1 |
commit: 58da6a68ade7d4c28dfbc679d901af98573cf441 |
2 |
Author: Jason Zaman <jason <AT> perfinion <DOT> com> |
3 |
AuthorDate: Sun Sep 10 13:32:17 2017 +0000 |
4 |
Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> |
5 |
CommitDate: Sun Sep 10 13:32:17 2017 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=58da6a68 |
7 |
|
8 |
logging: audit map config files and fcontext for /etc/audisp |
9 |
|
10 |
policy/modules/system/logging.fc | 1 + |
11 |
policy/modules/system/logging.te | 5 +++++ |
12 |
2 files changed, 6 insertions(+) |
13 |
|
14 |
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc |
15 |
index 9174f94b..55bb640b 100644 |
16 |
--- a/policy/modules/system/logging.fc |
17 |
+++ b/policy/modules/system/logging.fc |
18 |
@@ -3,6 +3,7 @@ |
19 |
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) |
20 |
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) |
21 |
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) |
22 |
+/etc/audisp(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) |
23 |
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) |
24 |
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) |
25 |
|
26 |
|
27 |
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te |
28 |
index 6d09c8bd..de255723 100644 |
29 |
--- a/policy/modules/system/logging.te |
30 |
+++ b/policy/modules/system/logging.te |
31 |
@@ -105,6 +105,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv; |
32 |
|
33 |
read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t) |
34 |
allow auditctl_t auditd_etc_t:dir list_dir_perms; |
35 |
+allow auditctl_t auditd_etc_t:file map; |
36 |
|
37 |
# Needed for adding watches |
38 |
files_getattr_all_dirs(auditctl_t) |
39 |
@@ -245,6 +246,10 @@ allow audisp_t self:unix_dgram_socket create_socket_perms; |
40 |
|
41 |
allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; |
42 |
|
43 |
+read_files_pattern(audisp_t, auditd_etc_t, auditd_etc_t) |
44 |
+allow audisp_t auditd_etc_t:dir list_dir_perms; |
45 |
+allow audisp_t auditd_etc_t:file map; |
46 |
+ |
47 |
manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) |
48 |
files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) |