization(audisp_remote_t) 253 254 sysnet_dns_name_resolve(audisp_remote_t) 181 255 182 256 ######################################## … … 254 328 # setpgid for metalog 255 329 allow syslogd_t self:process { signal_perms setpgid }; 256 allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;257 330 # receive messages to be logged 258 331 allow syslogd_t self:unix_dgram_socket create_socket_perms; … … 291 364 files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) 292 365 366 kernel_read_system_state(syslogd_t) 293 367 kernel_read_kernel_sysctls(syslogd_t) 294 368 kernel_read_proc_symlinks(syslogd_t) … … 297 371 kernel_clear_ring_buffer(syslogd_t) 298 372 kernel_change_ring_buffer_level(syslogd_t) 299 300 dev_filetrans(syslogd_t,devlog_t,sock_file)301 dev_read_sysfs(syslogd_t)302 303 fs_search_auto_mountpoints(syslogd_t)304 305 term_write_console(syslogd_t)306 # Allow syslog to a terminal307 term_write_unallocated_ttys(syslogd_t)308 309 # for sending messages to logged in users310 init_read_utmp(syslogd_t)311 init_dontaudit_write_utmp(syslogd_t)312 term_write_all_user_ttys(syslogd_t)313 373 314 374 
corenet_all_recvfrom_unlabeled(syslogd_t) … … 329 389 corenet_tcp_bind_syslogd_port(syslogd_t) 330 390 corenet_tcp_connect_syslogd_port(syslogd_t) 391 corenet_tcp_connect_postgresql_port(syslogd_t) 392 corenet_tcp_connect_mysqld_port(syslogd_t) 331 393 332 394 # syslog-ng can send or receive logs 333 395 corenet_sendrecv_syslogd_client_packets(syslogd_t) 334 396 corenet_sendrecv_syslogd_server_packets(syslogd_t) 335 336 fs_getattr_all_fs(syslogd_t) 337 338 init_use_fds(syslogd_t) 397 corenet_sendrecv_postgresql_client_packets(syslogd_t) 398 corenet_sendrecv_mysqld_client_packets(syslogd_t) 399 400 dev_filetrans(syslogd_t,devlog_t,sock_file) 401 dev_read_sysfs(syslogd_t) 339 402 340 403 domain_use_interactive_fds(syslogd_t) 341 404 342 405 files_read_etc_files(syslogd_t) 406 files_read_usr_files(syslogd_t) 343 407 files_read_var_files(syslogd_t) 344 408 files_read_etc_runtime_files(syslogd_t) 345 409 # /initrd is not umounted before minilog starts 346 410 files_dontaudit_search_isid_type_dirs(syslogd_t) 411 files_read_kernel_symbol_table(syslogd_t) 412 413 fs_getattr_all_fs(syslogd_t) 414 fs_search_auto_mountpoints(syslogd_t) 415 416 mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories 417 418 term_write_console(syslogd_t) 419 # Allow syslog to a terminal 420 term_write_unallocated_ttys(syslogd_t) 421 422 # for sending messages to logged in users 423 init_read_utmp(syslogd_t) 424 init_dontaudit_write_utmp(syslogd_t) 425 term_write_all_user_ttys(syslogd_t) 426 427 auth_use_nsswitch(syslogd_t) 428 429 init_use_fds(syslogd_t) 347 430 348 431 libs_use_ld_so(syslogd_t) … … 351 434 # cjp: this doesnt make sense 352 435 logging_send_syslog_msg(syslogd_t) 353 354 sysnet_read_config(syslogd_t)355 436 356 437 miscfiles_read_localization(syslogd_t) … … 383 464 384 465 optional_policy(` 385 nis_use_ypbind(syslogd_t) 386 ') 387 388 optional_policy(` 389 nscd_socket_use(syslogd_t) 466 postgresql_stream_connect(syslogd_t) 390 467 ') 
391 468
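Review bot: The new `allow audisp_t auditd_t:unix_stream_socket rw_file_perms;` in the audit dispatcher block applies a file permission set to a socket class; the rest of this changeset uses `rw_socket_perms` for the same object class (`allow $1 audisp_t:unix_stream_socket rw_socket_perms;` in `logging_dispatcher_domain()`), so this line should be `allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;`. Further down, `corenet_tcp_connect_postgresql_port(syslogd_t)`, `corenet_tcp_connect_mysqld_port(syslogd_t)` and the matching `*_client_packets` rules are granted to every syslog daemon unconditionally, although only a syslog-ng SQL destination needs them; placing them behind a tunable would keep plain syslogd or rsyslog from holding database network access it never uses. The `audisp_remote_t` block grants TCP send/receive on all interfaces and nodes but no port connect rule is visible in this hunk, so the remote logger may still be denied its outbound connection unless that rule lives outside this changeset.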
