From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id D0987139694 for ; Sun, 30 Apr 2017 14:20:16 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id A342421C0F3; Sun, 30 Apr 2017 14:20:12 +0000 (UTC) Received: from smtp.gentoo.org (woodpecker.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 7560C21C0E4 for ; Sun, 30 Apr 2017 14:20:12 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 54FE63416A1 for ; Sun, 30 Apr 2017 14:20:03 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 2EDBB744B for ; Sun, 30 Apr 2017 14:20:00 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1493561864.2a45b491602c974a5bf42f37fa1dcee7cac8492a.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:master commit in: policy/modules/contrib/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/contrib/logrotate.te policy/modules/contrib/logwatch.te policy/modules/contrib/sysstat.te policy/modules/contrib/webalizer.te X-VCS-Directories: policy/modules/contrib/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 2a45b491602c974a5bf42f37fa1dcee7cac8492a X-VCS-Branch: master Date: Sun, 30 Apr 2017 14:20:00 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: d5b0746a-7d58-4f6e-9458-2aa8353312d1 X-Archives-Hash: 6d3383a56ed224daae45c0d97f5ad657 commit: 2a45b491602c974a5bf42f37fa1dcee7cac8492a Author: Chris PeBenito ieee org> AuthorDate: Wed Apr 19 01:06:48 2017 +0000 Commit: Jason Zaman gentoo org> CommitDate: Sun Apr 30 14:17:44 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=2a45b491 logging patches from Russell Coker Patches for logrotate, webalizer, sysstat, and logwatch. policy/modules/contrib/logrotate.te | 6 +++++- policy/modules/contrib/logwatch.te | 7 ++++++- policy/modules/contrib/sysstat.te | 9 ++++++--- policy/modules/contrib/webalizer.te | 8 +++++++- 4 files changed, 24 insertions(+), 6 deletions(-)
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index ec338fb6..1c63e097 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.2)
+policy_module(logrotate, 1.18.3)
 ########################################
 #
@@ -89,6 +89,7 @@ files_dontaudit_list_mnt(logrotate_t)
 fs_search_auto_mountpoints(logrotate_t)
 fs_getattr_xattr_fs(logrotate_t)
 fs_list_inotifyfs(logrotate_t)
+fs_getattr_tmpfs(logrotate_t)
 mls_file_read_all_levels(logrotate_t)
 mls_file_write_all_levels(logrotate_t)
@@ -102,8 +103,10 @@ auth_manage_login_records(logrotate_t)
 auth_use_nsswitch(logrotate_t)
 init_all_labeled_script_domtrans(logrotate_t)
+init_startstop_all_script_services(logrotate_t)
 init_get_generic_units_status(logrotate_t)
 init_get_all_units_status(logrotate_t)
+init_get_system_status(logrotate_t)
 init_dbus_chat(logrotate_t)
 init_stream_connect(logrotate_t)
 init_manage_all_units(logrotate_t)
@@ -218,6 +221,7 @@ optional_policy(`
 optional_policy(`
 mysql_read_config(logrotate_t)
 mysql_stream_connect(logrotate_t)
+ mysql_signal(logrotate_t)
 ')
 optional_policy(`
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 24f1c17b..d2b54207 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.14.0)
+policy_module(logwatch, 1.14.1)
 #################################
 #
@@ -160,6 +160,10 @@ optional_policy(`
 ')
 optional_policy(`
+ raid_domtrans_mdadm(logwatch_t)
+')
+
+optional_policy(`
 rpc_search_nfs_state_data(logwatch_t)
 ')
@@ -189,4 +193,5 @@ logging_read_all_logs(logwatch_mail_t)
 optional_policy(`
 cron_use_system_job_fds(logwatch_mail_t)
+ cron_rw_system_job_pipes(logwatch_mail_t)
 ')
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index ac249ac0..deca783e 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.9.0)
+policy_module(sysstat, 1.9.1)
 ########################################
 #
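Review bot: `init_startstop_all_script_services(logrotate_t)` in the logrotate.te hunk at -102 lets logrotate_t start and stop the services of every labeled init script, and nothing in the commit says which postrotate action needs it. The context lines of the same hunk already grant `init_all_labeled_script_domtrans` and `init_manage_all_units`, so logrotate_t is close to a service-manager domain. A one-line rationale above the new line, e.g. `# postrotate scripts restart daemons through their init scripts`, would let a later reviewer judge whether a narrower per-service interface would do. The same applies to `mysql_signal(logrotate_t)` in the -218 hunk, which presumably exists so mysqld can be told to reopen its logs.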
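Review bot: `raid_domtrans_mdadm(logwatch_t)` in the logwatch.te hunk at -160 gives the report generator a transition into the mdadm domain, which is a much larger grant than reading a status file. If logwatch only reports array state (an assumption; the commit message does not say), any mdadm invocation from a report script would run with that domain's rights rather than logwatch's. The new `optional_policy` block should carry a comment naming the logwatch script that calls mdadm. It is also worth confirming that read-only access to `/proc/mdstat` would not be enough.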
@@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
 allow sysstat_t self:fifo_file rw_fifo_file_perms;
 manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
 manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
 logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
@@ -39,12 +38,15 @@ kernel_read_fs_sysctls(sysstat_t)
 kernel_read_rpc_sysctls(sysstat_t)
 corecmd_exec_bin(sysstat_t)
+corecmd_exec_shell(sysstat_t)
 dev_read_sysfs(sysstat_t)
+dev_getattr_sysfs(sysstat_t)
 dev_read_urand(sysstat_t)
 files_search_var(sysstat_t)
 files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)
 fs_getattr_xattr_fs(sysstat_t)
 fs_list_inotifyfs(sysstat_t)
@@ -66,6 +68,7 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
 optional_policy(`
 cron_system_entry(sysstat_t, sysstat_exec_t)
+ cron_rw_tmp_files(sysstat_t)
 ')
 ifdef(`distro_gentoo',`
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 06f9d332..9ea1bdad 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.14.0)
+policy_module(webalizer, 1.14.1)
 ########################################
 #
@@ -16,6 +16,9 @@ role webalizer_roles types webalizer_t;
 type webalizer_etc_t;
 files_config_file(webalizer_etc_t)
+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
 type webalizer_tmp_t;
 files_tmp_file(webalizer_tmp_t)
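Review bot: Replacing `append_files_pattern` and `create_files_pattern` with `manage_files_pattern` in the sysstat.te hunk at -24 drops the append-only property of sysstat_log_t files: sysstat_t can now overwrite, rename and unlink existing data files instead of only adding to them. That may be needed for rotating the sa data files, but the reason should be stated in a comment above the new line, because append-only logging is an integrity control that should only be given up deliberately. The `setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` line kept as context directly below is now redundant, since manage permissions on files already include setattr, and can be removed.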
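Review bot: `corecmd_exec_shell(sysstat_t)` in the sysstat.te hunk at -38 lets sysstat_t run a shell in its own domain, and the -24 hunk header shows that domain holding `dac_override` and `sys_admin`. The grant is presumably for the sa1/sa2 wrapper scripts, but the policy carries no comment saying so. Together with `cron_rw_tmp_files(sysstat_t)` in the -66 hunk it widens what the collector domain can reach, so each new line should get a short rationale comment, e.g. `# sa1 and sa2 are shell scripts`.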
@@ -37,6 +40,9 @@ allow webalizer_t self:tcp_socket { accept listen };
 allow webalizer_t webalizer_etc_t:file read_file_perms;
+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
 manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
 files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })
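Review bot: The new `manage_dirs_pattern`/`manage_files_pattern` lines for webalizer_log_t have no type transition, unlike the webalizer_tmp_t rules directly below them, which end with `files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })`. The X-VCS-Files header lists only .te files, so no file-context entry for the new type ships with this commit either. As far as the commit shows, nothing will carry the webalizer_log_t label and the two patterns match no object. Either add `logging_log_filetrans(webalizer_t, webalizer_log_t, { file dir })` after the new patterns, or add the log path to the module's file-contexts (.fc) file; which is right depends on whether webalizer creates its own log directory.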