* [refpolicy] [PATCH 0/3] Interfaces and small change to ifconfig_t
From: Sven Vermeulen @ 2012-10-19 18:51 UTC
To: refpolicy
This set is to support changes on the contrib module (which will be sent out
later), mainly introducing two interfaces needed by fail2ban-client (fail2ban
module) and adding the sys_admin capability to ifconfig_t for flushing routing
cache.
Sven Vermeulen (3):
Introduce logging_getattr_all_logs interface
Introduce logging_search_all_log_dirs interface
Support flushing routing cache
policy/modules/system/logging.if | 39 ++++++++++++++++++++++++++++++++++-
policy/modules/system/sysnetwork.te | 2 +-
2 files changed, 39 insertions(+), 2 deletions(-)
--
1.7.8.6
* [refpolicy] [PATCH 1/3] Introduce logging_getattr_all_logs interface
From: Sven Vermeulen @ 2012-10-19 18:51 UTC
To: refpolicy
Support the logging_getattr_all_logs interface, which will be used by
applications responsible for reviewing the state of log files (without needing
to read them), such as the fail2ban-client application.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/logging.if | 20 +++++++++++++++++++-
1 files changed, 19 insertions(+), 1 deletions(-)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 321bb13..be20dca 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -705,7 +705,7 @@ interface(`logging_setattr_all_log_dirs',`
########################################
## <summary>
-## Do not audit attempts to get the atttributes
+## Do not audit attempts to get the attributes
## of any log files.
## </summary>
## <param name="domain">
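Review bot: the "atttributes" spelling fix in the logging_dontaudit_getattr_all_logs description is unrelated to the interface this patch introduces; either mention it in the commit message or split it into its own one-line patch so the history records why the existing interface's text changed.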
@@ -724,6 +724,24 @@ interface(`logging_dontaudit_getattr_all_logs',`
########################################
## <summary>
+## Read the atttributes of any log file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access
+## </summary>
+## </param>
+#
+interface(`logging_getattr_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:file getattr;
+')
+
+########################################
+## <summary>
## Append to all log files.
## </summary>
## <param name="domain">
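Review bot: the summary line `+## Read the atttributes of any log file` reintroduces the exact typo the previous hunk fixes, and the body grants getattr rather than read, so `## Get the attributes of any log file.` (with the trailing period the neighbouring summaries use) would describe `allow $1 logfile:file getattr;` accurately. Also worth stating in the description: getattr on a file is only reachable once the caller can search the directories leading to it, so a domain using this interface still needs directory search on the log tree (which is what the companion logging_search_all_log_dirs patch in this series supplies); saying so saves callers an unexpected denial.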
--
1.7.8.6
* [refpolicy] [PATCH 2/3] Introduce logging_search_all_log_dirs interface
From: Sven Vermeulen @ 2012-10-19 18:51 UTC
To: refpolicy
Support the logging_search_all_log_dirs interface for applications such as
fail2ban-client, which scan through log directories.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/logging.if | 19 +++++++++++++++++++
1 files changed, 19 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index be20dca..6957993 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -686,6 +686,25 @@ interface(`logging_rw_generic_log_dirs',`
#######################################
## <summary>
+## Search through all log dirs.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_search_all_log_dirs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ allow $1 logfile:dir search_dir_perms;
+')
+
+#######################################
+## <summary>
## Set attributes on all log dirs.
## </summary>
## <param name="domain">
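Review bot: the `+## <rolecap/>` tag does not belong on this interface: in refpolicy that marker flags interfaces that hand a capability to user roles, whereas this one only grants `logfile:dir search_dir_perms` to a domain, and the sibling getattr interface added in 1/3 carries no such tag. Drop the line so the interface is documented like the logging_setattr_all_log_dirs entry it is placed in front of. The rest of the hunk is consistent: the name, the "Search through all log dirs." summary and the permission set all say the same thing.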
--
1.7.8.6
* [refpolicy] [PATCH 3/3] Support flushing routing cache
From: Sven Vermeulen @ 2012-10-19 18:51 UTC
To: refpolicy
To flush the routing cache, ifconfig_t (through the "ip" command) requires
the sys_admin capability. If not:
~# ip route flush cache
Cannot flush routing cache
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/sysnetwork.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index d11e7c5..b2bf762 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -243,7 +243,7 @@ optional_policy(`
# Ifconfig local policy
#
-allow ifconfig_t self:capability { net_raw net_admin sys_tty_config };
+allow ifconfig_t self:capability { net_raw net_admin sys_admin sys_tty_config };
allow ifconfig_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow ifconfig_t self:fd use;
allow ifconfig_t self:fifo_file rw_fifo_file_perms;
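Review bot: `sys_admin` is by far the broadest capability in `{ net_raw net_admin sys_admin sys_tty_config }` and covers far more than flushing the routing cache, so the added rule should at least carry an in-line comment tying it to `ip route flush cache`; as written, nothing in the "Ifconfig local policy" block tells a later reader why ifconfig_t holds it, and it cannot be tightened again without that record. The commit message quotes only the tool's "Cannot flush routing cache" output, not the denial itself; please include the AVC audit record so the review can confirm that `capability { sys_admin }` is the permission actually refused rather than, for example, a write to the proc sysctl file behind the flush.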
--
1.7.8.6
* [refpolicy] [PATCH 0/3] Interfaces and small change to ifconfig_t
From: Christopher J. PeBenito @ 2012-10-30 17:40 UTC
To: refpolicy
On 10/19/12 14:51, Sven Vermeulen wrote:
> This set is to support changes on the contrib module (which will be sent out
> later), mainly introducing two interfaces needed by fail2ban-client (fail2ban
> module) and adding the sys_admin capability to ifconfig_t for flushing routing
> cache.
>
> Sven Vermeulen (3):
> Introduce logging_getattr_all_logs interface
> Introduce logging_search_all_log_dirs interface
> Support flushing routing cache
>
> policy/modules/system/logging.if | 39 ++++++++++++++++++++++++++++++++++-
> policy/modules/system/sysnetwork.te | 2 +-
> 2 files changed, 39 insertions(+), 2 deletions(-)
This set merged. I renamed the second interface.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com