From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) by finch.gentoo.org (Postfix) with ESMTP id 61064138010 for ; Wed, 10 Oct 2012 19:52:37 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id D2264E0512; Wed, 10 Oct 2012 19:50:24 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) by pigeon.gentoo.org (Postfix) with ESMTP id 284D0E0511 for ; Wed, 10 Oct 2012 19:50:13 +0000 (UTC) Received: from hornbill.gentoo.org (hornbill.gentoo.org [94.100.119.163]) (using TLSv1 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 715B133D7F7 for ; Wed, 10 Oct 2012 19:50:13 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by hornbill.gentoo.org (Postfix) with ESMTP id 73CA4E5455 for ; Wed, 10 Oct 2012 19:50:11 +0000 (UTC) 
From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1349898475.973fe18b992ce1cf564567d4b2939dd9a655f4d6.SwifT@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/logwatch.fc policy/modules/contrib/logwatch.if policy/modules/contrib/logwatch.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: SwifT X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: 973fe18b992ce1cf564567d4b2939dd9a655f4d6 X-VCS-Branch: master Date: Wed, 10 Oct 2012 19:50:11 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 27bb42fe-a1f6-4178-b1d2-772940b4d3a5 X-Archives-Hash: 41dfdb9aef590aa1bc49803883cbb3a9 commit: 973fe18b992ce1cf564567d4b2939dd9a655f4d6 Author: Dominick Grift gmail com> AuthorDate: Wed Oct 10 12:39:53 2012 +0000 Commit: Sven Vermeulen siphos be> CommitDate: Wed Oct 10 19:47:55 2012 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=973fe18b Changes to the logwatch policy module Ported from Fedora with changes Signed-off-by: Dominick Grift gmail.com> --- policy/modules/contrib/logwatch.fc | 8 ++++- policy/modules/contrib/logwatch.if | 5 ++- policy/modules/contrib/logwatch.te | 65 ++++++++++++++++++++++------------- 3 files changed, 51 insertions(+), 27 deletions(-) diff --git a/policy/modules/contrib/logwatch.fc b/policy/modules/contrib/logwatch.fc index 5b8a1aa..ce24225 100644 --- a/policy/modules/contrib/logwatch.fc +++ b/policy/modules/contrib/logwatch.fc 
@@ -1,7 +1,13 @@ /usr/sbin/logcheck -- gen_context(system_u:object_r:logwatch_exec_t,s0) +/usr/sbin/epylog -- gen_context(system_u:object_r:logwatch_exec_t,s0) /usr/share/logwatch/scripts/logwatch\.pl -- gen_context(system_u:object_r:logwatch_exec_t, s0) /var/cache/logwatch(/.*)? gen_context(system_u:object_r:logwatch_cache_t, s0) + /var/lib/logcheck(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) -/var/log/logcheck/.+ -- gen_context(system_u:object_r:logwatch_lock_t,s0) +/var/lib/epylog(/.*)? gen_context(system_u:object_r:logwatch_cache_t,s0) + +/var/lock/logcheck.* gen_context(system_u:object_r:logwatch_lock_t,s0) + +/var/run/epylog\.pid -- gen_context(system_u:object_r:logwatch_var_run_t,s0) diff --git a/policy/modules/contrib/logwatch.if b/policy/modules/contrib/logwatch.if index d878e75..06c3d36 100644 --- a/policy/modules/contrib/logwatch.if +++ b/policy/modules/contrib/logwatch.if @@ -1,4 +1,4 @@ -## System log analyzer and reporter +## System log analyzer and reporter. ######################################## ## @@ -21,7 +21,7 @@ interface(`logwatch_read_tmp_files',` ######################################## ## -## Search logwatch cache directory. +## Search logwatch cache directories. ## ## ## @@ -34,5 +34,6 @@ interface(`logwatch_search_cache_dir',` type logwatch_cache_t; ') + files_search_var($1) allow $1 logwatch_cache_t:dir search_dir_perms; ') diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te index 75ce30f..1848cb9 100644 --- a/policy/modules/contrib/logwatch.te +++ b/policy/modules/contrib/logwatch.te @@ -1,4 +1,4 @@ -policy_module(logwatch, 1.11.0) +policy_module(logwatch, 1.11.1) ################################# # @@ -7,8 +7,7 @@ policy_module(logwatch, 1.11.0) type logwatch_t; type logwatch_exec_t; -application_domain(logwatch_t, logwatch_exec_t) -role system_r types logwatch_t; +init_system_domain(logwatch_t, logwatch_exec_t) type logwatch_cache_t; files_type(logwatch_cache_t) 
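Review bot: The `logwatch_search_cache_dir` hunk in logwatch.if adds `files_search_var($1)`, but the logwatch.fc hunk of this same commit also labels `/var/lib/logcheck` and `/var/lib/epylog` as logwatch_cache_t, and a caller cannot reach those paths with search on /var alone. If /var/lib carries the separate var_lib_t type as it does in refpolicy, the interface also needs `files_search_var_lib($1)` next to the new line; otherwise the "cache directories" the updated comment promises are only half reachable. The interface's gen_require block opens outside the hunk.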
@@ -19,6 +18,12 @@ files_lock_file(logwatch_lock_t) type logwatch_tmp_t; files_tmp_file(logwatch_tmp_t) +type logwatch_var_run_t; +files_pid_file(logwatch_var_run_t) + +mta_base_mail_template(logwatch) +role system_r types logwatch_mail_t; + ######################################## # # Local policy @@ -26,8 +31,8 @@ files_tmp_file(logwatch_tmp_t) allow logwatch_t self:capability { dac_override dac_read_search setgid }; allow logwatch_t self:process signal; -allow logwatch_t self:fifo_file rw_file_perms; -allow logwatch_t self:unix_stream_socket create_stream_socket_perms; +allow logwatch_t self:fifo_file rw_fifo_file_perms; +allow logwatch_t self:unix_stream_socket { accept listen }; manage_dirs_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) manage_files_pattern(logwatch_t, logwatch_cache_t, logwatch_cache_t) @@ -39,6 +44,9 @@ manage_dirs_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) manage_files_pattern(logwatch_t, logwatch_tmp_t, logwatch_tmp_t) files_tmp_filetrans(logwatch_t, logwatch_tmp_t, { file dir }) +allow logwatch_t logwatch_var_run_t:file manage_file_perms; +files_pid_filetrans(logwatch_t, logwatch_var_run_t, file) + kernel_read_fs_sysctls(logwatch_t) kernel_read_kernel_sysctls(logwatch_t) kernel_read_system_state(logwatch_t) 
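Review bot: In the `@@ -26,8 +31,8` hunk, `allow logwatch_t self:unix_stream_socket { accept listen };` replaces `create_stream_socket_perms`, so this module no longer grants create, bind or connect on the domain's own stream sockets. That is only coherent if the base domain rules already provide `create_socket_perms` on self:unix_stream_socket, which is not visible in this diff; if they do not, the two remaining permissions are inert. A one-line comment such as `# create/bind/connect on self:unix_stream_socket come from the base domain rules` would record the assumption for the next reader.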
@@ -51,25 +59,24 @@ corecmd_exec_shell(logwatch_t) dev_read_urand(logwatch_t) dev_read_sysfs(logwatch_t) -# Read /proc/PID directories for all domains. domain_read_all_domains_state(logwatch_t) +files_getattr_all_files(logwatch_t) +files_getattr_all_file_type_fs(logwatch_t) files_list_var(logwatch_t) +files_search_all(logwatch_t) files_read_var_symlinks(logwatch_t) -files_read_etc_files(logwatch_t) files_read_etc_runtime_files(logwatch_t) files_read_usr_files(logwatch_t) -files_search_spool(logwatch_t) -files_search_mnt(logwatch_t) -files_dontaudit_search_home(logwatch_t) -files_dontaudit_search_boot(logwatch_t) -# Execs df and if file system mounted with a context avc raised -files_dontaudit_search_all_dirs(logwatch_t) fs_getattr_all_fs(logwatch_t) fs_dontaudit_list_auto_mountpoints(logwatch_t) fs_list_inotifyfs(logwatch_t) +storage_dontaudit_getattr_fixed_disk_dev(logwatch_t) + +mls_file_read_to_clearance(logwatch_t) + term_dontaudit_getattr_pty_dirs(logwatch_t) term_dontaudit_list_ptys(logwatch_t) @@ -88,17 +95,12 @@ miscfiles_read_localization(logwatch_t) selinux_dontaudit_getattr_dir(logwatch_t) -sysnet_dns_name_resolve(logwatch_t) sysnet_exec_ifconfig(logwatch_t) userdom_dontaudit_search_user_home_dirs(logwatch_t) -mta_send_mail(logwatch_t) - -ifdef(`distro_redhat',` - files_search_all(logwatch_t) - files_getattr_all_file_type_fs(logwatch_t) -') +mta_sendmail_domtrans(logwatch_t, logwatch_mail_t) +mta_getattr_spool(logwatch_t) tunable_policy(`use_nfs_home_dirs',` fs_list_nfs(logwatch_t) @@ -130,10 +132,6 @@ optional_policy(` ') optional_policy(` - mta_getattr_spool(logwatch_t) -') - -optional_policy(` ntp_domtrans(logwatch_t) ') 
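Review bot: The `@@ -51,25 +59,24` hunk makes the formerly Red-Hat-only `files_search_all` and `files_getattr_all_file_type_fs` unconditional, adds `files_getattr_all_files` and `mls_file_read_to_clearance`, and turns `files_dontaudit_search_all_dirs` into a real allow, so logwatch_t can now traverse and stat every directory and file on every distribution, while the comment that justified the old dontaudit (df on context-mounted filesystems) is dropped with it. A why-comment above the new lines, e.g. `# logwatch runs df over all mounted filesystems; needs search and getattr on all file types`, would keep that breadth reviewable. The removals of `files_read_etc_files` and `sysnet_dns_name_resolve` appear to assume those accesses are now granted elsewhere (base domain rules or `init_system_domain`); nothing in the diff replaces them, so this is worth confirming.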
@@ -145,3 +143,22 @@ optional_policy(`
 samba_read_log(logwatch_t)
 samba_read_share_files(logwatch_t)
 ')
+
+########################################
+#
+# Mail local policy
+#
+
+allow logwatch_mail_t self:capability { dac_read_search dac_override };
+
+manage_files_pattern(logwatch_mail_t, logwatch_tmp_t, logwatch_tmp_t)
+
+dev_read_rand(logwatch_mail_t)
+dev_read_urand(logwatch_mail_t)
+dev_read_sysfs(logwatch_mail_t)
+
+logging_read_all_logs(logwatch_mail_t)
+
+optional_policy(`
+ cron_use_system_job_fds(logwatch_mail_t)
+')
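Review bot: `logging_read_all_logs(logwatch_mail_t)` gives the sendmail child of logwatch read access to every log type, and `{ dac_read_search dac_override }` lets it bypass DAC on any of them, yet nothing in the hunk says why the mail domain rather than logwatch_t needs that. A comment above the line, e.g. `# NOTE(review): presumably the report is read straight from log files; confirm whether the logwatch_tmp_t copy would suffice`, would make the grant reviewable, and if only reading is required `dac_read_search` alone is the narrower capability. The `cron_use_system_job_fds` call is correctly wrapped in optional_policy.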