Commit message | Author | Age | Files | Lines
* rsyslog: add label for /var/empty/dev/log | Corentin LABBE | 2023-02-13 | 1 | -0/+4
| On gentoo, starting rsyslog gives this:
| allow syslogd_t var_t:dir { add_name remove_name };
| allow syslogd_t var_t:sock_file { create setattr unlink };
|
| This is due to the following piece of code in configuration:
| """
| Create an additional socket for the default chroot location
| (used by net-misc/openssh[hpn], see https://bugs.gentoo.org/490744)
| input(type="imuxsock" Socket="/var/empty/dev/log")
| """
|
| So let's add correct label for this file
|
| Signed-off-by: Corentin LABBE <clabbe.montjoie@gmail.com>
| Signed-off-by: Kenton Groombridge <concord@gentoo.org>
* files/logging: move var_run_t filecontext to defining module | Christian Göttsche | 2020-08-09 | 1 | -1/+0
| Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
| Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Remove obsolete gentoo specific rule | Vilgot Fredenberg | 2020-02-15 | 1 | -4/+0
| Looking at all audit versions in gentoo (2.8.5 to 2.6.4) every single
| one of them has `var/log/audit` as a directory and not as a file.
|
| Tested on gentoo.
|
| Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Rename *_var_run_t types to *_runtime_t. | Chris PeBenito | 2019-12-16 | 1 | -13/+13
| Signed-off-by: Chris PeBenito <pebenito@ieee.org>
| Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* Remove unescaped single dot from the policy | Nicolas Iooss | 2019-12-16 | 1 | -3/+3
| In a pattern, a dot can match any character, including slash. It makes
| sense when it is combined with ?, + or *, but makes little sense when
| left alone.
|
| Most of the time, the label was for file containing dots, where the dot
| was not escaped. A few times, the dot was really intended to match any
| character. In such case, [^/] better suits the intent.
|
| Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
| Signed-off-by: Jason Zaman <perfinion@gentoo.org>
* label journald configuration files syslog_conf_t | Sugar, David | 2019-02-10 | 1 | -6/+8
| journald already runs as syslogd_t; label the config files similarly to
| allow editing by domains that can edit syslog configuration files.
|
| Also added some missing '\' before dot in filenames.
|
| Signed-off-by: Dave Sugar <dsugar@tresys.com>
| Signed-off-by: Jason Zaman <jason@perfinion.com>
* Move the use of var_log_t from authlogin.fc to logging.fc | James Carter | 2018-04-22 | 1 | -0/+2
| The type var_log_t is actually declared in logging.te.
|
| Moved the file contexts to label dmesg and syslog files with the
| var_log_t type from authlogin.fc to logging.fc.
|
| Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
* Label /etc/rsyslog.d as syslog_conf_t | David Sugar | 2017-09-14 | 1 | -0/+1
| This is a minor update of the last attempt at this patch.
|
| Changes in .fc to label /etc/rsyslog.d(/.*)? as syslog_conf_t so all
| rsyslog config files are labeled syslog_conf_t (not just
| /etc/r?syslog.conf).
|
| Update .te file to allow rsyslog to read the directory now labeled
| syslog_conf_t (files of this type were already readable).
|
| Final (and new) change is in logging_admin_syslog interface so
| files_etc_filetrans now includes the optional filename so
| /etc/r?syslog.conf would be labeled correctly when created in etc_t.
|
| The overall goal of this patch is that a domain using the
| logging_admin_syslog is able to create/edit files in /etc/rsyslog.d and
| they get created as syslog_conf_t AND other files created in /etc (or
| other etc_t labeled directory) don't get created with the syslog_conf_t
| type as they are not necessarily syslog configuration files.
|
| Dave Sugar
| dsugar@tresys.com
|
| Signed-off-by: Dave Sugar <dsugar@tresys.com>
* Support systems with a single /usr/bin directory | Nicolas Iooss | 2017-05-07 | 1 | -0/+12
| On systems such as Arch Linux, all programs which are usually located in
| /bin, /sbin, /usr/bin and /usr/sbin are present in /usr/bin and the
| other locations are symbolic links to this directory. With such a
| configuration, the file contexts which define types for files in /bin,
| /sbin and /usr/sbin need to be duplicated to provide definitions for
| /usr/bin/...
|
| As the "/bin vs. /usr/bin" part of the needed definitions has already
| been done with the "usr merge" patches, the next step consists in
| duplicating file contexts for /usr/sbin. This is what this patch does
| for all modules which are not in contrib.
|
| This is the second iteration of an idea I have previously posted on
| http://oss.tresys.com/pipermail/refpolicy/2017-March/009176.html
* remove /var/run file context leftovers | cgzones | 2017-03-30 | 1 | -5/+3
|
* Systemd fixes from Russell Coker. | Chris PeBenito | 2017-02-25 | 1 | -1/+4
|
* Create / to /usr equivalence for bin, sbin, and lib, from Russell Coker. | Chris PeBenito | 2017-02-05 | 1 | -11/+0
|
* Add file contexts in /usr for /bin, /usr/sbin and /usr/lib | Nicolas Iooss | 2017-01-02 | 1 | -0/+5
| Some policy modules define file contexts in /bin, /sbin and /lib without
| defining similar file contexts in the same directory under /usr.
|
| Add these missing file contexts when they are outside ifdef blocks.
* transition file contexts to /run | cgzones | 2017-01-02 | 1 | -18/+18
| Remove file context aliases and update file context paths to use the
| /run filesystem path.
| Add backward compatibility file context alias for /var/run using
| applications like https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=783321
| Lock files are still seated at /var/lock
* Systemd units from Russell Coker. | Chris PeBenito | 2016-08-14 | 1 | -0/+1
|
* Add systemd units for core refpolicy services. | Chris PeBenito | 2015-10-26 | 1 | -0/+2
| Only for services that already have a named init script.
|
| Add rules to init_startstop_service(), with conditional arg until
| all of refpolicy-contrib callers are updated.
* Add supporting rules for domains tightly-coupled with systemd. | Chris PeBenito | 2015-10-26 | 1 | -0/+1
|
* Reintroduce refpolicy quirks as merging becomes difficult otherwise | Sven Vermeulen | 2014-09-13 | 1 | -5/+5
|
* Whitespace change in logging.fc. | Chris PeBenito | 2014-09-13 | 1 | -3/+3
|
* Label systemd-journald files and directories | Nicolas Iooss | 2014-09-13 | 1 | -0/+7
|
* Label syslog-ng.pid as syslogd_var_run_t | Nicolas Iooss | 2014-04-21 | 1 | -0/+2
|
* Add fcontext for rsyslog pidfile | Laurent Bigonville | 2014-02-01 | 1 | -0/+1
|
* Support /var/run/syslog-ng.* generally | Sven Vermeulen | 2013-10-21 | 1 | -2/+1
| Gentoo uses syslog-ng.ctl and others, so generalize the pattern.
* Remove generic log label for cron location | Sven Vermeulen | 2012-11-12 | 1 | -1/+0
| The /var/log/cron[^/]* line in the context definition takes higher
| precedence than the /var/log/cron.* line in the cron.fc file. As a
| result, when /var/log/cron.log is created it gets relabeled to var_log_t
| instead of staying with the cron_log_t type it should be.
|
| Removing the line so that the definitions in cron.log are used.
* Remove var_log_t file context spec | Dominick Grift | 2012-10-02 | 1 | -1/+0
| The /var/cfengine/output location will be labeled in the forthcoming
| cfengine policy module that will be ported from Fedora
|
| Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
* Have syslog-ng.persist label survive relabeling | Sven Vermeulen | 2012-08-29 | 1 | -1/+1
| Syslog-ng already holds a filetrans when it writes files in the
| var_lib_t resources, causing the files to be labeled syslogd_var_lib_t.
| One of these files is the /var/lib/misc/syslog-ng.persist file.
|
| However, because no file context was defined for this file, a
| system-wide relabeling caused it to be turned back into var_lib_t.
|
| This fixes the context back to syslogd_var_lib_t.
* Pushing 2.20120215 (current version) | Sven Vermeulen | 2012-04-21 | 1 | -0/+77