From a28f6db57649e1d3493fc4e5641c90cade455b41 Mon Sep 17 00:00:00 2001
From: Chris PeBenito
Date: Wed, 20 Jul 2005 13:30:06 +0000
Subject: [PATCH] add in some rules from NSA CVS to make targeted policy work

---
 refpolicy/policy/modules/system/logging.fc | 4 +++-
 refpolicy/policy/modules/system/logging.te | 6 ++++--
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/refpolicy/policy/modules/system/logging.fc b/refpolicy/policy/modules/system/logging.fc
index aee238088..c7d57346a 100644
--- a/refpolicy/policy/modules/system/logging.fc
+++ b/refpolicy/policy/modules/system/logging.fc
@@ -16,7 +16,9 @@ ifdef(`distro_suse', `
 ')
 
 /var/log(/.*)? context_template(system_u:object_r:var_log_t,s0)
-/var/log/audit.log context_template(system_u:object_r:auditd_log_t,s0)
+/var/log/audit.log -- context_template(system_u:object_r:auditd_log_t,s0)
+
+/var/log/audit(/.*)? context_template(system_u:object_r:auditd_log_t,s0)
 
 /var/run/klogd\.pid -- context_template(system_u:object_r:klogd_var_run_t,s0)
 /var/run/log -s context_template(system_u:object_r:devlog_t,s0)
diff --git a/refpolicy/policy/modules/system/logging.te b/refpolicy/policy/modules/system/logging.te
index 269e7e7c2..72b4fe570 100644
--- a/refpolicy/policy/modules/system/logging.te
+++ b/refpolicy/policy/modules/system/logging.te
@@ -9,7 +9,7 @@ policy_module(logging,1.0)
 attribute logfile;
 
 type auditd_log_t;
-logging_log_file(auditd_log_t)
+files_type(auditd_log_t)
 
 type auditd_t;
 type auditd_exec_t;
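Review bot: The rewritten `/var/log/audit.log` entry still leaves the dot unescaped, so as a regex it also matches any single character in that position, while the neighbouring `/var/run/klogd\.pid` entry in the same hunk escapes it; since this pattern is what assigns the auditd_log_t label that decides which domains may touch the audit trail, the path should be matched literally, `+/var/log/audit\.log -- context_template(system_u:object_r:auditd_log_t,s0)`. The new `/var/log/audit(/.*)?` line is fine as written, but it would help a reader to note that it exists for the directory layout used by newer auditd (a comment such as `# auditd may log into a directory rather than a single file`), since otherwise the two consecutive audit entries look redundant.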
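Review bot: Replacing `logging_log_file(auditd_log_t)` with `files_type(auditd_log_t)` takes the audit log out of whatever the logging interface grants — presumably the `logfile` attribute declared two lines above — and nothing in the hunk or the commit message records that this is intended, so a later reader is likely to treat it as a mistake and put the interface call back. Keeping audit logs off the generic log attribute is a real access-control decision (domains that may handle ordinary logs lose reach into the audit trail), so add a one-line rationale above the call, e.g. `# deliberately not logging_log_file(): keep audit logs off the generic logfile attribute`. If the motivation is instead only that the targeted policy does not build with the interface, say so in the comment so the restriction can be revisited.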
@@ -49,10 +49,12 @@ files_type(var_log_t)
 # Auditd local policy
 #
-allow auditd_t self:capability { audit_write audit_control };
+allow auditd_t self:capability { audit_write audit_control sys_nice sys_resource };
 dontaudit auditd_t self:capability sys_tty_config;
+allow auditd_t self:process setsched;
 allow auditd_t self:netlink_audit_socket { bind create getattr nlmsg_read nlmsg_write read write };
+allow auditd_t auditd_log_t:dir rw_dir_perms;
 allow auditd_t auditd_log_t:file create_file_perms;
 allow auditd_t auditd_var_run_t:file create_file_perms;