diff --git a/Changelog b/Changelog index a892416ce..df6aad65f 100644 --- a/Changelog +++ b/Changelog @@ -1,3 +1,4 @@ +- Patch for debian logrotate to handle syslogd-listfiles, from Vaclav Ovsik. - Improve several tunables descriptions from Dan Walsh. - Patch to clean up ns switch usage in the policy from Dan Walsh. - More complete labeled networking infrastructure from KaiGai Kohei. diff --git a/policy/modules/admin/logrotate.te b/policy/modules/admin/logrotate.te index 271e1a3bf..31999fed1 100644 --- a/policy/modules/admin/logrotate.te +++ b/policy/modules/admin/logrotate.te @@ -1,5 +1,5 @@ -policy_module(logrotate,1.6.0) +policy_module(logrotate,1.6.1) ######################################## # @@ -127,6 +127,9 @@ ifdef(`distro_debian', ` allow logrotate_t logrotate_tmp_t:file { relabelfrom relabelto }; # for savelog can_exec(logrotate_t, logrotate_exec_t) + + # for syslogd-listfiles + logging_read_syslog_config(logrotate_t) ') optional_policy(` diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 4b702fbb0..e566ab1fd 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -398,6 +398,25 @@ interface(`logging_dontaudit_search_audit_config',` dontaudit $1 auditd_etc_t:dir search_dir_perms; ') +######################################## +## +## Read syslog configuration files. +## +## +## +## Domain allowed access. +## +## +## +# +interface(`logging_read_syslog_config',` + gen_require(` + type syslog_conf_t; + ') + + allow $1 syslog_conf_t:file read_file_perms; +') + ######################################## ## ## Allows the domain to open a file in the diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 8f7bc86cb..f6619dc30 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging,1.8.3) +policy_module(logging,1.8.4) ######################################## #
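Review bot: The comment `# for syslogd-listfiles` in the second logrotate.te hunk names the tool but not why logrotate_t needs read access to the syslog configuration, which makes the rule harder to audit later. A comment such as `# syslogd-listfiles reads the syslog configuration to find the log files to rotate` would record the reason; that is my reading of the tool's purpose and should be confirmed. The enclosing `distro_debian` block opens above this hunk and appears only in the hunk header.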
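Review bot: The new `logging_read_syslog_config` interface in logging.if allows only `syslog_conf_t:file read_file_perms` and grants no search permission on the directory that holds the file, so a caller that cannot already traverse to it would still be denied. If syslog_conf_t is labelled under /etc, which the name suggests but the diff does not show, adding `files_search_etc($1)` before the allow rule would make the interface self-contained. logrotate_t may already have that access from rules outside these hunks, so this matters mainly for later callers.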