Chris PeBenito
d73cd61952
Module version bump for journald fixes from cgzones.
2016-12-06 19:52:42 -05:00
cgzones
c1fa5e55ab
fix syslogd audits
2016-12-04 23:09:49 +01:00
Chris PeBenito
34055cae87
Bump module versions for release.
2016-10-23 16:58:59 -04:00
Chris PeBenito
71a425fdcd
Systemd units from Russell Coker.
2016-08-06 19:14:18 -04:00
Chris PeBenito
672ea96b45
Module version bump for mlstrustedsocket from qqo.
2016-05-31 09:15:40 -04:00
qqo
aedd5c314d
Adds attribute mlstrustedsocket, along with the interface.
...
Sample AVC:
type=AVC msg=audit(1459979143.990:219): avc: denied { sendto } for pid=1935
comm="charon" path="/dev/log" scontext=system_u:system_r:initrc_t:s0-s3:c0.c31
tcontext=system_u:system_r:syslogd_t:s3:c0.c31 tclass=unix_dgram_socket permissive=0
This was discussed in 2010: http://oss.tresys.com/pipermail/refpolicy/2010-November/003444.html
2016-04-12 19:28:13 +03:00
Chris PeBenito
cc248fc976
Module version bump for syslog and systemd changes from Laurent Bigonville
2016-01-06 09:22:11 -05:00
Laurent Bigonville
b02a5d4b55
Allow syslogd_t to read sysctl_vm_overcommit_t
2015-12-16 19:30:47 +01:00
Chris PeBenito
c23353bcd8
Bump module versions for release.
2015-12-08 09:53:02 -05:00
Chris PeBenito
17694adc7b
Module version bump for systemd additions.
2015-10-23 14:53:14 -04:00
Chris PeBenito
4388def2d9
Add refpolicy core socket-activated services.
2015-10-23 10:17:46 -04:00
Chris PeBenito
f7286189b3
Add systemd units for core refpolicy services.
...
Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.
2015-10-23 10:17:46 -04:00
Chris PeBenito
579849912d
Add supporting rules for domains tightly-coupled with systemd.
2015-10-23 10:17:46 -04:00
Chris PeBenito
0a088aa8ac
Module version bumps for further init_startstop_service() changes from Jason Zaman.
2015-05-27 14:50:45 -04:00
Chris PeBenito
468185f5f7
Bump module versions for release.
2014-12-03 13:37:38 -05:00
Chris PeBenito
47fa454784
/dev/log symlinks are not labeled devlog_t.
...
Drop rule; if /dev/log is a symlink, it should be device_t.
2014-09-12 14:25:01 -04:00
Chris PeBenito
e4cbb09a3d
Module version bumps for systemd/journald patches from Nicolas Iooss.
2014-09-12 11:30:05 -04:00
Nicolas Iooss
0cd1ea9596
Remove redundant Gentoo-specific term_append_unallocated_ttys(syslogd_t)
...
Since commit 0fd9dc55, logging.te contains:
term_write_all_user_ttys(syslogd_t)
As "write" is a superset of "append", this rule is no longer needed:
term_append_unallocated_ttys(syslogd_t)
While at it, add a comment which explains why
term_dontaudit_setattr_unallocated_ttys is needed.
2014-09-12 09:55:58 -04:00
Nicolas Iooss
6a201e405b
Allow journald to access to the state of all processes
...
When a process sends a syslog message to journald, journald records
information such as command, executable, cgroup, etc.:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-server.c?id=v215#n589
This needs domain_read_all_domains_state.
2014-09-12 09:55:13 -04:00
Chris PeBenito
6ced8116bd
Add comment for journald ring buffer reading.
2014-09-12 09:54:11 -04:00
Nicolas Iooss
3a7e30c22d
Allow journald to read the kernel ring buffer and to use /dev/kmsg
...
audit.log shows that journald needs to read the kernel read buffer:
avc: denied { syslog_read } for pid=147 comm="systemd-journal" scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t tclass=system permissive=1
Moreover journald uses RW access to /dev/kmsg, according to its code:
http://cgit.freedesktop.org/systemd/systemd/tree/src/journal/journald-kmsg.c?id=v215#n394
2014-09-12 09:52:18 -04:00
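The two denials quoted in the commit messages above (the mlstrustedsocket one for charon sending to /dev/log, and the journald syslog_read one) are exactly the records that audit2allow turns into allow rules. The following Python is an added example, not code from refpolicy or from either commit author: it parses AVC records of that shape, drafts the naive TE allow rule, and flags records whose source and target carry different MLS ranges, since (as the mlstrustedsocket commit shows by adding an attribute rather than a plain allow rule) such denials may need an MLS-level fix. The sample lines are the page's own AVC records reassembled onto one line each; the function names and the MLS heuristic are this example's assumptions.

```python
"""Parse SELinux AVC denial records and draft the corresponding TE rule.

Added example (not refpolicy code). The two sample records below are the
denials quoted in the commit messages on this page, reassembled onto one
line each; everything else (names, the MLS heuristic) is this example's own.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two AVC records quoted on this page.
SAMPLE_AVCS = [
    'type=AVC msg=audit(1459979143.990:219): avc: denied { sendto } for pid=1935 '
    'comm="charon" path="/dev/log" scontext=system_u:system_r:initrc_t:s0-s3:c0.c31 '
    'tcontext=system_u:system_r:syslogd_t:s3:c0.c31 tclass=unix_dgram_socket permissive=0',
    'avc: denied { syslog_read } for pid=147 comm="systemd-journal" '
    'scontext=system_u:system_r:syslogd_t tcontext=system_u:system_r:kernel_t '
    'tclass=system permissive=1',
]

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*?)"
    r"\s+scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)"
    r"\s+tclass=(?P<tclass>\S+)(?:\s+permissive=(?P<permissive>[01]))?"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Denial:
    perms: Tuple[str, ...]
    scontext: str
    tcontext: str
    tclass: str
    permissive: Optional[bool]  # None when the field is absent from the record
    fields: Dict[str, str] = field(default_factory=dict)  # pid, comm, path, ...


def split_context(ctx: str) -> Tuple[str, str, str, Optional[str]]:
    """user:role:type[:mls-range] -> (user, role, type, range-or-None)."""
    parts = ctx.split(":", 3)
    if len(parts) < 3:
        raise ValueError(f"malformed security context: {ctx!r}")
    return parts[0], parts[1], parts[2], (parts[3] if len(parts) == 4 else None)


def parse_avc(line: str) -> Optional[Denial]:
    """Return a Denial for an AVC 'denied' record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    permissive = m.group("permissive")
    return Denial(
        perms=tuple(m.group("perms").split()),
        scontext=m.group("scontext"),
        tcontext=m.group("tcontext"),
        tclass=m.group("tclass"),
        permissive=None if permissive is None else permissive == "1",
        fields=fields,
    )


def te_rule(d: Denial) -> str:
    """The naive TE allow rule that would silence this denial (what audit2allow prints)."""
    stype = split_context(d.scontext)[2]
    ttype = split_context(d.tcontext)[2]
    perms = d.perms[0] if len(d.perms) == 1 else "{ " + " ".join(d.perms) + " }"
    return f"allow {stype} {ttype}:{d.tclass} {perms};"


def mls_levels_differ(d: Denial) -> bool:
    """True when both contexts carry an MLS range and the ranges are not identical.

    Heuristic only (this example's assumption): such a denial may come from an
    mlsconstrain rather than from a missing TE rule, in which case an allow rule
    alone will not clear it. Confirm with audit2why against the loaded policy.
    """
    srange = split_context(d.scontext)[3]
    trange = split_context(d.tcontext)[3]
    return srange is not None and trange is not None and srange != trange


def analyze(lines: List[str]) -> List[dict]:
    """Parse every AVC line and attach the draft rule plus the MLS flag."""
    out = []
    for line in lines:
        d = parse_avc(line)
        if d is None:
            continue  # not an AVC denial (SYSCALL, CWD, PATH records, ...)
        out.append({
            "comm": d.fields.get("comm", "?"),
            "rule": te_rule(d),
            "mls_levels_differ": mls_levels_differ(d),
            "permissive": d.permissive,
        })
    return out


if __name__ == "__main__":
    for r in analyze(SAMPLE_AVCS):
        note = "  # MLS ranges differ: check audit2why" if r["mls_levels_differ"] else ""
        print(f'{r["comm"]:>16}: {r["rule"]}{note}')
```

Run against a real audit.log, the flagged charon record is the one to treat with care: the source runs at s0-s3 and the socket sits at s3, so the draft rule (already present in policy for initrc_t talking to syslog) is not what is missing, and the permissive=0 field confirms the denial was enforced.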
Chris PeBenito
16bc3a454f
Module version bumps for fc fixes from Nicolas Iooss.
2014-04-21 10:37:44 -04:00
Chris PeBenito
10ff4d0fa3
Bump module versions for release.
2014-03-11 08:16:57 -04:00
Chris PeBenito
d5a562246e
Module version bump for logging fc patch from Laurent Bigonville.
2014-01-31 22:24:08 -05:00
Chris PeBenito
58db129761
Update modules for file_t merge into unlabeled_t.
2014-01-16 11:24:25 -05:00
Chris PeBenito
9d6546a472
Module version bumps for syslog-ng and semodule updates.
2013-11-13 09:27:21 -05:00
Chris PeBenito
9fcc6fe625
Add comments about new capabilities for syslogd_t.
2013-11-13 09:26:38 -05:00
Sven Vermeulen
b00d94fb72
Allow capabilities for syslog-ng
...
The syslog-ng logger has (build-optional) support for capabilities. If
capabilities support is enabled, running it without setcap/getcap
permissions gives the following upon start:
* Starting syslog-ng ...
syslog-ng: Error setting capabilities, capability management disabled;
error='Permission denied' [ ok ]
Granting only setcap (initial AVC seen) does not fully help either:
* Starting syslog-ng ...
Error managing capability set, cap_set_proc returned an error;
With setcap and getcap enabled, syslog-ng starts and functions fine.
See also https://bugs.gentoo.org/show_bug.cgi?id=488718
Reported-by: Vincent Brillault <gentoo@lerya.net>
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-11-13 09:14:34 -05:00
Chris PeBenito
5544324eb6
Module version bump for syslog reading overcommit_memory from Dominick Grift.
2013-09-26 08:54:47 -04:00
Dominick Grift
d66cfb529b
logging: syslog (rs:main Q:Reg) reading sysctl_vm files (overcommit_memory) in Debian
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2013-09-26 08:49:38 -04:00
Chris PeBenito
d174521a64
Bump module versions for release.
2013-04-24 16:14:52 -04:00
Chris PeBenito
fd569471c3
Module version bump for Debian updates from Laurent Bigonville.
2013-01-23 07:23:52 -05:00
Laurent Bigonville
7955d0b246
Add support for rsyslog
...
Allow sys_nice capability, setsched, allow to search in /var/spool and
syslog_t domain to read network state files in /proc
squash! Add support for rsyslog
2013-01-23 07:10:00 -05:00
Chris PeBenito
e1ab3f885b
Module version bump for misc updates from Sven Vermeulen.
2013-01-03 10:32:41 -05:00
Sven Vermeulen
c105a1ccad
Allow syslogger to manage cron log files (v2)
...
Some cron daemons, including vixie-cron, support using the system logger for
handling their logging events. Hence we allow syslogd_t to manage the cron logs,
and put a file transition in place for the system logger when it creates the
cron.log file.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2013-01-03 10:32:41 -05:00
Chris PeBenito
b30c5df388
Module version bump for logging and tcpdump fixes from Sven Vermeulen.
2012-11-27 09:57:13 -05:00
Chris PeBenito
f11752ff60
Module version bump for iptables fc entry from Sven Vermeulen and inn log from Dominick Grift.
2012-11-27 08:53:57 -05:00
Dominick Grift
fe2743038a
System logger creates innd log files with a named file transition
...
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
2012-11-27 08:53:04 -05:00
Chris PeBenito
a2cc003740
Module version bump for minor logging and sysnet changes from Sven Vermeulen.
2012-10-30 13:39:46 -04:00
Chris PeBenito
9294b7d11f
Module version bump for cfengine fc change from Dominick Grift.
2012-10-02 10:10:18 -04:00
Chris PeBenito
140cd7bb6d
Module version bump for various changes from Sven Vermeulen.
2012-09-17 10:00:10 -04:00
Sven Vermeulen
074cfbeb5b
Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
...
If the /var/lib/syslog directory does not exist, then syslog-ng (running in
syslogd_t) will attempt to create the directory.
Allow the syslogd_t domain to create the directory, and use an automatic file
transition towards syslogd_var_lib_t.
Also, the syslog-ng daemon uses a persistence file in
/var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As
/var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write
its files as syslogd_var_lib_t therein.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-09-17 09:31:35 -04:00
Chris PeBenito
3516535aa6
Bump module versions for release.
2012-07-25 14:33:06 -04:00
Chris PeBenito
4f24b1841c
Add optional name for kernel and system filetrans interfaces.
2012-05-10 09:53:45 -04:00
Chris PeBenito
7b6fe9c1a5
Module version bump for syslog-ng and lvm patches from Sven Vermeulen.
2012-05-04 10:49:11 -04:00
Sven Vermeulen
1c5de3ddf5
Allow getsched for syslog-ng
...
Recent syslog-ng implementation uses a threading library that requires the getsched permission.
See also https://bugs.gentoo.org/show_bug.cgi?id=405425
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
2012-05-04 10:40:05 -04:00
Chris PeBenito
aa4dad379b
Module version bump for release.
2011-07-26 08:11:01 -04:00
Chris PeBenito
127d617b31
Pull in some changes from Fedora policy system layer.
2011-04-14 11:36:56 -04:00
Chris PeBenito
79c8dfe162
Module version bump for audisp patch from Guido Trentalancia.
2011-03-16 08:37:04 -04:00
Guido Trentalancia
ff07d7d209
patch to allow the audit dispatcher to read the system state
...
This patch allows the audit dispatcher to read the system
state.
2011-03-16 08:35:53 -04:00
Chris PeBenito
826d014241
Bump module versions for release.
2010-12-13 09:12:22 -05:00
Chris PeBenito
bc5a858a4e
Change /dev/log fc to MLS system high.
...
When the syslog recreates this sock_file on startup, it gets this sensitivity anyway.
This will prevent incorrect relabeling if /dev is relabeled.
2010-11-05 13:13:21 -04:00
Chris PeBenito
bca0cdb86e
Remove duplicate/redundant rules, from Russell Coker.
2010-07-07 08:41:20 -04:00
Chris PeBenito
48f99a81c0
Whitespace change: drop unnecessary blank line at the start of .te files.
2010-06-10 08:16:35 -04:00
Chris PeBenito
29af4c13e7
Bump module versions for release.
2010-05-24 15:32:01 -04:00
Chris PeBenito
78352db924
Module version bump for 8c38fba.
2010-04-24 08:07:51 -04:00
Chris Richards
8c38fba0f0
allow syslog-ng to setrlimit
...
syslog-ng wants to increase the number of permissible open files from 256 to 4096 on unix/linux systems.
Signed-off-by: Chris Richards <gizmo@giz-works.com>
Signed-off-by: Chris PeBenito <pebenito@gentoo.org>
2010-04-24 08:02:23 -04:00
Chris PeBenito
7a8807b627
Logging patch from Dan Walsh.
2010-03-17 14:40:06 -04:00
Chris PeBenito
2f84a77d22
Syslog fixes from Gentoo.
2010-02-17 20:33:53 -05:00
Chris PeBenito
c3c753f786
Remove concept of user from terminal module interfaces dealing with ptynode and ttynode since these attributes are not specific to users.
2010-02-11 14:20:10 -05:00
Chris PeBenito
ed3a1f559a
bump module versions for release.
2009-11-17 10:05:56 -05:00
Chris PeBenito
fef5dcf3af
Remove excessive permissions in logging_send_syslog_msg(). Ticket #14.
2009-08-26 10:05:36 -04:00
Chris PeBenito
9570b28801
module version number bump for release 2.20090730 that was mistakenly omitted.
2009-08-05 10:59:21 -04:00
Chris PeBenito
3f67f722bb
trunk: whitespace fixes
2009-06-26 14:40:13 +00:00
Chris PeBenito
c1262146e0
trunk: Remove node definitions and change node usage to generic nodes.
2009-01-09 19:48:02 +00:00
Chris PeBenito
668b3093ff
trunk: change network interface access from all to generic network interfaces.
2009-01-06 20:24:10 +00:00
Chris PeBenito
17ec8c1f84
trunk: bump module versions for release.
2008-12-10 19:38:10 +00:00
Chris PeBenito
296273a719
trunk: merge UBAC.
2008-11-05 16:10:46 +00:00
Chris PeBenito
2cca6b79b4
trunk: remove redundant shared lib calls.
2008-10-17 17:31:04 +00:00
Chris PeBenito
0b36a2146e
trunk: Enable open permission checks policy capability.
2008-10-16 16:09:20 +00:00
Chris PeBenito
5d4f4b5375
trunk: bump version numbers for release.
2008-10-14 15:46:36 +00:00
Chris PeBenito
06099da657
trunk: 3 patches from dan.
2008-10-09 18:06:24 +00:00
Chris PeBenito
cfafe4a7a8
trunk: logging update from dan.
2008-09-18 13:20:57 +00:00
Chris PeBenito
e40fa634b2
trunk: Logrotate and Bind updates from Vaclav Ovsik.
2008-09-03 14:12:56 +00:00
Chris PeBenito
c11057f7ae
trunk: fedora update cherry picked by david hardeman.
2008-08-22 15:17:01 +00:00
Chris PeBenito
3338f231d5
trunk: Policy size optimization with a non-security file attribute from James Carter.
2008-07-31 14:05:46 +00:00
Chris PeBenito
cfcf5004e5
trunk: bump versions for release.
2008-07-02 14:07:57 +00:00
Chris PeBenito
e9c6cda7da
trunk: Move user roles into individual modules.
2008-04-29 13:58:34 +00:00
Chris PeBenito
0a14f3ae09
trunk: bump module version numbers for release.
2008-04-02 16:04:43 +00:00
Chris PeBenito
2ed4f5aedf
trunk: small fixes for gentoo system.
2008-03-20 14:55:17 +00:00
Chris PeBenito
90c3c561ef
trunk: fc fix and if addition from Stefan Schulze Frielinghaus.
2008-02-25 14:20:56 +00:00
Chris PeBenito
12cf805e1c
trunk: add basic ubuntu support
2008-02-05 18:24:43 +00:00
Chris PeBenito
f7925f25f7
trunk: bump module versions for release.
2007-12-14 14:23:18 +00:00
Chris PeBenito
1abafe3707
trunk: Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik.
2007-12-12 16:18:50 +00:00
Chris PeBenito
02d968c581
trunk: several fc updates from dan.
2007-12-12 15:55:21 +00:00
Chris PeBenito
eaed904cd5
trunk: 3 patches from dan.
2007-11-05 19:35:08 +00:00
Chris PeBenito
ef659a476e
Deprecate some old file and dir permission set macros in favor of the newer, more consistently-named macros.
2007-10-09 17:29:48 +00:00
Chris PeBenito
12e9ea1ae3
trunk: module version bumps for previous commit.
2007-10-02 17:15:07 +00:00
Chris PeBenito
350b6ab767
trunk: merge strict and targeted policies. merge shlib_t into lib_t.
2007-10-02 16:04:50 +00:00
Chris PeBenito
3480f3f239
trunk: bump version numbers for release.
2007-09-28 13:58:24 +00:00
Chris PeBenito
14add30d03
trunk: 3 patches from dan.
2007-09-12 14:53:39 +00:00
Chris PeBenito
0a0b8078ca
trunk: 5 patches from dan.
2007-09-04 18:57:58 +00:00
Chris PeBenito
2af7b42a06
trunk: switch daemons from inheriting from all levels to initrc_t sharing to all levels.
2007-08-22 20:21:52 +00:00
Chris PeBenito
f8233ab7b0
trunk: Deprecate mls_file_write_down() and mls_file_read_up(), replaced with mls_write_all_levels() and mls_read_all_levels(), for consistency.
2007-08-20 18:26:08 +00:00
Chris PeBenito
2d0c9cecaf
trunk: several MLS enhancements.
2007-08-20 15:15:03 +00:00
Chris PeBenito
116c1da330
trunk: update module version numbers for release.
2007-06-29 14:48:13 +00:00
Chris PeBenito
1900668638
trunk: Unified labeled networking policy from Paul Moore.
...
The latest revision of the labeled policy patches which enable both labeled
and unlabeled policy support for NetLabel. This revision takes into account
Chris' feedback from the first version and reduces the number of interface
calls in each domain down to two at present: one for unlabeled access, one for
NetLabel access. The older, transport layer specific interfaces, are still
present for use by third-party modules but are not used in the default policy
modules.
trunk: Use netmsg initial SID for MLS-only Netlabel packets, from Paul Moore.
This patch changes the policy to use the netmsg initial SID as the "base"
SID/context for NetLabel packets which only have MLS security attributes.
Currently we use the unlabeled initial SID which makes it very difficult to
distinguish between actual unlabeled packets and those packets which have MLS
security attributes.
2007-06-27 15:23:21 +00:00
Chris PeBenito
d5b81a81ff
trunk: Add logging_send_audit_msgs() interface and deprecate send_audit_msgs_pattern().
2007-06-12 18:46:14 +00:00
Chris PeBenito
0251df3e39
bump module versions for release
2007-04-17 13:28:09 +00:00
Chris PeBenito
8021cb4f63
Merge sbin_t and ls_exec_t into bin_t.
2007-03-23 23:24:59 +00:00