From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 836AF1395E2 for ; Thu, 8 Dec 2016 05:03:50 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id BD19FE0DF8; Thu, 8 Dec 2016 05:03:49 +0000 (UTC) Received: from smtp.gentoo.org (smtp.gentoo.org [140.211.166.183]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 94C0CE0DF2 for ; Thu, 8 Dec 2016 05:03:49 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id B004734161D for ; Thu, 8 Dec 2016 05:03:48 +0000 (UTC) Received: from localhost.localdomain (localhost [127.0.0.1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id 53FFC24B6 for ; Thu, 8 Dec 2016 05:03:47 +0000 (UTC) 
From: "Jason Zaman" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jason Zaman" Message-ID: <1481171799.8a244682cdb051e2a700155c49e9217baee65b0e.perfinion@gentoo> Subject: [gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/ X-VCS-Repository: proj/hardened-refpolicy X-VCS-Files: policy/modules/system/logging.te X-VCS-Directories: policy/modules/system/ X-VCS-Committer: perfinion X-VCS-Committer-Name: Jason Zaman X-VCS-Revision: 8a244682cdb051e2a700155c49e9217baee65b0e X-VCS-Branch: next Date: Thu, 8 Dec 2016 05:03:47 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Archives-Salt: 43af61f2-4889-4dd6-ac06-e79b7260e0ac X-Archives-Hash: e470e56c45c8e780c592c0513cf4e606 Message-ID: <20161208050347._Ns53CMN0bh-sK0vASZY3U5RfslZX16y_9xUF0YLkhA@z> commit: 8a244682cdb051e2a700155c49e9217baee65b0e Author: cgzones googlemail com> AuthorDate: Sun Dec 4 16:42:52 2016 +0000 Commit: Jason Zaman gentoo org> CommitDate: Thu Dec 8 04:36:39 2016 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=8a244682 fix syslogd audits policy/modules/system/logging.te | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index 96ffbcd..a9fbf1b 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -372,7 +372,7 @@ optional_policy(` # sys_nice for rsyslog # cjp: why net_admin! allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid }; -dontaudit syslogd_t self:capability sys_tty_config; +dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace }; # setpgid for metalog # setrlimit for syslog-ng # getsched for syslog-ng 
@@ -456,6 +456,7 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t) dev_filetrans(syslogd_t, devlog_t, sock_file) dev_read_sysfs(syslogd_t) +dev_read_urand(syslogd_t) # Allow access to /dev/kmsg for journald dev_rw_kmsg(syslogd_t) @@ -498,7 +499,10 @@ userdom_dontaudit_use_unpriv_user_fds(syslogd_t) userdom_dontaudit_search_user_home_dirs(syslogd_t) ifdef(`init_systemd',` + # systemd-journald permissions + allow syslogd_t self:capability { chown setuid setgid }; + allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write }; kernel_use_fds(syslogd_t) kernel_getattr_dgram_sockets(syslogd_t)
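Review bot: In the @@ -372 hunk, the new `dontaudit syslogd_t self:capability { sys_tty_config sys_ptrace };` keeps `sys_tty_config` in a dontaudit rule even though the `allow syslogd_t self:capability { ... sys_tty_config ... }` line directly above already grants it, so that half of the rule is dead; while the line is being rewritten, consider dropping `sys_tty_config` from it and adding a comment stating which daemon probes `sys_ptrace` and why it is silenced rather than granted, in the same style as the `# sys_nice for rsyslog` comment a few lines up.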
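Review bot: In the @@ -456 hunk, `dev_read_urand(syslogd_t)` is added without a comment, unlike the neighbouring `# Allow access to /dev/kmsg for journald` line, and it sits in the unconditional part of the domain rather than inside the `ifdef(`init_systemd',` block shown in the next hunk; if the urandom read is only needed by systemd-journald, it belongs in that block, and either way a one-line comment naming the consumer would keep the section consistent.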
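Review bot: In the @@ -498 hunk, `chown` in the new `allow syslogd_t self:capability { chown setuid setgid };` is redundant, since the unconditional `allow syslogd_t self:capability { ... chown fsetid };` in the @@ -372 hunk already grants it, so only `setuid setgid` is new here and the line should list just those; the `# systemd-journald permissions` comment would also be more useful if it said what journald does with `setuid`/`setgid`. The `netlink_audit_socket { getattr getopt read setopt write }` set has no `create` or `bind`, so please confirm it was derived from observed denials on an inherited socket rather than being an incomplete rule that will surface a further denial at socket creation.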