SELinux-Refpolicy Archive on lore.kernel.org
* [PATCH] Add interface clamav_run
From: Sugar, David @ 2019-01-19 16:19 UTC
  To: selinux-refpolicy

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/services/clamav.if | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
index 7b6df49e..3639d769 100644
--- a/policy/modules/services/clamav.if
+++ b/policy/modules/services/clamav.if
@@ -19,6 +19,32 @@ interface(`clamav_domtrans',`
 	domtrans_pattern($1, clamd_exec_t, clamd_t)
 ')
 
+########################################
+## <summary>
+##	Execute clamd programs in the clamd
+##	domain and allow the specified role
+##	the clamd domain.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed to transition.
+##	</summary>
+## </param>
+## <param name="role">
+##	<summary>
+##	Role allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_run',`
+	gen_require(`
+		type clamd_t;
+	')
+
+	clamav_domtrans($1)
+	role $2 types clamd_t;
+')
+
 ########################################
 ## <summary>
 ##	Connect to clamd using a unix
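Review bot: the doc header of clamav_run is missing the `## <rolecap/>` tag that refpolicy places on role-granting `_run` interfaces, so the generated interface documentation and tooling that looks for role-capable interfaces will not identify this one as usable from a role. Add a line `## <rolecap/>` between the closing `## </param>` of the role parameter and the `#` line that precedes `interface(`clamav_run',`.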
-- 
2.20.1



* [PATCH] Add interface to read journal files
From: Sugar, David @ 2019-01-19 16:19 UTC
  To: selinux-refpolicy

When using 'systemctl status <service>' it will show recent
log entries for the selected service.  These recent log
entries are coming from the journal.  These rules allow the
reading of the journal files.

type=AVC msg=audit(1547760159.435:864): avc:  denied  { read } for  pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:864): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
type=AVC msg=audit(1547760159.435:865): avc:  denied  { getattr } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { read } for  pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.435:866): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
type=AVC msg=audit(1547760159.436:867): avc:  denied  { map } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1

Signed-off-by: Dave Sugar <dsugar@tresys.com>
---
 policy/modules/system/systemd.if | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 740b3a92..c6d40b10 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -409,6 +409,24 @@ interface(`systemd_manage_journal_files',`
 	allow $1 systemd_journal_t:file map;
 ')
 
+########################################
+## <summary>
+##      Allow domain to read systemd_journal_t files
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`systemd_read_journal_files',`
+	gen_require(`
+		type systemd_journal_t;
+	')
+
+	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
+	mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t)
+')
 
 ########################################
 ## <summary>
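Review bot: the new interface grants the systemd_journal_t directory and file permissions, but nothing on the parent /var/log directory, so a caller that does not already have search on the log directory still cannot reach /var/log/journal; the denials quoted in the message show none on /var/log itself only because monitor_t evidently already had that access. Consider adding `logging_search_logs($1)` ahead of `list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)` so the interface is self-sufficient for any caller.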
-- 
2.20.1

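The commit message above turns six AVC denials into two refpolicy pattern macros by hand. The script below, added here as an illustration and not part of the thread or of refpolicy, does that step mechanically: it parses AVC lines, collects the denied permissions per (source type, target type, object class), and picks the least privileged of a few refpolicy pattern macros whose permission set covers them, falling back to a raw allow rule for anything it does not know. The sample lines are the six from the message; the PATTERNS table is an assumption that lists only the permissions relevant here, not the full macro definitions, and using the target type as both the directory and file argument of a pattern is the same simplification the patch makes for systemd_journal_t.

```python
"""Turn SELinux AVC denials into refpolicy-style rules.

Added example for this thread; not refpolicy code.  SAMPLE_AVCS holds the
six denials quoted in the commit message.  PATTERNS is an assumption: it
lists the permissions behind a handful of refpolicy pattern macros only as
far as needed here, not the complete macro definitions.
"""
import re
from collections import defaultdict

# The six denials quoted in the commit message (copied from the message).
SAMPLE_AVCS = [
    'type=AVC msg=audit(1547760159.435:864): avc:  denied  { read } for  pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1547760159.435:864): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1',
    'type=AVC msg=audit(1547760159.435:865): avc:  denied  { getattr } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1547760159.435:866): avc:  denied  { read } for  pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1547760159.435:866): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1',
    'type=AVC msg=audit(1547760159.436:867): avc:  denied  { map } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1',
]

# One AVC denial: the permission set in braces, then the two contexts and
# the object class further along the same line.
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"\bscontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Type field of a user:role:type[:range] security context."""
    return ctx.split(":")[2]


def summarise(lines):
    """Group denied permissions by (source type, target type, object class)."""
    perms = defaultdict(set)
    for line in lines:
        m = AVC_RE.search(line)
        if m is None:  # not an AVC denial line; skip it
            continue
        key = (context_type(m["scon"]), context_type(m["tcon"]), m["tclass"])
        perms[key].update(m["perms"].split())
    return dict(perms)


# Assumed subsets of refpolicy permission sets, least privileged first:
# dir  -> search_dir_perms, list_dir_perms
# file -> read_file_perms, mmap_read_file_perms
PATTERNS = {
    "dir": [
        ("search_dirs_pattern", {"getattr", "search", "open"}),
        ("list_dirs_pattern", {"getattr", "search", "open", "read", "lock", "ioctl"}),
    ],
    "file": [
        ("read_files_pattern", {"getattr", "open", "read", "lock", "ioctl"}),
        ("mmap_read_files_pattern", {"getattr", "open", "read", "lock", "ioctl", "map"}),
    ],
}


def suggest(summary):
    """One rule per (src, tgt, class): the least privileged known pattern
    macro covering the denied permissions, else a raw allow rule.

    Pattern macros take (domain, directory type, file type).  The AVC does
    not name the containing directory's type, so the target type is used
    for both, as the patch does for systemd_journal_t (an assumption)."""
    rules = []
    for (src, tgt, tclass), denied in sorted(summary.items()):
        for macro, granted in PATTERNS.get(tclass, []):
            if denied <= granted:
                rules.append(f"{macro}({src}, {tgt}, {tgt})")
                break
        else:  # no known macro for this class, or none covers the set
            rules.append(f"allow {src} {tgt}:{tclass} {{ {' '.join(sorted(denied))} }};")
    return rules


if __name__ == "__main__":
    for rule in suggest(summarise(SAMPLE_AVCS)):
        print(rule)
```

Run on the six lines it yields exactly the two macros the patch uses, `list_dirs_pattern(monitor_t, systemd_journal_t, systemd_journal_t)` and `mmap_read_files_pattern(monitor_t, systemd_journal_t, systemd_journal_t)`; the interface in the patch then substitutes `$1` for the concrete source domain so any caller can reuse it.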


* Re: [PATCH] Add interface clamav_run
From: Chris PeBenito @ 2019-01-20 21:34 UTC
  To: Sugar, David, selinux-refpolicy

On 1/19/19 11:19 AM, Sugar, David wrote:
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/services/clamav.if | 26 ++++++++++++++++++++++++++
>   1 file changed, 26 insertions(+)
> 
> diff --git a/policy/modules/services/clamav.if b/policy/modules/services/clamav.if
> index 7b6df49e..3639d769 100644
> --- a/policy/modules/services/clamav.if
> +++ b/policy/modules/services/clamav.if
> @@ -19,6 +19,32 @@ interface(`clamav_domtrans',`
>   	domtrans_pattern($1, clamd_exec_t, clamd_t)
>   ')
>   
> +########################################
> +## <summary>
> +##	Execute clamd programs in the clamd
> +##	domain and allow the specified role
> +##	the clamd domain.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed to transition.
> +##	</summary>
> +## </param>
> +## <param name="role">
> +##	<summary>
> +##	Role allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`clamav_run',`
> +	gen_require(`
> +		type clamd_t;
> +	')
> +
> +	clamav_domtrans($1)
> +	role $2 types clamd_t;
> +')
> +
>   ########################################
>   ## <summary>
>   ##	Connect to clamd using a unix
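Review bot: `role $2 types clamd_t;` together with `clamav_domtrans($1)` lets any process in role $2 that executes a clamd_exec_t binary run in the clamd daemon domain with everything clamd_t is allowed, and the commit message body is empty, so it does not say which role needs this or why an interactive invocation of the daemon is wanted. A short rationale in the commit message would help a reviewer judge whether a full daemon-domain transition is the right grant for a login role.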

Merged.

-- 
Chris PeBenito


* Re: [PATCH] Add interface to read journal files
From: Chris PeBenito @ 2019-01-20 21:34 UTC
  To: Sugar, David, selinux-refpolicy

On 1/19/19 11:19 AM, Sugar, David wrote:
> When using 'systemctl status <service>' it will show recent
> log entries for the selected service.  These recent log
> entries are coming from the journal.  These rules allow the
> reading of the journal files.
> 
> type=AVC msg=audit(1547760159.435:864): avc:  denied  { read } for  pid=8823 comm="systemctl" name="journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1547760159.435:864): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal" dev="dm-14" ino=112 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=dir permissive=1
> type=AVC msg=audit(1547760159.435:865): avc:  denied  { getattr } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1547760159.435:866): avc:  denied  { read } for  pid=8823 comm="systemctl" name="system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1547760159.435:866): avc:  denied  { open } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
> type=AVC msg=audit(1547760159.436:867): avc:  denied  { map } for  pid=8823 comm="systemctl" path="/var/log/journal/21cf24d493e746a9847730f8476e1dba/system.journal" dev="dm-14" ino=8388707 scontext=staff_u:staff_r:monitor_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_journal_t:s0 tclass=file permissive=1
> 
> Signed-off-by: Dave Sugar <dsugar@tresys.com>
> ---
>   policy/modules/system/systemd.if | 18 ++++++++++++++++++
>   1 file changed, 18 insertions(+)
> 
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 740b3a92..c6d40b10 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -409,6 +409,24 @@ interface(`systemd_manage_journal_files',`
>   	allow $1 systemd_journal_t:file map;
>   ')
>   
> +########################################
> +## <summary>
> +##      Allow domain to read systemd_journal_t files
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`systemd_read_journal_files',`
> +	gen_require(`
> +		type systemd_journal_t;
> +	')
> +
> +	list_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
> +	mmap_read_files_pattern($1, systemd_journal_t, systemd_journal_t)
> +')
>   
>   ########################################
>   ## <summary>
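Review bot: style, the doc comment lines `##      Allow domain to read systemd_journal_t files`, `##      <summary>` and `##      Domain allowed access.` use runs of spaces after `##`, while the surrounding interfaces in this file (and the clamav_run hunk in the sibling patch) use a tab; refpolicy doc headers are tab-indented, so these lines should use `##` followed by a tab before merging to keep the file consistent.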

Merged.

-- 
Chris PeBenito
