authorChris PeBenito <pebenito@ieee.org>2017-04-18 21:06:48 -0400
committerJason Zaman <jason@perfinion.com>2017-04-30 22:17:44 +0800
commit2a45b491602c974a5bf42f37fa1dcee7cac8492a (patch)
treeed30e25166f5b2c28b56c68528e47b97791dee94
parentmisc daemons from Russell Coker. (diff)
logging patches from Russell Coker
Patches for logrotate, webalizer, sysstat, and logwatch.
-rw-r--r--policy/modules/contrib/logrotate.te6
-rw-r--r--policy/modules/contrib/logwatch.te7
-rw-r--r--policy/modules/contrib/sysstat.te9
-rw-r--r--policy/modules/contrib/webalizer.te8
4 files changed, 24 insertions, 6 deletions
diff --git a/policy/modules/contrib/logrotate.te b/policy/modules/contrib/logrotate.te
index ec338fb68..1c63e097e 100644
--- a/policy/modules/contrib/logrotate.te
+++ b/policy/modules/contrib/logrotate.te
@@ -1,4 +1,4 @@
-policy_module(logrotate, 1.18.2)
+policy_module(logrotate, 1.18.3)
########################################
#
@@ -89,6 +89,7 @@ files_dontaudit_list_mnt(logrotate_t)
fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
fs_list_inotifyfs(logrotate_t)
+fs_getattr_tmpfs(logrotate_t)
mls_file_read_all_levels(logrotate_t)
mls_file_write_all_levels(logrotate_t)
@@ -102,8 +103,10 @@ auth_manage_login_records(logrotate_t)
auth_use_nsswitch(logrotate_t)
init_all_labeled_script_domtrans(logrotate_t)
+init_startstop_all_script_services(logrotate_t)
init_get_generic_units_status(logrotate_t)
init_get_all_units_status(logrotate_t)
+init_get_system_status(logrotate_t)
init_dbus_chat(logrotate_t)
init_stream_connect(logrotate_t)
init_manage_all_units(logrotate_t)
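Review bot: `init_startstop_all_script_services(logrotate_t)` extends service start/stop to every init script, with no comment saying which rotation step needs it. The surrounding lines already give logrotate_t `init_all_labeled_script_domtrans` and `init_manage_all_units`, so the domain ends up able to control essentially every service. A one-line comment such as `# postrotate scripts restart daemons through their init scripts` would record the reason, assuming that is the use case. If only a few daemons are restarted this way, per-service interfaces inside `optional_policy` blocks would keep the grant narrower.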
@@ -218,6 +221,7 @@ optional_policy(`
optional_policy(`
mysql_read_config(logrotate_t)
mysql_stream_connect(logrotate_t)
+ mysql_signal(logrotate_t)
')
optional_policy(`
diff --git a/policy/modules/contrib/logwatch.te b/policy/modules/contrib/logwatch.te
index 24f1c17b8..d2b54207b 100644
--- a/policy/modules/contrib/logwatch.te
+++ b/policy/modules/contrib/logwatch.te
@@ -1,4 +1,4 @@
-policy_module(logwatch, 1.14.0)
+policy_module(logwatch, 1.14.1)
#################################
#
@@ -160,6 +160,10 @@ optional_policy(`
')
optional_policy(`
+ raid_domtrans_mdadm(logwatch_t)
+')
+
+optional_policy(`
rpc_search_nfs_state_data(logwatch_t)
')
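Review bot: `raid_domtrans_mdadm(logwatch_t)` lets a log-reporting job start mdadm in mdadm's own domain, with whatever device access the raid module grants it, and the block has no comment explaining the need. If logwatch only queries array status, say so above the call, e.g. `# logwatch runs mdadm to report array state`. It is also worth checking whether read access to the status files would be enough instead of a transition. The raid module is not visible here, so the size of the grant is inferred from the interface name.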
@@ -189,4 +193,5 @@ logging_read_all_logs(logwatch_mail_t)
optional_policy(`
cron_use_system_job_fds(logwatch_mail_t)
+ cron_rw_system_job_pipes(logwatch_mail_t)
')
diff --git a/policy/modules/contrib/sysstat.te b/policy/modules/contrib/sysstat.te
index ac249ac0d..deca783e9 100644
--- a/policy/modules/contrib/sysstat.te
+++ b/policy/modules/contrib/sysstat.te
@@ -1,4 +1,4 @@
-policy_module(sysstat, 1.9.0)
+policy_module(sysstat, 1.9.1)
########################################
#
@@ -24,8 +24,7 @@ allow sysstat_t self:capability { dac_override sys_admin sys_resource sys_tty_co
allow sysstat_t self:fifo_file rw_fifo_file_perms;
manage_dirs_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
-append_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
-create_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
+manage_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
setattr_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)
manage_lnk_files_pattern(sysstat_t,sysstat_log_t,sysstat_log_t)
logging_log_filetrans(sysstat_t, sysstat_log_t, { file dir })
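Review bot: Replacing the append/create pair with `manage_files_pattern` lets sysstat_t overwrite, rename and unlink its own logs, so the append-only property those two lines gave is lost. The `setattr_files_pattern` line kept below it is now redundant, since manage already includes setattr. If the denial being fixed was only removal of old data files, adding `delete_files_pattern(sysstat_t, sysstat_log_t, sysstat_log_t)` next to the original two lines would be a narrower fix. Otherwise drop the redundant setattr line and add a short comment naming what needs write access.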
@@ -39,12 +38,15 @@ kernel_read_fs_sysctls(sysstat_t)
kernel_read_rpc_sysctls(sysstat_t)
corecmd_exec_bin(sysstat_t)
+corecmd_exec_shell(sysstat_t)
dev_read_sysfs(sysstat_t)
+dev_getattr_sysfs(sysstat_t)
dev_read_urand(sysstat_t)
files_search_var(sysstat_t)
files_read_etc_runtime_files(sysstat_t)
+files_search_all_mountpoints(sysstat_t)
fs_getattr_xattr_fs(sysstat_t)
fs_list_inotifyfs(sysstat_t)
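Review bot: `corecmd_exec_shell(sysstat_t)` lets a shell run inside sysstat_t without a domain transition, and the `allow sysstat_t self:capability` line quoted in the previous hunk header shows that domain holds `dac_override` and `sys_admin`. A comment naming the caller, for example `# sa1 and sa2 are shell scripts`, would make the grant reviewable; that reason is an assumption, not something the hunk shows. `files_search_all_mountpoints(sysstat_t)` is similarly broad and would benefit from the same kind of one-line justification.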
@@ -66,6 +68,7 @@ userdom_dontaudit_list_user_home_dirs(sysstat_t)
optional_policy(`
cron_system_entry(sysstat_t, sysstat_exec_t)
+ cron_rw_tmp_files(sysstat_t)
')
ifdef(`distro_gentoo',`
diff --git a/policy/modules/contrib/webalizer.te b/policy/modules/contrib/webalizer.te
index 06f9d332b..9ea1bdad8 100644
--- a/policy/modules/contrib/webalizer.te
+++ b/policy/modules/contrib/webalizer.te
@@ -1,4 +1,4 @@
-policy_module(webalizer, 1.14.0)
+policy_module(webalizer, 1.14.1)
########################################
#
@@ -16,6 +16,9 @@ role webalizer_roles types webalizer_t;
type webalizer_etc_t;
files_config_file(webalizer_etc_t)
+type webalizer_log_t;
+logging_log_file(webalizer_log_t)
+
type webalizer_tmp_t;
files_tmp_file(webalizer_tmp_t)
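Review bot: Nothing in this commit gives any file the new `webalizer_log_t` label. The diffstat lists only `.te` files, so there is no file-context entry, and the `manage_dirs_pattern`/`manage_files_pattern` rules added in the next hunk come without a type transition. The tmp type next to them has `files_tmp_filetrans`; the log type needs the equivalent, `logging_log_filetrans(webalizer_t, webalizer_log_t, { file dir })`, plus a file-context entry for webalizer's log directory. Unless labelling is handled elsewhere, files webalizer creates under the log directory would keep the generic log label and the new rules would not apply to them.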
@@ -37,6 +40,9 @@ allow webalizer_t self:tcp_socket { accept listen };
allow webalizer_t webalizer_etc_t:file read_file_perms;
+manage_dirs_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+manage_files_pattern(webalizer_t, webalizer_log_t, webalizer_log_t)
+
manage_dirs_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
manage_files_pattern(webalizer_t, webalizer_tmp_t, webalizer_tmp_t)
files_tmp_filetrans(webalizer_t, webalizer_tmp_t, { file dir })