[refpolicy] [PATCH refpolicy] add capability2:syslog perm

From: serue@us.ibm.com (Serge E. Hallyn)
To: refpolicy@oss.tresys.com
Subject: [refpolicy] [PATCH refpolicy] add capability2:syslog perm
Date: Fri, 12 Mar 2010 14:58:58 -0600	[thread overview]
Message-ID: <20100312205858.GB1557@us.ibm.com> (raw)
In-Reply-To: <20100312205537.GA1091@us.ibm.com>

CAP_SYSLOG is (hopefully) being split out from CAP_SYS_ADMIN.  This
patch adds capability2:syslog to the access vectors, and adds the
perm to a few domains which look like they'll need it.

This patch is just advisory right now - please do not apply until/unless
the corresponding kernel patch is accepted :)

Signed-off-by: Serge E. Hallyn <serue@us.ibm.com>
Cc: refpolicy at oss.tresys.com
Cc: "Christopher J. PeBenito" <cpebenito@tresys.com>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
---
 policy/flask/access_vectors      |    1 +
 policy/modules/admin/dmesg.te    |    1 +
 policy/modules/system/init.te    |    2 ++
 policy/modules/system/logging.te |    2 ++
 4 files changed, 6 insertions(+), 0 deletions(-)

diff --git a/policy/flask/access_vectors b/policy/flask/access_vectors
index 6760c95..6e7af2c 100644
--- a/policy/flask/access_vectors
+++ b/policy/flask/access_vectors
@@ -428,6 +428,7 @@ class capability2
 {
 	mac_override	# unused by SELinux
 	mac_admin	# unused by SELinux
+	syslog		# used to be part of sys_admin
 }
 
 #
diff --git a/policy/modules/admin/dmesg.te b/policy/modules/admin/dmesg.te
index 36033f7..edc6aa6 100644
--- a/policy/modules/admin/dmesg.te
+++ b/policy/modules/admin/dmesg.te
@@ -16,6 +16,7 @@ init_system_domain(dmesg_t, dmesg_exec_t)
 #
 
 allow dmesg_t self:capability sys_admin;
+allow dmesg_t self:capability2 syslog;
 dontaudit dmesg_t self:capability sys_tty_config;
 
 allow dmesg_t self:process signal_perms;
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 6f5dc89..f9ae18e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -203,6 +203,7 @@ optional_policy(`
 
 allow initrc_t self:process { getpgid setsched setpgid setrlimit getsched };
 allow initrc_t self:capability ~{ sys_admin sys_module };
+allow initrc_t self:capability2 syslog;
 dontaudit initrc_t self:capability sys_module; # sysctl is triggering this
 allow initrc_t self:passwd rootok;
 
@@ -445,6 +446,7 @@ ifdef(`distro_gentoo',`
 ifdef(`distro_redhat',`
 	# this is from kmodule, which should get its own policy:
 	allow initrc_t self:capability sys_admin;
+	allow initrc_t self:capability2 syslog;
 
 	allow initrc_t self:process setfscreate;
 
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index f6ba06c..7eb6bd8 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -268,6 +268,7 @@ sysnet_dns_name_resolve(audisp_remote_t)
 #
 
 allow klogd_t self:capability sys_admin;
+allow klogd_t self:capability2 syslog;
 dontaudit klogd_t self:capability { sys_resource sys_tty_config };
 allow klogd_t self:process signal_perms;
 
@@ -330,6 +331,7 @@ optional_policy(`
 # sys_admin for the integrated klog of syslog-ng and metalog
 # cjp: why net_admin!
 allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid };
+allow syslogd_t self:capability2 syslog;
 dontaudit syslogd_t self:capability sys_tty_config;
 # setpgid for metalog
 # setrlimit for syslog-ng
-- 
1.6.0.6
