trunk: 3 patches from dan.
parent
134a799c75
commit
14add30d03
|
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(procmail,1.6.1)
|
||||
policy_module(procmail,1.6.2)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -27,6 +27,8 @@ allow procmail_t self:unix_dgram_socket create_socket_perms;
|
|||
allow procmail_t self:tcp_socket create_stream_socket_perms;
|
||||
allow procmail_t self:udp_socket create_socket_perms;
|
||||
|
||||
can_exec(procmail_t,procmail_exec_t)
|
||||
|
||||
allow procmail_t procmail_tmp_t:file manage_file_perms;
|
||||
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
|
||||
|
||||
|
@ -108,6 +110,9 @@ optional_policy(`
|
|||
# for a bug in the postfix local program
|
||||
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
|
||||
postfix_dontaudit_use_fds(procmail_t)
|
||||
postfix_read_spool_files(procmail_t)
|
||||
postfix_read_local_state(procmail_t)
|
||||
postfix_read_master_state(procmail_t)
|
||||
')
|
||||
|
||||
optional_policy(`
|
||||
|
|
|
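Review bot: The new `can_exec(procmail_t,procmail_exec_t)` line carries no comment saying why procmail has to execute its own binary inside its own domain, while the postfix dontaudit rule further down does explain its reason; a one-liner such as `# procmail re-executes its own binary; no domain transition wanted here — confirm the actual trigger` would keep the rule from being mistaken for a leftover. The two added calls `postfix_read_local_state(procmail_t)` and `postfix_read_master_state(procmail_t)` sit inside the postfix `optional_policy` block, but this commit touches no postfix.if, so they only build if those interfaces already exist in the tree; that should be verified before merging. The `optional_policy` block they sit in starts and ends outside the hunk.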
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(rhgb,1.4.0)
|
||||
policy_module(rhgb,1.4.1)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -106,6 +106,7 @@ sysnet_domtrans_ifconfig(rhgb_t)
|
|||
|
||||
userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
|
||||
userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
|
||||
userdom_dontaudit_search_all_users_home_content(rhgb_t)
|
||||
|
||||
xserver_read_xdm_xserver_tmp_files(rhgb_t)
|
||||
xserver_kill_xdm_xserver(rhgb_t)
|
||||
|
|
|
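Review bot: `userdom_dontaudit_search_all_users_home_content(rhgb_t)` silences search denials across every user's home content without saying what rhgb touches there, and neither of the two existing dontaudit lines above it does either. A short comment, e.g. `# rhgb probes user home content at boot; denials are harmless noise — confirm cause from the AVC that prompted this`, would let a later maintainer judge whether the rule can be dropped. Dontaudit hides rather than grants, so the cost is only lost visibility, but blanket-silencing home-directory searches for a boot splash program is the kind of rule that tends to outlive its cause.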
@ -1,4 +1,3 @@
|
|||
|
||||
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
|
||||
|
||||
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
|
||||
|
@ -7,6 +6,8 @@
|
|||
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
|
||||
/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
|
||||
/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
|
||||
/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
|
||||
|
|
|
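Review bot: Dropping the `/dev/log -s gen_context(system_u:object_r:devlog_t,s0)` entry in the first hunk means `restorecon`/`setfiles` will no longer label an existing /dev/log socket as devlog_t; the label then depends entirely on the `files_pid_filetrans(syslogd_t,devlog_t,sock_file)` transition visible in the logging.te hunk context of this same commit. That is fine when syslogd itself creates the socket, but a /dev/log created by any other domain, or one carried over from an initrd, would keep whatever type it got and log clients would be denied. If the entry was removed because /dev is re-created on every boot, state that in the commit message or in a comment in the .fc file; otherwise keeping the line is harmless. The new `/sbin/rklogd` and `/sbin/rsyslogd` entries follow the existing pattern and look consistent.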
@ -217,6 +217,25 @@ interface(`logging_manage_audit_log',`
|
|||
manage_files_pattern($1,auditd_log_t,auditd_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute klogd in the klog domain.
|
||||
## </summary>
|
||||
## <param name="domain">
|
||||
## <summary>
|
||||
## Domain allowed access.
|
||||
## </summary>
|
||||
## </param>
|
||||
#
|
||||
interface(`logging_domtrans_klog',`
|
||||
gen_require(`
|
||||
type klogd_t, klogd_exec_t;
|
||||
')
|
||||
|
||||
corecmd_search_bin($1)
|
||||
domtrans_pattern($1,klogd_exec_t,klogd_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute syslogd in the syslog domain.
|
||||
|
@ -470,7 +489,7 @@ interface(`logging_read_all_logs',`
|
|||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
read_files_pattern($1,var_log_t,logfile)
|
||||
read_files_pattern($1,logfile, logfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
|
|
|
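Review bot: The rewritten line `read_files_pattern($1,logfile, logfile)` in `logging_read_all_logs` widens the directory side from `var_log_t` alone to every type carrying the `logfile` attribute, which grants search on all typed log directories rather than just /var/log; that is presumably intended so callers can read logs in typed subdirectories, but the interface summary should say so since this is a permission widening for every existing caller. It also breaks the surrounding style, which writes pattern arguments without a space after the comma: `read_files_pattern($1,logfile,logfile)`. `logging_read_all_logs` starts outside the hunk. The new `logging_domtrans_klog` interface is complete within its hunk and matches the shape of the neighbouring domtrans interface.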
@ -1,5 +1,5 @@
|
|||
|
||||
policy_module(logging,1.7.3)
|
||||
policy_module(logging,1.7.4)
|
||||
|
||||
########################################
|
||||
#
|
||||
|
@ -61,10 +61,10 @@ ifdef(`enable_mls',`
|
|||
|
||||
########################################
|
||||
#
|
||||
# Auditd local policy
|
||||
# Auditctl local policy
|
||||
#
|
||||
|
||||
allow auditctl_t self:capability { audit_write audit_control };
|
||||
allow auditctl_t self:capability { fsetid dac_read_search dac_override audit_write audit_control };
|
||||
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
|
||||
|
||||
read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
|
||||
|
@ -72,6 +72,7 @@ allow auditctl_t auditd_etc_t:dir list_dir_perms;
|
|||
|
||||
# Needed for adding watches
|
||||
files_getattr_all_dirs(auditctl_t)
|
||||
files_getattr_all_files(auditctl_t)
|
||||
files_read_etc_files(auditctl_t)
|
||||
|
||||
kernel_read_kernel_sysctls(auditctl_t)
|
||||
|
@ -265,6 +266,8 @@ files_pid_filetrans(syslogd_t,devlog_t,sock_file)
|
|||
|
||||
# create/append log files.
|
||||
manage_files_pattern(syslogd_t,var_log_t,var_log_t)
|
||||
rw_fifo_files_pattern(syslogd_t,var_log_t,var_log_t)
|
||||
|
||||
# Allow access for syslog-ng
|
||||
allow syslogd_t var_log_t:dir { create setattr };
|
||||
|
||||
|
@ -330,6 +333,7 @@ init_use_fds(syslogd_t)
|
|||
domain_use_interactive_fds(syslogd_t)
|
||||
|
||||
files_read_etc_files(syslogd_t)
|
||||
files_read_var_files(syslogd_t)
|
||||
files_read_etc_runtime_files(syslogd_t)
|
||||
# /initrd is not umounted before minilog starts
|
||||
files_dontaudit_search_isid_type_dirs(syslogd_t)
|
||||
|
|
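Review bot: The auditctl_t capability line grows from `{ audit_write audit_control }` to `{ fsetid dac_read_search dac_override audit_write audit_control }` with no comment on which operation needs which capability; `dac_override` is a full discretionary-access bypass, and the only hint nearby is `# Needed for adding watches` on the getattr interfaces below. If adding watches only needs to resolve paths under directories root cannot otherwise traverse, `dac_read_search` alone covers that and `dac_override` (and `fsetid`, which is unusual for a control tool) could be a dontaudit rather than an allow. Suggest at minimum a comment such as `# dac_read_search/dac_override/fsetid: needed for adding watches — confirm which are actually exercised`. The other hunks in this file (the comment fix, the syslog-ng `var_log_t:dir { create setattr }` rule and the isid dontaudit) look fine as written.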