From: "Sven Vermeulen" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Sven Vermeulen" Message-ID: <1382381021.af5963dc5bc69cc1b33a782b28b67b69c8550ab1.swift@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/logging.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: swift X-VCS-Committer-Name: Sven Vermeulen X-VCS-Revision: af5963dc5bc69cc1b33a782b28b67b69c8550ab1 X-VCS-Branch: master Date: Mon, 21 Oct 2013 18:45:10 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: bdffca54-9202-404a-899e-da3abfac87c9 X-Archives-Hash: cdd3a2e704d44e3bf194b97995d49224 commit: af5963dc5bc69cc1b33a782b28b67b69c8550ab1 Author: Sven Vermeulen siphos be> AuthorDate: Mon Oct 21 18:43:41 2013 +0000 Commit: Sven Vermeulen gentoo org> CommitDate: Mon Oct 21 18:43:41 2013 +0000 URL: http://git.overlays.gentoo.org/gitweb/?p=proj/hardened-refpolicy.git;a=commit;h=af5963dc Move to distro_gentoo block --- policy/modules/system/logging.te | 23 +++++++++++++++-------- 1 file changed, 15 insertions(+), 8 deletions(-) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 7883d25..17c3876 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -86,10 +86,6 @@ ifdef(`enable_mls',` init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) ') -ifdef(`distro_gentoo',` - attribute syslogmanaged; -') - ######################################## # # Auditctl local policy 
@@ -360,7 +356,6 @@ optional_policy(` # sys_nice for rsyslog # cjp: why net_admin! allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; -allow syslogd_t self:capability2 block_suspend; dontaudit syslogd_t self:capability sys_tty_config; # setpgid for metalog # setrlimit for syslog-ng @@ -449,7 +444,6 @@ files_read_etc_runtime_files(syslogd_t) # /initrd is not umounted before minilog starts files_dontaudit_search_isid_type_dirs(syslogd_t) files_read_kernel_symbol_table(syslogd_t) -files_rw_var_lib_dirs(syslogd_t) files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) fs_getattr_all_fs(syslogd_t) @@ -479,8 +473,6 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t) userdom_dontaudit_search_user_home_dirs(syslogd_t) ifdef(`distro_gentoo',` - manage_dirs_pattern(syslogd_t, syslogmanaged, syslogmanaged) - manage_files_pattern(syslogd_t, syslogmanaged, syslogmanaged) # default gentoo syslog-ng config appends kernel # and high priority messages to /dev/tty12 term_append_unallocated_ttys(syslogd_t) @@ -534,3 +526,18 @@ optional_policy(` # log to the xconsole xserver_rw_console(syslogd_t) ') + +ifdef(`distro_gentoo',` + attribute syslogmanaged; + + ######################################## + # + # Local syslogd_t policy + # + allow syslogd_t self:capability2 block_suspend; + + manage_dirs_pattern(syslogd_t, syslogmanaged, syslogmanaged) + manage_files_pattern(syslogd_t, syslogmanaged, syslogmanaged) + + files_rw_var_lib_dirs(syslogd_t) +')
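
Review bot: in the hunk at -360, the removed line "allow syslogd_t self:capability2 block_suspend;" was unconditional, and its only replacement is inside the new distro_gentoo block at the end of the file, so a build without distro_gentoo no longer grants syslogd_t block_suspend. The commit message ("Move to distro_gentoo block") should state that this narrowing is intended. The re-added rule would also benefit from a short comment naming what needs it, in the style of the neighbouring "# sys_nice for rsyslog".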
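
Review bot: in the hunk at -449, files_rw_var_lib_dirs(syslogd_t) is dropped from the unconditional rules while the next context line, files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }), stays. Please confirm the separate read/write grant on the generic var_lib directories is still required on Gentoo alongside that filetrans call. If it is, document the reason where the call is re-added. If it is not, drop it rather than moving it.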
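
Review bot: the block added by the final hunk (at -534) is a second distro_gentoo section for syslogd_t, because the existing one touched at -479 is kept and still holds term_append_unallocated_ttys(syslogd_t). Consider moving that remaining rule and its two comment lines into the new block so that all Gentoo-specific syslogd_t rules sit in one place. Also note in the commit message that "attribute syslogmanaged;" now lives at the end of the file instead of in the declarations section near line 86.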