From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/, policy/modules/system/
Date: Mon, 12 Nov 2012 21:30:30 +0000 (UTC)
Message-ID: <1352755586.d049175602c7f2b6650030039276b6bb99d10757.SwifT@gentoo>
commit: d049175602c7f2b6650030039276b6bb99d10757
Author: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
AuthorDate: Mon Nov 12 21:26:26 2012 +0000
Commit: Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Nov 12 21:26:26 2012 +0000
URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=d0491756
Introduce syslogmanaged attribute
The syslogmanaged attribute is assigned to types that are used as target system
log managed log files. When assigned, the system logger has manage privileges on
the type. The privileges are both on file and directory level.
Modules can enable this by marking their filetype with
"logging_syslog_managed_log_file" or "logging_syslog_managed_log_dir". The first
option is the type, the second one is an (optional) name to use for the file or
directory for a proper file transition.
For instance, for cron (also part of this commit):
    type cron_log_t;
    logging_syslog_managed_log_file(cron_log_t, "cron.log")
This will create the following transition:
    type_transition syslogd_t var_log_t : file cron_log_t "cron.log";
Using logging_syslog_managed_log_dir will do the same, but on directory level.
See also https://bugs.gentoo.org/show_bug.cgi?id=440128
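A fuller use of both interfaces, added here as an illustration and not part of this commit or of refpolicy: a hypothetical contrib module foo (the names foo, foo_log_t, foo_var_log_t, "foo.log" and the path /var/log/foo are all assumed) hands one log file and one log directory to the system logger, and ships the file contexts that keep restorecon in agreement with the transitions.

```selinux
# Added example, not code from this commit or from refpolicy.
# Module name, type names, file name and paths are assumptions.

## foo.te
policy_module(foo, 1.0.0)

type foo_log_t;
logging_log_file(foo_log_t)

type foo_var_log_t;
logging_log_file(foo_var_log_t)

# The syslogmanaged attribute is declared in logging.te only under
# distro_gentoo, so the calls are guarded the same way cron.te guards
# its call; outside the guard the gen_require would fail to build.
ifdef(`distro_gentoo',`
	# syslogd_t creating /var/log/foo.log gets foo_log_t, and syslogd_t
	# may then create/append/rename/unlink files of that type.
	logging_syslog_managed_log_file(foo_log_t, "foo.log")

	# syslogd_t creating /var/log/foo/ gets foo_var_log_t.  Files the
	# logger creates inside inherit the directory type (default SELinux
	# behaviour without a further type_transition), and the manage
	# rules on the attribute already cover them.
	logging_syslog_managed_log_dir(foo_var_log_t, "foo")
')

## foo.fc
# Labels must match the transitions above, otherwise a relabel and a
# fresh creation by the logger disagree on the type.
/var/log/foo\.log	--	gen_context(system_u:object_r:foo_log_t,s0)
/var/log/foo(/.*)?		gen_context(system_u:object_r:foo_var_log_t,s0)
```

After the module is loaded, the two effects can be confirmed with setools: `sesearch -T -s syslogd_t -t var_log_t -c file` lists the named transition to foo_log_t, and `sesearch -A -s syslogd_t -t foo_log_t -c file -p unlink` shows that the manage grant on the attribute really does extend to deletion of the file.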
---
policy/modules/contrib/cron.te | 2 +
policy/modules/system/logging.if | 69 ++++++++++++++++++++++++++++++++++++++
policy/modules/system/logging.te | 6 +++
3 files changed, 77 insertions(+), 0 deletions(-)
diff --git a/policy/modules/contrib/cron.te b/policy/modules/contrib/cron.te
index d6af321..5460980 100644
--- a/policy/modules/contrib/cron.te
+++ b/policy/modules/contrib/cron.te
@@ -124,6 +124,8 @@ mta_system_content(user_cron_spool_t)
ifdef(`distro_gentoo',`
domain_interactive_fd(cronjob_t)
domain_interactive_fd(system_cronjob_t)
+
+ logging_syslog_managed_log_file(cron_log_t, "cron.log")
')
ifdef(`enable_mcs',`
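Review bot: the named transition requested here fires only when syslogd_t creates a file called exactly cron.log directly in var_log_t, so please confirm that the Gentoo syslog-ng default writes cron messages to that path (a subdirectory would need logging_syslog_managed_log_dir instead) and that cron.fc labels /var/log/cron.log as cron_log_t, otherwise a restorecon and a file freshly created by the logger will disagree on the type. The interface also re-invokes logging_log_file(cron_log_t); that is harmless if cron.te declares the type that way elsewhere, but it is worth stating in the interface description so callers do not wonder about the duplicate.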
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 857e07d..6bd6586 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -1104,3 +1104,72 @@ interface(`logging_admin',`
logging_admin_audit($1, $2)
logging_admin_syslog($1, $2)
')
+
+########################################
+## <summary>
+## Mark the type as a syslog managed log file
+## and introduce the proper file transition when
+## created by the system logger in the generic
+## log directory
+## </summary>
+## <param name="type">
+## <summary>
+## Type to mark as a syslog managed log file
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name to use for the file
+## </summary>
+## </param>
+#
+interface(`logging_syslog_managed_log_file',`
+ gen_require(`
+ attribute syslogmanaged;
+ type syslogd_t;
+ ')
+
+ typeattribute $1 syslogmanaged;
+
+ logging_log_file($1)
+ logging_log_filetrans(syslogd_t, $1, file, $2)
+')
+
+########################################
+## <summary>
+## Mark the type as a syslog managed log dir
+## and introduce the proper file transition when
+## created by the system logger in the generic
+## log directory
+## </summary>
+## <desc>
+## <p>
+## Once set, the system logger is able to fully
+## manage files and directory of the given type.
+## You do not need to use logging_syslog_managed_file
+## anymore (unless a file name transition is needed
+## for that as well).
+## </p>
+## </desc>
+## <param name="type">
+## <summary>
+## Type to mark as a syslog managed log dir
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## Name to use for the directory
+## </summary>
+## </param>
+#
+interface(`logging_syslog_managed_log_dir',`
+ gen_require(`
+ attribute syslogmanaged;
+ type syslogd_t;
+ ')
+
+ typeattribute $1 syslogmanaged;
+
+ logging_log_file($1)
+ logging_log_filetrans(syslogd_t, $1, dir, $2)
+')
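Review bot: the filename parameter is marked optional in both interfaces, but logging_log_filetrans(syslogd_t, $1, file, $2) with an empty $2 emits an unnamed type_transition from var_log_t to $1 for every file syslogd_t creates in /var/log, and a second module calling the interface without a name would produce a conflicting type_transition at policy build time; either make the parameter mandatory or document that at most one caller may omit it. Both interfaces gen_require the syslogmanaged attribute, which logging.te declares only under ifdef(`distro_gentoo'), so the descriptions should say that calls must sit inside the same guard. Also, the <desc> of logging_syslog_managed_log_dir refers to logging_syslog_managed_file, which does not exist; it should read logging_syslog_managed_log_file.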
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 7a4250e..08f66fb 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -86,6 +86,10 @@ ifdef(`enable_mls',`
init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
')
+ifdef(`distro_gentoo',`
+ attribute syslogmanaged;
+')
+
########################################
#
# Auditctl local policy
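Review bot: the attribute is declared only under ifdef(`distro_gentoo'), while the two interfaces in logging.if that gen_require it are unconditional, so any caller outside a distro_gentoo guard fails with a missing-attribute error on non-Gentoo builds. Either declare the attribute unconditionally (an attribute with no members costs nothing) or wrap the interface bodies in the same ifdef so the calls become a no-op elsewhere; the current split makes the contract depend on every caller remembering the guard.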
@@ -470,6 +474,8 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
userdom_dontaudit_search_user_home_dirs(syslogd_t)
ifdef(`distro_gentoo',`
+ manage_dirs_pattern(syslogd_t, syslogmanaged, syslogmanaged)
+ manage_files_pattern(syslogd_t, syslogmanaged, syslogmanaged)
# default gentoo syslog-ng config appends kernel
# and high priority messages to /dev/tty12
term_append_unallocated_ttys(syslogd_t)
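Review bot: manage_dirs_pattern and manage_files_pattern hand syslogd_t create, rename, unlink and setattr on every type carrying syslogmanaged, which is more than the append and create a logger needs to write a log; that is defensible for a logger that rotates its own files, but the interface descriptions should spell out that assigning the attribute gives the logger full control of the type, including deletion, so module authors do not apply it to log types they expect to be append-only. Only the dir and file classes are covered, which is fine for the cron case, but a type used for a lnk_file of the same name would not be managed.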