* Patch: selinux-policy: inconsistency: logging_send_syslog_msg is not optional policy.
@ 2008-07-17 15:13 Dominick Grift
2008-07-17 15:55 ` Daniel J Walsh
0 siblings, 1 reply; 3+ messages in thread
From: Dominick Grift @ 2008-07-17 15:13 UTC (permalink / raw)
To: selinux
[-- Attachment #1.1: Type: text/plain, Size: 92 bytes --]
logging_send_syslog_msg is not optional policy.
--
Dominick Grift <domg472@gmail.com>
[-- Attachment #1.2: logging_send_syslog_msg_not_optional.patch --]
[-- Type: text/x-patch, Size: 6673 bytes --]
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/apps/userhelper.if
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/apps/userhelper.if (revision 2758)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/apps/userhelper.if (working copy)
@@ -142,6 +142,8 @@
libs_use_ld_so($1_userhelper_t)
libs_use_shared_libs($1_userhelper_t)
+ logging_send_syslog_msg($1_userhelper_t)
+
miscfiles_read_localization($1_userhelper_t)
seutil_read_config($1_userhelper_t)
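Review bot: The `---`/`+++` headers for this hunk, and for every file after it, carry absolute paths under /home/domg472/Workspace/refpolicy_trunk/, so the patch does not apply cleanly from the top of another checkout. Please regenerate the diff from the tree root so the paths read policy/modules/apps/userhelper.if and so on.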
@@ -170,10 +172,6 @@
')
optional_policy(`
- logging_send_syslog_msg($1_userhelper_t)
- ')
-
- optional_policy(`
nis_use_ypbind($1_userhelper_t)
')
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/apps/lockdev.if
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/apps/lockdev.if (revision 2758)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/apps/lockdev.if (working copy)
@@ -75,8 +75,4 @@
logging_send_syslog_msg($1_lockdev_t)
userdom_use_user_terminals($1, $1_lockdev_t)
-
- optional_policy(`
- logging_send_syslog_msg($1_t)
- ')
')
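Review bot: The block removed at the end of this hunk calls logging_send_syslog_msg($1_t), not $1_lockdev_t, and no `+` line re-adds it, so $1_t loses the rule outright instead of having it made unconditional as in the other files. The context line logging_send_syslog_msg($1_lockdev_t) only covers the lockdev domain. If dropping the $1_t rule is intended, say so in the description, since the subject line only mentions removing the optional wrapper; otherwise add an unconditional call for $1_t.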
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/razor.te
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/razor.te (revision 2761)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/razor.te (working copy)
@@ -51,12 +51,10 @@
corenet_tcp_connect_razor_port(razor_t)
corenet_sendrecv_razor_client_packets(razor_t)
+logging_send_syslog_msg(razor_t)
+
sysnet_read_config(razor_t)
optional_policy(`
- logging_send_syslog_msg(razor_t)
-')
-
-optional_policy(`
nscd_socket_use(razor_t)
')
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/pyzor.te
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/pyzor.te (revision 2761)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/pyzor.te (working copy)
@@ -127,12 +127,10 @@
miscfiles_read_localization(pyzord_t)
+logging_send_syslog_msg(pyzord_t)
+
mta_manage_spool(pyzord_t)
# Do not audit attempts to access /root.
staff_dontaudit_search_home_dirs(pyzord_t)
sysadm_dontaudit_search_home_dirs(pyzord_t)
-
-optional_policy(`
- logging_send_syslog_msg(pyzord_t)
-')
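Review bot: The added logging_send_syslog_msg(pyzord_t) lands after miscfiles_read_localization(pyzord_t), whereas the userhelper.if, dovecot.te and lpd.if hunks in this same patch place the logging call before the miscfiles_read_localization line. Move it above miscfiles_read_localization(pyzord_t) so the ordering is the same across the patch.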
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/lpd.te
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/lpd.te (revision 2761)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/lpd.te (working copy)
@@ -101,6 +101,8 @@
libs_use_ld_so(checkpc_t)
libs_use_shared_libs(checkpc_t)
+logging_send_syslog_msg(checkpc_t)
+
sysnet_read_config(checkpc_t)
optional_policy(`
@@ -108,10 +110,6 @@
')
optional_policy(`
- logging_send_syslog_msg(checkpc_t)
-')
-
-optional_policy(`
nis_use_ypbind(checkpc_t)
')
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/dovecot.te
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/dovecot.te (revision 2761)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/dovecot.te (working copy)
@@ -176,6 +176,8 @@
libs_use_ld_so(dovecot_auth_t)
libs_use_shared_libs(dovecot_auth_t)
+logging_send_syslog_msg(dovecot_auth_t)
+
miscfiles_read_localization(dovecot_auth_t)
seutil_dontaudit_search_config(dovecot_auth_t)
@@ -183,7 +185,3 @@
optional_policy(`
kerberos_use(dovecot_auth_t)
')
-
-optional_policy(`
- logging_send_syslog_msg(dovecot_auth_t)
-')
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/lpd.if
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/lpd.if (revision 2758)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/lpd.if (working copy)
@@ -137,6 +137,8 @@
libs_use_ld_so($1_lpr_t)
libs_use_shared_libs($1_lpr_t)
+ logging_send_syslog_msg($1_lpr_t)
+
miscfiles_read_localization($1_lpr_t)
sysnet_read_config($1_lpr_t)
@@ -184,10 +186,6 @@
')
optional_policy(`
- logging_send_syslog_msg($1_lpr_t)
- ')
-
- optional_policy(`
nscd_socket_use($1_lpr_t)
')
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/sysstat.te
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/sysstat.te (revision 2761)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/sysstat.te (working copy)
@@ -56,6 +56,8 @@
libs_use_ld_so(sysstat_t)
libs_use_shared_libs(sysstat_t)
+logging_send_syslog_msg(sysstat_t)
+
locallogin_use_fds(sysstat_t)
miscfiles_read_localization(sysstat_t)
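Review bot: The added logging_send_syslog_msg(sysstat_t) sits above locallogin_use_fds(sysstat_t), which puts it out of order relative to the neighbouring calls (libs_*, locallogin_*, miscfiles_*). It should go between locallogin_use_fds(sysstat_t) and miscfiles_read_localization(sysstat_t); the follow-up message in this thread makes the same correction.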
@@ -65,7 +67,3 @@
optional_policy(`
cron_system_entry(sysstat_t,sysstat_exec_t)
')
-
-optional_policy(`
- logging_send_syslog_msg(sysstat_t)
-')
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/amanda.te
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/amanda.te (revision 2761)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/amanda.te (working copy)
@@ -156,11 +156,8 @@
libs_use_ld_so(amanda_t)
libs_use_shared_libs(amanda_t)
+logging_send_syslog_msg(amanda_t)
-optional_policy(`
- logging_send_syslog_msg(amanda_t)
-')
-
########################################
#
# Amanda recover local policy
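Review bot: The removal here also deletes the empty line that followed the optional_policy block, and unlike the other hunks no blank `+` line is added after logging_send_syslog_msg(amanda_t), so the call ends up directly against the `########` banner of the "Amanda recover local policy" section. Keep one empty line between the call and the banner.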
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/usbmodules.te
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/usbmodules.te (revision 2761)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/admin/usbmodules.te (working copy)
@@ -36,6 +36,8 @@
libs_use_ld_so(usbmodules_t)
libs_use_shared_libs(usbmodules_t)
+logging_send_syslog_msg(usbmodules_t)
+
miscfiles_read_hwdata(usbmodules_t)
modutils_read_module_deps(usbmodules_t)
@@ -43,7 +45,3 @@
optional_policy(`
hotplug_read_config(usbmodules_t)
')
-
-optional_policy(`
- logging_send_syslog_msg(usbmodules_t)
-')
* Re: Patch: selinux-policy: inconsistency: logging_send_syslog_msg is not optional policy.
2008-07-17 15:13 Patch: selinux-policy: inconsistency: logging_send_syslog_msg is not optional policy Dominick Grift
@ 2008-07-17 15:55 ` Daniel J Walsh
2008-07-17 16:30 ` Dominick Grift
0 siblings, 1 reply; 3+ messages in thread
From: Daniel J Walsh @ 2008-07-17 15:55 UTC (permalink / raw)
To: Dominick Grift; +Cc: selinux
Dominick Grift wrote:
> logging_send_syslog_msg is not optional policy.
>
>
This should never be optional. If there are optional_policy wrappers
around logging_send_syslog_msg they should be removed.
Shouldn't all of kernel/system be required, with the exception of
unconfined?
* Re: Patch: selinux-policy: inconsistency: logging_send_syslog_msg is not optional policy.
2008-07-17 15:55 ` Daniel J Walsh
@ 2008-07-17 16:30 ` Dominick Grift
0 siblings, 0 replies; 3+ messages in thread
From: Dominick Grift @ 2008-07-17 16:30 UTC (permalink / raw)
To: Daniel J Walsh; +Cc: selinux
[-- Attachment #1.1: Type: text/plain, Size: 437 bytes --]
On Thu, 2008-07-17 at 11:55 -0400, Daniel J Walsh wrote:
> Shouldn't all of kernel/system be required, with the exception of
> unconfined?
That is true. You cannot unconditionally require something from a higher
layer.
The patch that I included has a style error in the sysstat module,
however. logging_send_syslog_msg() should be under locallogin_use_fds(),
I believe. Attached is a patch for sysstat to resolve this issue.
[-- Attachment #1.2: sysstat_logging_send_syslog_message_under_locallogin_use_fds.patch --]
[-- Type: text/x-patch, Size: 686 bytes --]
Index: /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/sysstat.te
===================================================================
--- /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/sysstat.te (revision 2761)
+++ /home/domg472/Workspace/refpolicy_trunk/policy/modules/services/sysstat.te (working copy)
@@ -58,6 +58,8 @@
locallogin_use_fds(sysstat_t)
+logging_send_syslog_msg(sysstat_t)
+
miscfiles_read_localization(sysstat_t)
sysadm_dontaudit_list_home_dirs(sysstat_t)
@@ -65,7 +67,3 @@
optional_policy(`
cron_system_entry(sysstat_t,sysstat_exec_t)
')
-
-optional_policy(`
- logging_send_syslog_msg(sysstat_t)
-')
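Review bot: This hunk removes the same optional_policy block from sysstat.te that the first patch already removes, and the file header is still against revision 2761, so the follow-up will not apply on top of the first patch. Please state that it replaces the sysstat.te part of the earlier patch, or resend the whole series with the corrected sysstat.te change folded in.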