| Commit message | Author | Age | Files | Lines |

On gentoo, starting rsyslog gives this:
allow syslogd_t var_t:dir { add_name remove_name };
allow syslogd_t var_t:sock_file { create setattr unlink };
This is due to the following piece of code in configuration:
"""
Create an additional socket for the default chroot location
(used by net-misc/openssh[hpn], see https://bugs.gentoo.org/490744)
input(type="imuxsock" Socket="/var/empty/dev/log")
"""
So let's add the correct label for this file.
Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
Signed-off-by: Kenton Groombridge <concord@gentoo.org>

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>

Looking at all audit versions in gentoo (2.8.5 to 2.6.4), every single one of them has `var/log/audit` as a directory and not as a file.
Tested on gentoo.
Signed-off-by: Jason Zaman <perfinion@gentoo.org>

Signed-off-by: Chris PeBenito <pebenito@ieee.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>

In a pattern, a dot can match any character, including a slash. It makes
sense when it is combined with ?, + or *, but makes little sense when
left alone.
Most of the time, the label was for a file containing dots, where the dot
was not escaped. A few times, the dot was really intended to match any
character. In such cases, [^/] better suits the intent.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Jason Zaman <perfinion@gentoo.org>
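The commit above is about bare dots in file-context regexes. The checker below is an added example, not part of this commit or of the refpolicy tree: it scans constructed sample file_contexts lines (not the real logging.fc) for a `.` that is neither escaped, inside a character class, nor followed by a quantifier, and then shows, with the `^...$` anchoring that libselinux applies to each file-context pattern, which paths such a dot lets through. The sample lines, sample paths and function names are all constructed for this example.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample file_contexts lines for the example (not the real
# logging.fc).  Columns: regex, optional file type (--, -d, -s, ...), context.
SAMPLE_FC = """\
/etc/syslog.conf            --  gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog\\.conf           --  gen_context(system_u:object_r:syslog_conf_t,s0)
/var/log/cron.*                 gen_context(system_u:object_r:cron_log_t,s0)
/var/log/syslog-ng.ctl      -s  gen_context(system_u:object_r:devlog_t,s0)
/etc/rsyslog\\.d(/.*)?            gen_context(system_u:object_r:syslog_conf_t,s0)
/var/log/cron[^/]*              gen_context(system_u:object_r:var_log_t,s0)
"""

# Constructed paths used to show what a bare dot matches.
SAMPLE_PATHS = ["/etc/syslog.conf", "/etc/syslogXconf", "/etc/syslog/conf"]

QUANTIFIERS = set("*+?{")


def unescaped_dots(pattern: str) -> List[int]:
    """Indexes of '.' in `pattern` that are not escaped, not inside a
    character class and not followed by a quantifier.  Such a dot almost
    always meant a literal dot in a file name and should be written '\\.'.
    (A ']' directly after '[' or '[^' is treated as closing the class; the
    sample patterns do not use that corner of the syntax.)"""
    hits = []
    i, in_class = 0, False
    while i < len(pattern):
        c = pattern[i]
        if c == "\\":
            i += 2            # skip the escaped character
            continue
        if in_class:
            in_class = c != "]"
        elif c == "[":
            in_class = True
        elif c == ".":
            nxt = pattern[i + 1] if i + 1 < len(pattern) else ""
            if nxt not in QUANTIFIERS:
                hits.append(i)
        i += 1
    return hits


def parse_fc_line(line: str) -> Tuple[str, Optional[str], str]:
    """Split a file_contexts line into (regex, file type or None, context)."""
    fields = line.split()
    if len(fields) == 3:
        return fields[0], fields[1], fields[2]
    if len(fields) == 2:
        return fields[0], None, fields[1]
    raise ValueError(f"malformed file_contexts line: {line!r}")


def lint_fc(text: str) -> List[Tuple[int, str]]:
    """(line number, regex) for every non-comment line with a bare dot."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        regex, _, _ = parse_fc_line(line)
        if unescaped_dots(regex):
            findings.append((lineno, regex))
    return findings


def matching_paths(regex: str, paths: List[str]) -> List[str]:
    """Paths matched by `regex` anchored the way libselinux anchors
    file-context patterns (^regex$), so the whole path must match."""
    compiled = re.compile("^" + regex + "$")
    return [p for p in paths if compiled.match(p)]


if __name__ == "__main__":
    for lineno, regex in lint_fc(SAMPLE_FC):
        print(f"line {lineno}: bare '.' in {regex}")
    for regex in ("/etc/syslog.conf", "/etc/syslog\\.conf", "/etc/syslog[^/]conf"):
        print(f"{regex:22} matches {matching_paths(regex, SAMPLE_PATHS)}")
```

On the constructed input the checker flags lines 1 and 4; `/etc/syslog.conf` as written matches `/etc/syslogXconf` and even `/etc/syslog/conf`, while `/etc/syslog\.conf` matches only the intended file and `/etc/syslog[^/]conf` matches any single character except a slash, which is the spelling the commit recommends when the dot really was meant as a wildcard. A dot followed by a quantifier (`cron.*`) passes the check because it is deliberate, even though it still crosses directory boundaries.
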
journald already runs as syslogd_t; label the config files similarly to
allow editing by domains that can edit syslog configuration files.
Also added some missing '\' before dots in filenames.
Signed-off-by: Dave Sugar <dsugar@tresys.com>
Signed-off-by: Jason Zaman <jason@perfinion.com>

The type var_log_t is actually declared in logging.te.
Moved the file contexts to label dmesg and syslog files with the
var_log_t type from authlogin.fc to logging.fc.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>

This is a minor update of the last attempt at this patch.
Changes in .fc to label /etc/rsyslog.d(/.*)? as syslog_conf_t so all rsyslog config files are labeled syslog_conf_t (not just /etc/r?syslog.conf). Update .te file to allow rsyslog to read the directory now labeled syslog_conf_t (files of this type were already readable). Final (and new) change is in logging_admin_syslog interface so files_etc_filetrans now includes the optional filename so /etc/r?syslog.conf would be labeled correctly when created in etc_t.
The overall goal of this patch is that a domain using the logging_admin_syslog is able to create/edit files in /etc/rsyslog.d and they get created as syslog_conf_t AND other files created in /etc (or other etc_t labeled directory) don't get created with the syslog_conf_t type as they are not necessarily syslog configuration files.
Dave Sugar
dsugar@tresys.com
Signed-off-by: Dave Sugar <dsugar@tresys.com>

On systems such as Arch Linux, all programs which are usually located in
/bin, /sbin, /usr/bin and /usr/sbin are present in /usr/bin and the
other locations are symbolic links to this directory. With such a
configuration, the file contexts which define types for files in
/bin, /sbin and /usr/sbin need to be duplicated to provide definitions
for /usr/bin/...
As the "/bin vs. /usr/bin" part of the needed definitions has already
been done with the "usr merge" patches, the next step consists in
duplicating file contexts for /usr/sbin. This is what this patch does
for all modules which are not in contrib.
This is the second iteration of an idea I have previously posted on
http://oss.tresys.com/pipermail/refpolicy/2017-March/009176.html

Some policy modules define file contexts in /bin, /sbin and /lib without
defining similar file contexts in the same directory under /usr.
Add these missing file contexts when they are outside ifdef blocks.

Remove file context aliases and update file context paths to use the /run filesystem path.
Add a backward compatibility file context alias for /var/run for applications still using it, like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321
Lock files are still seated at /var/lock

Only for services that already have a named init script.
Add rules to init_startstop_service(), with conditional arg until
all of refpolicy-contrib callers are updated.

Gentoo uses syslog-ng.ctl and others, so generalize the pattern.

The /var/log/cron[^/]* line in the context definition takes higher precedence
than the /var/log/cron.* line in the cron.fc file. As a result, when
/var/log/cron.log is created it gets relabeled to var_log_t instead of staying
with the cron_log_t type it should be.
Removing the line so that the definitions in cron.log are used.

The /var/cfengine/output location will be labeled in the forthcoming
cfengine policy module that will be ported from Fedora
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>

Syslog-ng already holds a filetrans when it writes files in the var_lib_t
resources, causing the files to be labeled syslogd_var_lib_t.
One of these files is the /var/lib/misc/syslog-ng.persist file. However, because
no file context was defined for this file, a system-wide relabeling caused it to
be turned back into var_lib_t.
This fixes the context back to syslogd_var_lib_t.