* [refpolicy] [PATCH v3 0/4] Small set of updates
@ 2012-09-08 15:45 Sven Vermeulen
From: Sven Vermeulen @ 2012-09-08 15:45 UTC (permalink / raw)
To: refpolicy
This patchset contains a few smaller updates on the SELinux policies.
Changes since v2
----------------
- Drop unneeded whitespace
Sven Vermeulen (4):
Puppet uses mount output for verification
Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
Gentoo's openrc does not require initrc_exec_t for runscripts anymore
Allow init scripts to read courier configuration
policy/modules/system/init.fc | 4 ----
policy/modules/system/init.te | 4 ++++
policy/modules/system/logging.fc | 1 +
policy/modules/system/logging.te | 1 +
policy/modules/system/mount.te | 4 ++++
5 files changed, 10 insertions(+), 4 deletions(-)
--
1.7.8.6
* [refpolicy] [PATCH v3 1/4] Puppet uses mount output for verification
From: Sven Vermeulen @ 2012-09-08 15:45 UTC (permalink / raw)
To: refpolicy
Puppet calls mount to obtain the list of mounted file systems, redirecting its
output to a temporary file (labeled puppet_tmp_t). This allows the mount domain
to write to this resource.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/mount.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 63931f6..4175ff7 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -193,6 +193,10 @@ optional_policy(`
')
')
+optional_policy(`
+ puppet_rw_tmp(mount_t)
+')
+
# for kernel package installation
optional_policy(`
rpm_rw_pipes(mount_t)
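Review bot: the new `puppet_rw_tmp(mount_t)` block carries no comment, unlike the adjacent `# for kernel package installation` block; the reason given in the commit message (puppet redirects the output of mount into a puppet_tmp_t file, so mount_t must be able to write it) should be recorded in the policy, e.g. `# puppet redirects mount output to a puppet_tmp_t file`. Note also that the interface grants read as well as write access to puppet's tmp files; if mount only ever writes the redirected output, a narrower interface, where one exists, would be tighter, but rw is consistent with the surrounding optional_policy blocks.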
--
1.7.8.6
* [refpolicy] [PATCH v3 2/4] Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
From: Sven Vermeulen @ 2012-09-08 15:45 UTC (permalink / raw)
To: refpolicy
If the /var/lib/syslog directory does not exist, then syslog-ng (running in
syslogd_t) will attempt to create the directory.
Allow the syslogd_t domain to create the directory, and use an automatic file
transition towards syslogd_var_lib_t.
Also, the syslog-ng daemon uses a persistence file in
/var/lib/misc/syslog-ng.persist (and .persist- if it suspects a collision). As
/var/lib/misc is still a generic var_lib_t, we have the syslogd_t daemon write
its files as syslogd_var_lib_t therein.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/logging.fc | 1 +
policy/modules/system/logging.te | 1 +
2 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 02f4c97..e82cf6d 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -24,6 +24,7 @@
/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/r?syslog(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
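Review bot: the pattern `/var/lib/misc/syslog-ng.persist-?` matches both `syslog-ng.persist` and the `syslog-ng.persist-` collision name described in the commit message, and it mirrors the existing `/var/lib/syslog-ng.persist` entry in the trailing context, so the two locations are labelled consistently. Since `/var/lib/misc` itself stays var_lib_t, as the message states, the label on these files is applied only by a relabel (restorecon) or by the type transition added in logging.te; any other file syslog-ng writes into /var/lib/misc is not covered by this entry, which is worth keeping in mind when the .te rule is reviewed.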
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 0034021..2eca67c 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -439,6 +439,7 @@ files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
files_read_kernel_symbol_table(syslogd_t)
+files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
fs_getattr_all_fs(syslogd_t)
fs_search_auto_mountpoints(syslogd_t)
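Review bot: `files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })` applies to every file or directory syslogd_t creates directly inside a var_lib_t directory, not only to /var/lib/syslog and /var/lib/misc/syslog-ng.persist named in the commit message; if the target refpolicy supports name-based file transitions, restricting the rule to those names would stop unrelated files syslogd might drop under /var/lib from being labelled syslogd_var_lib_t. Separately, a type transition does not by itself grant `create` on syslogd_var_lib_t directories, and this hunk adds no such rule, so the change relies on syslogd_t already managing syslogd_var_lib_t files and dirs elsewhere in logging.te; stating that dependency in the commit message would make the intent clearer.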
--
1.7.8.6
* [refpolicy] [PATCH v3 3/4] Gentoo's openrc does not require initrc_exec_t for runscripts anymore
From: Sven Vermeulen @ 2012-09-08 15:45 UTC (permalink / raw)
To: refpolicy
The Gentoo-specific runscripts in /sbin should not be marked as initrc_exec_t
anymore (just bin_t).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/init.fc | 4 ----
1 files changed, 0 insertions(+), 4 deletions(-)
diff --git a/policy/modules/system/init.fc b/policy/modules/system/init.fc
index 03e27db..9a4d3a7 100644
--- a/policy/modules/system/init.fc
+++ b/policy/modules/system/init.fc
@@ -35,10 +35,6 @@ ifdef(`distro_gentoo', `
ifdef(`distro_gentoo', `
/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
-/sbin/runscript -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/runscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/runsvcscript\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
-/sbin/svcinit -- gen_context(system_u:object_r:initrc_exec_t,s0)
')
#
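Review bot: removing the four initrc_exec_t entries leaves only `/sbin/rc` in the `distro_gentoo` block, and the runscript files then take whatever label the generic /sbin pattern assigns (bin_t, per the commit message); because .fc changes only take effect when the files are relabelled, systems already installed keep initrc_exec_t on /sbin/runscript and friends until /sbin is relabelled, and the commit message should say so. The commit message could also state briefly why openrc no longer needs the initrc_t transition for these files, since the policy itself no longer documents that.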
--
1.7.8.6
* [refpolicy] [PATCH v3 4/4] Allow init scripts to read courier configuration
From: Sven Vermeulen @ 2012-09-08 15:45 UTC (permalink / raw)
To: refpolicy
The courier-imap and courier-pop3 daemons are started by sourcing their
configuration files, and then invoking the daemons using the proper options. If
this is done through a specialized script, then init only needs to call this
script (where a proper transition occurs), but if the init script itself does
this, it needs to be able to read the configuration files.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/init.te | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 0a7eda5..32dd043 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -613,6 +613,10 @@ optional_policy(`
')
optional_policy(`
+ courier_read_config(initrc_t)
+')
+
+optional_policy(`
cpucontrol_stub(initrc_t)
dev_getattr_cpu_dev(initrc_t)
')
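Review bot: the new `courier_read_config(initrc_t)` optional_policy block has no comment, while the commit message explains that the access is only needed when the init script sources the courier configuration itself instead of calling a wrapper that transitions out of initrc_t; add a one-line comment to the block (e.g. `# init scripts source the courier configuration before starting the daemons`) so that reason survives in the policy. Placing the block before `cpucontrol_stub(initrc_t)` keeps these optional_policy blocks in alphabetical order, which is fine.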
--
1.7.8.6
* [refpolicy] [PATCH v3 0/4] Small set of updates
From: Christopher J. PeBenito @ 2012-09-17 14:00 UTC (permalink / raw)
To: refpolicy
On 09/08/12 11:45, Sven Vermeulen wrote:
> This patchset contains a few smaller updates on the SELinux policies.
>
> Changes since v2
> ----------------
>
> - Drop unneeded whitespace
>
> Sven Vermeulen (4):
> Puppet uses mount output for verification
> Allow syslogd to create /var/lib/syslog and /var/lib/misc/syslog-ng.persist
> Gentoo's openrc does not require initrc_exec_t for runscripts anymore
> Allow init scripts to read courier configuration
>
> policy/modules/system/init.fc | 4 ----
> policy/modules/system/init.te | 4 ++++
> policy/modules/system/logging.fc | 1 +
> policy/modules/system/logging.te | 1 +
> policy/modules/system/mount.te | 4 ++++
> 5 files changed, 10 insertions(+), 4 deletions(-)
This set is merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com