* [refpolicy] [PATCH v2 0/4] Small set of updates
@ 2012-09-06 17:35 Sven Vermeulen
  2012-09-06 17:35 ` [refpolicy] [PATCH v2 1/4] Puppet uses mount output for verification Sven Vermeulen
                   ` (3 more replies)
  0 siblings, 4 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-09-06 17:35 UTC (permalink / raw)
  To: refpolicy

This patchset contains a few smaller updates on the SELinux policies.

Changes since v1
----------------

- Drop ifdef in file context (not needed)
- Remove redundant call to files_rw_var_lib_dirs()
- Drop udev changes

Sven Vermeulen (4):
  Puppet uses mount output for verification
  Allow syslogd to create /var/lib/syslog and
    /var/lib/misc/syslog-ng.persist
  Gentoo's openrc does not require initrc_exec_t for runscripts anymore
  Allow init scripts to read courier configuration

 policy/modules/system/init.fc    |    4 ----
 policy/modules/system/init.te    |    4 ++++
 policy/modules/system/logging.fc |    2 ++
 policy/modules/system/logging.te |    1 +
 policy/modules/system/mount.te   |    4 ++++
 5 files changed, 11 insertions(+), 4 deletions(-)

-- 
1.7.8.6

^ permalink raw reply	[flat|nested] 10+ messages in thread

* [refpolicy] [PATCH v2 1/4] Puppet uses mount output for verification
  2012-09-06 17:35 [refpolicy] [PATCH v2 0/4] Small set of updates Sven Vermeulen
@ 2012-09-06 17:35 ` Sven Vermeulen
  2012-09-06 17:35 ` [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist Sven Vermeulen
                   ` (2 subsequent siblings)
  3 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-09-06 17:35 UTC (permalink / raw)
  To: refpolicy

Puppet calls mount to obtain the list of mounted file systems, redirecting its
output to a temporary file (labeled puppet_tmp_t). This allows the mount domain
to write to this resource.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/mount.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 63931f6..4175ff7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -193,6 +193,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	puppet_rw_tmp(mount_t)
+')
+
 # for kernel package installation
 optional_policy(`
 	rpm_rw_pipes(mount_t)
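Review bot: The new puppet_rw_tmp(mount_t) block carries no comment, while the block right below it is introduced by "# for kernel package installation"; add one line such as "# puppet redirects mount output to a puppet_tmp_t file" so the reason survives outside the commit message. As the interface name says, rw grants read as well as write on puppet_tmp_t files, which is wider than the write-only redirect the description mentions; that is the granularity refpolicy offers, but it is worth stating in the comment so a later reader does not wonder why mount needs to read puppet's temporary files.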
-- 
1.7.8.6


* [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
  2012-09-06 17:35 [refpolicy] [PATCH v2 0/4] Small set of updates Sven Vermeulen
  2012-09-06 17:35 ` [refpolicy] [PATCH v2 1/4] Puppet uses mount output for verification Sven Vermeulen
@ 2012-09-06 17:35 ` Sven Vermeulen
  2012-09-06 18:47   ` Dominick Grift
  2012-09-07 12:34   ` Christopher J. PeBenito
  2012-09-06 17:35 ` [refpolicy] [PATCH v2 3/4] Gentoo's openrc does not require initrc_exec_t for runscripts anymore Sven Vermeulen
  2012-09-06 17:35 ` [refpolicy] [PATCH v2 4/4] Allow init scripts to read courier configuration Sven Vermeulen
  3 siblings, 2 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-09-06 17:35 UTC (permalink / raw)
  To: refpolicy

If the /var/lib/syslog directory does not exist, then syslog-ng (running in
syslogd_t) will attempt to create the directory.

Allow the syslogd_t domain to create the directory, and use an automatic file
transition towards syslogd_var_lib_t.

Also, the syslog-ng daemon uses a persistence file in
/var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As
/var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write
its files as syslogd_var_lib_t therein.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/logging.fc |    2 ++
 policy/modules/system/logging.te |    1 +
 2 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 02f4c97..f5b3f34 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -24,6 +24,7 @@
 /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
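Review bot: The added /var/lib/misc/syslog-ng.persist-? entry separates its columns with spaces where the surrounding lines use tabs; align it with its neighbours. The unescaped dot matches any character, so "\.persist" (as init.fc does with runscript\.sh in patch 3/4) would keep the match exact; the pre-existing /var/lib/syslog-ng.persist line has the same looseness. The "-?" suffix correctly covers both syslog-ng.persist and the syslog-ng.persist- collision name from the description, and since /var/lib/misc itself stays var_lib_t this entry only matters on relabel; the label at creation time comes from the filetrans rule in logging.te, so the two must agree, which they do here.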
@@ -32,6 +33,7 @@ ifdef(`distro_suse', `
 /var/lib/stunnel/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
 ')
 
+
 /var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 /var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
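Review bot: The only change in this hunk is a blank line added between the closing ')' of the distro_suse block and the /var/axfrdns entry; drop it from the patch, since it is unrelated to the syslog-ng change, is not mentioned in the description, and only adds noise to the history.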
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0034021..2eca67c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -439,6 +439,7 @@ files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
 files_dontaudit_search_isid_type_dirs(syslogd_t)
 files_read_kernel_symbol_table(syslogd_t)
+files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
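Review bot: files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir }) should carry a comment naming the two cases it serves, the /var/lib/syslog directory and the /var/lib/misc/syslog-ng.persist file, because a bare "{ file dir }" transition under var_lib_t prompts exactly the "why file trans on a file?" question raised in this thread. Note that the rule is not path-specific: every file or directory syslogd_t creates directly inside a var_lib_t directory becomes syslogd_var_lib_t, and the filetrans pattern also grants syslogd_t write access to var_lib_t directories, which is why dropping the separate files_rw_var_lib_dirs() call in v2 was correct. If the refpolicy in use supports the optional filename argument on filetrans interfaces, two named transitions (syslog for the dir, syslog-ng.persist for the file) would narrow this to the paths the description actually names.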
-- 
1.7.8.6


* [refpolicy] [PATCH v2 3/4] Gentoo's openrc does not require initrc_exec_t for runscripts anymore
  2012-09-06 17:35 [refpolicy] [PATCH v2 0/4] Small set of updates Sven Vermeulen
  2012-09-06 17:35 ` [refpolicy] [PATCH v2 1/4] Puppet uses mount output for verification Sven Vermeulen
  2012-09-06 17:35 ` [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist Sven Vermeulen
@ 2012-09-06 17:35 ` Sven Vermeulen
  2012-09-06 17:35 ` [refpolicy] [PATCH v2 4/4] Allow init scripts to read courier configuration Sven Vermeulen
  3 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-09-06 17:35 UTC (permalink / raw)
  To: refpolicy

The Gentoo-specific runscripts in /sbin should not be marked as initrc_exec_t
anymore (just bin_t).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.fc |    4 ----
 1 files changed, 0 insertions(+), 4 deletions(-)

diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 03e27db..9a4d3a7 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -35,10 +35,6 @@ ifdef(`distro_gentoo', `
 
 ifdef(`distro_gentoo', `
 /sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
-/sbin/runscript		--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/runscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/runsvcscript\.sh	--	gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/svcinit		--	gen_context(system_u:object_r:initrc_exec_t,s0)
 ')
 
 #
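Review bot: Neither the hunk nor the description says what changed in openrc that makes it safe to drop initrc_exec_t from /sbin/runscript, /sbin/runscript.sh, /sbin/runsvcscript.sh and /sbin/svcinit; one sentence on how these are now invoked would help, since executing a bin_t file from init_t no longer produces the init_t to initrc_t transition that initrc_exec_t did. The fallback to bin_t relies on the generic /sbin entry elsewhere in the policy rather than anything in this file, and installed systems keep the old labels until these paths are relabelled, so the update needs a restorecon of /sbin to take effect. /sbin/rc keeping rc_exec_t in the same block looks right.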
-- 
1.7.8.6


* [refpolicy] [PATCH v2 4/4] Allow init scripts to read courier configuration
  2012-09-06 17:35 [refpolicy] [PATCH v2 0/4] Small set of updates Sven Vermeulen
                   ` (2 preceding siblings ...)
  2012-09-06 17:35 ` [refpolicy] [PATCH v2 3/4] Gentoo's openrc does not require initrc_exec_t for runscripts anymore Sven Vermeulen
@ 2012-09-06 17:35 ` Sven Vermeulen
  3 siblings, 0 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-09-06 17:35 UTC (permalink / raw)
  To: refpolicy

The courier-imap and courier-pop3 daemons are started by sourcing their
configuration files, and then invoking the daemons using the proper options. If
this is done through a specialized script, then init only needs to call this
script (where a proper transition occurs) but if the init script itself does
this, it needs to be able to read the configuration files.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0a7eda5..32dd043 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -613,6 +613,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	courier_read_config(initrc_t)
+')
+
+optional_policy(`
 	cpucontrol_stub(initrc_t)
 	dev_getattr_cpu_dev(initrc_t)
 ')
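Review bot: A one-line comment above courier_read_config(initrc_t), for example "# gentoo courier init scripts source their config", would record why initrc_t needs to read courier's configuration; the commit message explains it, but the policy file does not, and the description's other layout (a dedicated script with its own transition) needs nothing here, so the comment tells a reader which case this covers. Sourcing only needs read permission on the file, so the read interface rather than an exec one is the right choice. The diff reuses the existing optional_policy opener and re-adds one above cpucontrol_stub, which reads oddly but yields the intended two blocks in alphabetical order.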
-- 
1.7.8.6


* [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
  2012-09-06 17:35 ` [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist Sven Vermeulen
@ 2012-09-06 18:47   ` Dominick Grift
  2012-09-06 19:15     ` Sven Vermeulen
  2012-09-07 12:34   ` Christopher J. PeBenito
  1 sibling, 1 reply; 10+ messages in thread
From: Dominick Grift @ 2012-09-06 18:47 UTC (permalink / raw)
  To: refpolicy



On Thu, 2012-09-06 at 19:35 +0200, Sven Vermeulen wrote:
> If the /var/lib/syslog directory does not exist, then syslog-ng (running in
> syslogd_t) will attempt to create the directory.

> +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })

 Why file trans on a file?


* [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
  2012-09-06 18:47   ` Dominick Grift
@ 2012-09-06 19:15     ` Sven Vermeulen
  2012-09-06 19:23       ` Dominick Grift
  2012-09-06 19:37       ` Daniel J Walsh
  0 siblings, 2 replies; 10+ messages in thread
From: Sven Vermeulen @ 2012-09-06 19:15 UTC (permalink / raw)
  To: refpolicy

On Thu, Sep 06, 2012 at 08:47:18PM +0200, Dominick Grift wrote:
> On Thu, 2012-09-06 at 19:35 +0200, Sven Vermeulen wrote:
> > If the /var/lib/syslog directory does not exist, then syslog-ng (running in
> > syslogd_t) will attempt to create the directory.
> 
> > +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
> 
>  Why file trans on a file?

You asked that the previous time as well (at least you're consistent ;-) and
I hoped a bit that the commit information (and the mail reply) was
sufficient.

The file transition is for /var/lib/misc/syslog-ng.persist (and
/var/lib/misc/syslog-ng.persist-) as the /var/lib/misc location itself is
still var_lib_t.

Wkr,
	Sven Vermeulen
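The question in this exchange is which of the fc entries from patch 2/4 would apply to syslog-ng's persist file and to the /var/lib/syslog directory, and why /var/lib/misc itself stays var_lib_t. The following is an added example, not code from the thread or from refpolicy: it parses the fc lines quoted in the patch (reproduced here as a constructed sample, with spaces instead of the tabs a real fc file uses) the way setfiles reads them, anchoring each regex at both ends and honouring the object-class flag, and lists every entry that matches a given path. It reports all matching candidates in file order and does not model libselinux's rule for choosing among several matches.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the logging.fc lines discussed in this thread, written
# as setfiles reads them (pattern, optional object-class flag, context).
# Real fc files separate columns with tabs; whitespace splitting handles both.
SAMPLE_FC = """
/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng(/.*)?             gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/r?syslog(/.*)?              gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng.persist --        gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/stunnel/dev/log -s          gen_context(system_u:object_r:devlog_t,s0)
"""

# setfiles object-class flags -> the kind of inode the entry applies to
FLAG_TO_KIND = {"--": "file", "-d": "dir", "-s": "sock", "-l": "lnk",
                "-p": "pipe", "-c": "chr", "-b": "blk"}


@dataclass
class FcEntry:
    pattern: str
    kind: Optional[str]       # None: the entry applies to every object class
    seuser_role_type: str     # e.g. system_u:object_r:syslogd_var_lib_t
    regex: "re.Pattern[str]"

    @property
    def type(self) -> str:
        return self.seuser_role_type.split(":")[2]


def parse_fc(text: str) -> List[FcEntry]:
    """Parse fc lines; a malformed line raises instead of being skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) == 3:
            pattern, flag, ctx = parts
            if flag not in FLAG_TO_KIND:
                raise ValueError(f"unknown object-class flag {flag!r} in {line!r}")
            kind = FLAG_TO_KIND[flag]
        elif len(parts) == 2:
            pattern, ctx = parts
            kind = None
        else:
            raise ValueError(f"malformed fc line: {line!r}")
        m = re.fullmatch(r"gen_context\(([^,]+),.*\)", ctx)
        if not m:
            raise ValueError(f"unexpected context syntax: {ctx!r}")
        # setfiles anchors every fc regex at both ends, so "persist-?" cannot
        # match "persistent" and "(/.*)?" cannot match a sibling name.
        entries.append(FcEntry(pattern, kind, m.group(1),
                               re.compile("^" + pattern + "$")))
    return entries


def matching_types(entries: List[FcEntry], path: str, kind: str) -> List[str]:
    """Types of every entry whose regex matches `path` and whose flag admits
    an object of `kind` ("file", "dir", ...), in file order. An empty list
    means no entry applies and the path keeps its parent's label."""
    return [e.type for e in entries
            if e.regex.match(path) and (e.kind is None or e.kind == kind)]


ENTRIES = parse_fc(SAMPLE_FC)

if __name__ == "__main__":
    for path, kind in [("/var/lib/misc/syslog-ng.persist", "file"),
                       ("/var/lib/misc/syslog-ng.persist-", "file"),
                       ("/var/lib/misc/syslog-ng.persist", "dir"),
                       ("/var/lib/syslog", "dir"),
                       ("/var/lib/misc", "dir")]:
        hits = matching_types(ENTRIES, path, kind)
        print(f"{path:36} {kind:4} -> {hits or 'no entry; parent label applies'}")
```

Running it shows the point of the thread: both persist names match the new "--" entry as regular files and nothing else, the directory /var/lib/syslog matches the pre-existing r?syslog entry, and /var/lib/misc matches nothing in this set, which is why the file transition in logging.te, not the fc entry, is what labels the persist file at creation time.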


* [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
  2012-09-06 19:15     ` Sven Vermeulen
@ 2012-09-06 19:23       ` Dominick Grift
  2012-09-06 19:37       ` Daniel J Walsh
  1 sibling, 0 replies; 10+ messages in thread
From: Dominick Grift @ 2012-09-06 19:23 UTC (permalink / raw)
  To: refpolicy



On Thu, 2012-09-06 at 21:15 +0200, Sven Vermeulen wrote:
> On Thu, Sep 06, 2012 at 08:47:18PM +0200, Dominick Grift wrote:
> > On Thu, 2012-09-06 at 19:35 +0200, Sven Vermeulen wrote:
> > > If the /var/lib/syslog directory does not exist, then syslog-ng (running in
> > > syslogd_t) will attempt to create the directory.
> > 
> > > +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
> > 
> >  Why file trans on a file?
> 
> You asked that the previous time as well (at least you're consistent ;-) and
> I hoped a bit that the commit information (and the mail reply) was
> sufficient.
> 
> The file transition is for /var/lib/misc/syslog-ng.persist (and
> /var/lib/misc/syslog-ng.persist-) as the /var/lib/misc location itself is
> still var_lib_t.

ok, that explains it. It was just a question :)

> Wkr,
> 	Sven Vermeulen
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy


* [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
  2012-09-06 19:15     ` Sven Vermeulen
  2012-09-06 19:23       ` Dominick Grift
@ 2012-09-06 19:37       ` Daniel J Walsh
  1 sibling, 0 replies; 10+ messages in thread
From: Daniel J Walsh @ 2012-09-06 19:37 UTC (permalink / raw)
  To: refpolicy

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/06/2012 03:15 PM, Sven Vermeulen wrote:
> On Thu, Sep 06, 2012 at 08:47:18PM +0200, Dominick Grift wrote:
>> On Thu, 2012-09-06 at 19:35 +0200, Sven Vermeulen wrote:
>>> If the /var/lib/syslog directory does not exist, then syslog-ng
>>> (running in syslogd_t) will attempt to create the directory.
>> 
>>> +files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
>> 
>> Why file trans on a file?
> 
> You asked that the previous time as well (at least you're consistent ;-)
> and I hoped a bit that the commit information (and the mail reply) was 
> sufficient.
> 
> The file transition is for /var/lib/misc/syslog-ng.persist (and 
> /var/lib/misc/syslog-ng.persist-) as the /var/lib/misc location itself is 
> still var_lib_t.
> 
> Wkr, Sven Vermeulen _______________________________________________ 
> refpolicy mailing list refpolicy at oss.tresys.com 
> http://oss.tresys.com/mailman/listinfo/refpolicy
> 


/var/lib/misc should just die a horrible death.  /var/lib itself is misc.
syslog should store its content under /var/lib/syslog.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBI+2YACgkQrlYvE4MpobOWeACcCXEHPxEf97w4i3MbYw+yb5aw
q3IAoNeTPB6MFENf0kOtlAbk3LXQCoox
=40Ns
-----END PGP SIGNATURE-----


* [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
  2012-09-06 17:35 ` [refpolicy] [PATCH v2 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist Sven Vermeulen
  2012-09-06 18:47   ` Dominick Grift
@ 2012-09-07 12:34   ` Christopher J. PeBenito
  1 sibling, 0 replies; 10+ messages in thread
From: Christopher J. PeBenito @ 2012-09-07 12:34 UTC (permalink / raw)
  To: refpolicy

On 09/06/12 13:35, Sven Vermeulen wrote:
> diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
> index 02f4c97..f5b3f34 100644
> --- a/policy/modules/system/logging.fc
> +++ b/policy/modules/system/logging.fc
> @@ -32,6 +33,7 @@ ifdef(`distro_suse', `
>  /var/lib/stunnel/dev/log -s	gen_context(system_u:object_r:devlog_t,s0)
>  ')
>  
> +
>  /var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
>  /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
>  /var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)

Unnecessary whitespace change.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

