Merge pull request #652 from gtrentalancia/syslog_fixes_pr

Increase general syslog daemon policy security by making network permissions tunable
This commit is contained in:
Chris PeBenito 2023-09-11 09:56:36 -04:00 committed by GitHub
commit d1b1076666
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -5,6 +5,14 @@ policy_module(logging)
# Declarations
#
## <desc>
## <p>
## Allows syslogd internet domain sockets
## functionality (dangerous).
## </p>
## </desc>
gen_tunable(logging_syslog_can_network, false)
attribute logfile;
type auditctl_t;
@ -386,8 +394,7 @@ optional_policy(`
# chown fsetid for syslog-ng
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
allow syslogd_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
dontaudit syslogd_t self:capability { sys_ptrace };
dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
# setpgid for metalog
@ -457,29 +464,6 @@ kernel_read_ring_buffer(syslogd_t)
# /initrd is not umounted before minilog starts
kernel_dontaudit_search_unlabeled(syslogd_t)
corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_generic_if(syslogd_t)
corenet_udp_sendrecv_generic_node(syslogd_t)
corenet_udp_bind_generic_node(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
corenet_tcp_bind_generic_node(syslogd_t)
corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
dev_filetrans(syslogd_t, devlog_t, sock_file)
dev_read_sysfs(syslogd_t)
dev_read_urand(syslogd_t)
@ -597,6 +581,33 @@ ifdef(`distro_ubuntu',`
')
')
tunable_policy(`logging_syslog_can_network',`
allow syslogd_t self:capability { net_admin };
corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_generic_if(syslogd_t)
corenet_udp_sendrecv_generic_node(syslogd_t)
corenet_udp_bind_generic_node(syslogd_t)
corenet_udp_bind_syslogd_port(syslogd_t)
# syslog-ng can listen and connect on tcp port 514 (rsh)
corenet_tcp_sendrecv_generic_if(syslogd_t)
corenet_tcp_sendrecv_generic_node(syslogd_t)
corenet_tcp_bind_generic_node(syslogd_t)
corenet_tcp_bind_rsh_port(syslogd_t)
corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
corenet_tcp_connect_postgresql_port(syslogd_t)
corenet_tcp_connect_mysqld_port(syslogd_t)
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
corenet_sendrecv_postgresql_client_packets(syslogd_t)
corenet_sendrecv_mysqld_client_packets(syslogd_t)
')
optional_policy(`
bind_search_cache(syslogd_t)
')