Return-Path: <gentoo-commits+bounces-555041-garchives=archives.gentoo.org@lists.gentoo.org>
From: "Sven Vermeulen" <sven.vermeulen@siphos.be>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" <sven.vermeulen@siphos.be>
Message-ID: <1360005004.acdd6786197c58cdc6f3e88fa486644760e717bb.SwifT@gentoo>
Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/
X-VCS-Repository: proj/hardened-refpolicy
X-VCS-Files: policy/modules/system/logging.te
X-VCS-Directories: policy/modules/system/
X-VCS-Committer: SwifT
X-VCS-Committer-Name: Sven Vermeulen
X-VCS-Revision: acdd6786197c58cdc6f3e88fa486644760e717bb
X-VCS-Branch: master
Date: Mon,  4 Feb 2013 19:17:36 +0000 (UTC)

commit:     acdd6786197c58cdc6f3e88fa486644760e717bb
Author:     Laurent Bigonville <bigon <AT> bigon <DOT> be>
AuthorDate: Sat Jan 12 21:32:24 2013 +0000
Commit:     Sven Vermeulen <sven.vermeulen <AT> siphos <DOT> be>
CommitDate: Mon Feb  4 19:10:04 2013 +0000
URL:        http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=acdd6786

Add support for rsyslog

Allow sys_nice capability, setsched, allow searching in /var/spool and allow the
syslog_t domain to read network state files in /proc

squash! Add support for rsyslog

---
 policy/modules/system/logging.te |    8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index e044c28..99de723 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -357,14 +357,16 @@ optional_policy(`
 
 # chown fsetid for syslog-ng
 # sys_admin for the integrated klog of syslog-ng and metalog
+# sys_nice for rsyslog
 # cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
 allow syslogd_t self:capability2 block_suspend;
 dontaudit syslogd_t self:capability sys_tty_config;
 # setpgid for metalog
 # setrlimit for syslog-ng
 # getsched for syslog-ng
-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched };
+# setsched for rsyslog
+allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
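Review bot: the `sys_nice` capability and the `setsched` process permission are both scoped to `self`, so they only let the daemon change the scheduling of its own threads, which is the right granularity; it would still help to record in the hunk's comments which rsyslog feature triggers the denials (for example, whether it raises its own priority or selects a scheduling policy), because `setsched` on its own covers policy changes within the default class and `sys_nice` is only needed to go beyond the caller's limits. The added comment `# sys_nice for rsyslog` fits the existing per-daemon annotation style, but `# setsched for rsyslog` is placed between the old and new `allow` lines rather than with the other `self:process` comments above; moving it up next to `# getsched for syslog-ng` keeps the justification block contiguous.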
@@ -382,6 +384,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
 # create/append log files.
 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+files_search_spool(syslogd_t)
 
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
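Review bot: `files_search_spool(syslogd_t)` is the only new line in this hunk that carries no comment, while the surrounding rules each name the daemon that needs them (`# Allow access for syslog-ng`); add a `# rsyslog` comment so the next reader knows this is not for the other syslog implementations. Search on `var_spool_t` alone lets the daemon traverse `/var/spool` but gives no access to anything inside it, so if rsyslog keeps its working directory (queue files) under `/var/spool`, a dedicated type with create and write rules would still be required, and that should be called out or filed as a follow-up rather than left implicit.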
@@ -399,6 +402,7 @@ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
 
 kernel_read_system_state(syslogd_t)
+kernel_read_network_state(syslogd_t)
 kernel_read_kernel_sysctls(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 # Allow access to /proc/kmsg for syslog-ng
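Review bot: `kernel_read_network_state(syslogd_t)` grants read access to the network state under `/proc/net` to every syslog implementation confined by this domain, not just rsyslog, and like the previous hunk it lacks the per-daemon comment the rest of this block uses; add `# rsyslog` above it. The commit message refers to the `syslog_t` domain, but the rule is applied to `syslogd_t`; the message should be corrected so that the log matches the policy actually changed.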