trunk: 3 patches from dan.

This commit is contained in:
Chris PeBenito 2007-09-12 14:53:39 +00:00
parent 134a799c75
commit 14add30d03
5 changed files with 37 additions and 7 deletions

View File

@ -1,5 +1,5 @@
policy_module(procmail,1.6.1)
policy_module(procmail,1.6.2)
########################################
#
@ -27,6 +27,8 @@ allow procmail_t self:unix_dgram_socket create_socket_perms;
allow procmail_t self:tcp_socket create_stream_socket_perms;
allow procmail_t self:udp_socket create_socket_perms;
can_exec(procmail_t,procmail_exec_t)
allow procmail_t procmail_tmp_t:file manage_file_perms;
files_tmp_filetrans(procmail_t, procmail_tmp_t, file)
@ -108,6 +110,9 @@ optional_policy(`
# for a bug in the postfix local program
postfix_dontaudit_rw_local_tcp_sockets(procmail_t)
postfix_dontaudit_use_fds(procmail_t)
postfix_read_spool_files(procmail_t)
postfix_read_local_state(procmail_t)
postfix_read_master_state(procmail_t)
')
optional_policy(`

View File

@ -1,5 +1,5 @@
policy_module(rhgb,1.4.0)
policy_module(rhgb,1.4.1)
########################################
#
@ -106,6 +106,7 @@ sysnet_domtrans_ifconfig(rhgb_t)
userdom_dontaudit_use_unpriv_user_fds(rhgb_t)
userdom_dontaudit_search_sysadm_home_dirs(rhgb_t)
userdom_dontaudit_search_all_users_home_content(rhgb_t)
xserver_read_xdm_xserver_tmp_files(rhgb_t)
xserver_kill_xdm_xserver(rhgb_t)

View File

@ -1,4 +1,3 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
@ -7,6 +6,8 @@
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/sbin/minilogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/rklogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
/sbin/rsyslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)

View File

@ -217,6 +217,25 @@ interface(`logging_manage_audit_log',`
manage_files_pattern($1,auditd_log_t,auditd_log_t)
')
########################################
## <summary>
## Execute klogd in the klog domain.
## </summary>
## <param name="domain">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`logging_domtrans_klog',`
gen_require(`
type klogd_t, klogd_exec_t;
')
corecmd_search_bin($1)
domtrans_pattern($1,klogd_exec_t,klogd_t)
')
########################################
## <summary>
## Execute syslogd in the syslog domain.
@ -470,7 +489,7 @@ interface(`logging_read_all_logs',`
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
read_files_pattern($1,var_log_t,logfile)
read_files_pattern($1,logfile, logfile)
')
########################################

View File

@ -1,5 +1,5 @@
policy_module(logging,1.7.3)
policy_module(logging,1.7.4)
########################################
#
@ -61,10 +61,10 @@ ifdef(`enable_mls',`
########################################
#
# Auditd local policy
# Auditctl local policy
#
allow auditctl_t self:capability { audit_write audit_control };
allow auditctl_t self:capability { fsetid dac_read_search dac_override audit_write audit_control };
allow auditctl_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay nlmsg_readpriv };
read_files_pattern(auditctl_t,auditd_etc_t,auditd_etc_t)
@ -72,6 +72,7 @@ allow auditctl_t auditd_etc_t:dir list_dir_perms;
# Needed for adding watches
files_getattr_all_dirs(auditctl_t)
files_getattr_all_files(auditctl_t)
files_read_etc_files(auditctl_t)
kernel_read_kernel_sysctls(auditctl_t)
@ -265,6 +266,8 @@ files_pid_filetrans(syslogd_t,devlog_t,sock_file)
# create/append log files.
manage_files_pattern(syslogd_t,var_log_t,var_log_t)
rw_fifo_files_pattern(syslogd_t,var_log_t,var_log_t)
# Allow access for syslog-ng
allow syslogd_t var_log_t:dir { create setattr };
@ -330,6 +333,7 @@ init_use_fds(syslogd_t)
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
files_read_var_files(syslogd_t)
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)