commit: 79122e4440ac3616cef3283767c88232f9f6f265 |
Author: Chris PeBenito <pebenito <AT> ieee <DOT> org> |
AuthorDate: Wed Apr 19 01:06:48 2017 +0000 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
CommitDate: Sun Apr 30 09:12:52 2017 +0000 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=79122e44 |
|
logging patches from Russell Coker |
|
Patches for logrotate, webalizer, sysstat, and logwatch. |
|
policy/modules/contrib/logrotate.te | 6 +++++- |
policy/modules/contrib/logwatch.te | 7 ++++++- |
policy/modules/contrib/sysstat.te | 9 ++++++--- |
policy/modules/contrib/webalizer.te | 8 +++++++- |
4 files changed, 24 insertions(+), 6 deletions(-) |
|
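diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index ec338fb6..1c63e097 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.2)
+policy_module(logrotate, 1.18.3)
 
 ########################################
 #
@@ -89,6 +89,7 @@ files_dontaudit_list_mnt(logrotate_t)
 fs_search_auto_mountpoints(logrotate_t)
 fs_getattr_xattr_fs(logrotate_t)
 fs_list_inotifyfs(logrotate_t)
+fs_getattr_tmpfs(logrotate_t)
 
 mls_file_read_all_levels(logrotate_t)
 mls_file_write_all_levels(logrotate_t)
@@ -102,8 +103,10 @@ auth_manage_login_records(logrotate_t)
 auth_use_nsswitch(logrotate_t)
 
 init_all_labeled_script_domtrans(logrotate_t)
+init_startstop_all_script_services(logrotate_t)
 init_get_generic_units_status(logrotate_t)
 init_get_all_units_status(logrotate_t)
+init_get_system_status(logrotate_t)
 init_dbus_chat(logrotate_t)
 init_stream_connect(logrotate_t)
 init_manage_all_units(logrotate_t)
@@ -218,6 +221,7 @@ optional_policy(`
 optional_policy(`
 mysql_read_config(logrotate_t)
 mysql_stream_connect(logrotate_t)
+ mysql_signal(logrotate_t)
 ')
 
 optional_policy(`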
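Review bot: `init_startstop_all_script_services(logrotate_t)` in the third hunk lets logrotate start and stop every labeled init-script service, on top of the `init_all_labeled_script_domtrans` and `init_manage_all_units` it already holds in the same block, and nothing in the hunk records which postrotate action needs that width. I would put a one-line comment above it naming the triggering case, e.g. `# postrotate scripts restart/reload services (TODO: which service needs start/stop rather than a domtrans?)`, so a later review can tell whether a narrower interface would do. The same applies to `mysql_signal(logrotate_t)` in the last hunk, presumably for a postrotate reload of mysqld; that optional_policy block is fully visible, but the final `optional_policy(` context line opens a block that continues outside the hunk.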
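diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 24f1c17b..d2b54207 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.14.0)
+policy_module(logwatch, 1.14.1)
 
 #################################
 #
@@ -160,6 +160,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+ raid_domtrans_mdadm(logwatch_t)
+')
+
+optional_policy(`
 rpc_search_nfs_state_data(logwatch_t)
 ')
 
@@ -189,4 +193,5 @@ logging_read_all_logs(logwatch_mail_t)
 
 optional_policy(`
 cron_use_system_job_fds(logwatch_mail_t)
+ cron_rw_system_job_pipes(logwatch_mail_t)
 ')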
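Review bot: `raid_domtrans_mdadm(logwatch_t)` in the second hunk turns a log-reading domain into an entry point for the mdadm domain, which is a different kind of grant from the read/search additions elsewhere in this commit, and it carries no comment saying why. I would add `# logwatch's RAID report runs mdadm, which must execute in its own domain` above it (hedged: the page does not show which logwatch service script invokes mdadm). The `')` that opens this hunk closes an optional_policy block that begins outside the hunk.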
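diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index ac249ac0..deca783e 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.9.0)
+policy_module(sysstat, 1.9.1)
 
 ########################################
 #
@@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
 allow sysstat_t self:fifo_file rw_fifo_file_perms;
 
 manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
 logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
@@ -39,12 +38,15 @@ kernel_read_fs_sysctls(sysstat_t)
 kernel_read_rpc_sysctls(sysstat_t)
 
 corecmd_exec_bin(sysstat_t)
+corecmd_exec_shell(sysstat_t)
 
 dev_read_sysfs(sysstat_t)
+dev_getattr_sysfs(sysstat_t)
 dev_read_urand(sysstat_t)
 
 files_search_var(sysstat_t)
 files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)
 
 fs_getattr_xattr_fs(sysstat_t)
 fs_list_inotifyfs(sysstat_t)
@@ -66,6 +68,7 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
 
 optional_policy(`
 cron_system_entry(sysstat_t, sysstat_exec_t)
+ cron_rw_tmp_files(sysstat_t)
 ')
 
 ifdef(`distro_gentoo',`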
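diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 06f9d332..9ea1bdad 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.14.0)
+policy_module(webalizer, 1.14.1)
 
 ########################################
 #
@@ -16,6 +16,9 @@ role webalizer_roles types webalizer_t;
 type webalizer_etc_t;
 files_config_file(webalizer_etc_t)
 
+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
 type webalizer_tmp_t;
 files_tmp_file(webalizer_tmp_t)
 
@@ -37,6 +40,9 @@ allow webalizer_t self:tcp_socket { accept listen };
 
 allow webalizer_t webalizer_etc_t:file read_file_perms;
 
+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
 manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })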
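Review bot: The new `webalizer_log_t` type gets manage rules in the second hunk but nothing labels anything with it: there is no file transition, and the diffstat shows only the four .te files changed, so no `webalizer.fc` entry arrives with this commit. Unless the label is applied elsewhere, webalizer will keep creating its log files as whatever the parent directory's type yields and the new type stays unused. The sysstat change in this same commit shows the usual pairing; I would add `logging_log_filetrans(webalizer_t, webalizer_log_t, { file dir })` after the two new manage lines and a matching file-context entry for webalizer's log directory in webalizer.fc.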