* [refpolicy] [PATCH 0/2] Smaller updates on main policy modules
@ 2012-11-10 16:52 Sven Vermeulen
2012-11-10 16:52 ` [refpolicy] [PATCH 1/2] Allow syslogger to manage cron log files Sven Vermeulen
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Sven Vermeulen @ 2012-11-10 16:52 UTC (permalink / raw)
To: refpolicy
This patchset contains a few smaller updates on the main policy modules. The
first one (syslogger managing cron log files) requires the cron_manage_log
interface to be available in the cron module first (sent earlier as a patch).
Sven Vermeulen (2):
Allow syslogger to manage cron log files
Run ipset in iptables domain
policy/modules/system/iptables.fc | 1 +
policy/modules/system/logging.te | 5 +++++
2 files changed, 6 insertions(+), 0 deletions(-)
--
1.7.8.6
* [refpolicy] [PATCH 1/2] Allow syslogger to manage cron log files
2012-11-10 16:52 [refpolicy] [PATCH 0/2] Smaller updates on main policy modules Sven Vermeulen
@ 2012-11-10 16:52 ` Sven Vermeulen
2012-11-27 13:58 ` grift
2012-11-10 16:52 ` [refpolicy] [PATCH 2/2] Run ipset in iptables domain Sven Vermeulen
2012-11-27 13:37 ` [refpolicy] [PATCH 0/2] Smaller updates on main policy modules Christopher J. PeBenito
2 siblings, 1 reply; 6+ messages in thread
From: Sven Vermeulen @ 2012-11-10 16:52 UTC (permalink / raw)
To: refpolicy
Some cron daemons, including vixie-cron, support using the system logger for
handling their logging events. Hence we allow syslogd_t to manage the cron logs,
and put a file transition in place for the system logger when it creates the
cron.log file.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/logging.te | 5 +++++
1 files changed, 5 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 72d67ad..091db87 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -490,6 +490,11 @@ optional_policy(`
')
optional_policy(`
+ cron_manage_log(syslogd_t)
+ cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
+')
+
+optional_policy(`
inn_manage_log(syslogd_t)
')
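Review bot: the two calls added inside the new optional_policy block, cron_manage_log(syslogd_t) and cron_generic_log_filetrans_log(syslogd_t, file, "cron.log"), both depend on cron module interfaces, but the commit message does not name the prerequisite patch; only the cover letter mentions it, and only for cron_manage_log. Please state the dependency for both interfaces in this commit message so the patch cannot be applied out of order. The named transition also only matches the literal file name "cron.log", so a short comment above that call saying which syslog configuration produces that name would help, and it is worth confirming that syslogd_t needs the full manage access here rather than only create and append.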
--
1.7.8.6
* [refpolicy] [PATCH 2/2] Run ipset in iptables domain
2012-11-10 16:52 [refpolicy] [PATCH 0/2] Smaller updates on main policy modules Sven Vermeulen
2012-11-10 16:52 ` [refpolicy] [PATCH 1/2] Allow syslogger to manage cron log files Sven Vermeulen
@ 2012-11-10 16:52 ` Sven Vermeulen
2012-11-27 13:37 ` [refpolicy] [PATCH 0/2] Smaller updates on main policy modules Christopher J. PeBenito
2 siblings, 0 replies; 6+ messages in thread
From: Sven Vermeulen @ 2012-11-10 16:52 UTC (permalink / raw)
To: refpolicy
The ipset command is used to manage ip sets, used by iptables for a more
flexible management of firewall rules. It has very similar requirements as
iptables for accessing and working with the Linux kernel, so marking ipset as
iptables_exec_t to have it run in the iptables domain.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
policy/modules/system/iptables.fc | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/policy/modules/system/iptables.fc b/policy/modules/system/iptables.fc
index 14cffd2..1b93eb7 100644
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -15,6 +15,7 @@
/sbin/xtables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/ipchains.* -- gen_context(system_u:object_r:iptables_exec_t,s0)
+/usr/sbin/ipset -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-multi -- gen_context(system_u:object_r:iptables_exec_t,s0)
/usr/sbin/iptables-restore -- gen_context(system_u:object_r:iptables_exec_t,s0)
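Review bot: the added line labels only /usr/sbin/ipset, while the context in this same hunk shows iptables binaries under both /sbin (/sbin/xtables-multi) and /usr/sbin; an ipset binary installed under /sbin would not get iptables_exec_t from this entry. Consider adding a matching /sbin/ipset line, or say in the commit message that /usr/sbin is the only install location. Since the label hands ipset every permission of the iptables domain, the commit message would also be stronger if it listed the accesses ipset needs instead of "very similar requirements".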
--
1.7.8.6
* [refpolicy] [PATCH 0/2] Smaller updates on main policy modules
2012-11-10 16:52 [refpolicy] [PATCH 0/2] Smaller updates on main policy modules Sven Vermeulen
2012-11-10 16:52 ` [refpolicy] [PATCH 1/2] Allow syslogger to manage cron log files Sven Vermeulen
2012-11-10 16:52 ` [refpolicy] [PATCH 2/2] Run ipset in iptables domain Sven Vermeulen
@ 2012-11-27 13:37 ` Christopher J. PeBenito
2012-11-27 13:40 ` Christopher J. PeBenito
2 siblings, 1 reply; 6+ messages in thread
From: Christopher J. PeBenito @ 2012-11-27 13:37 UTC (permalink / raw)
To: refpolicy
On 11/10/12 11:52, Sven Vermeulen wrote:
> This patchset contains a few smaller updates on the main policy modules. The
> first one (syslogger managing cron log files) requires the cron_manage_log
> interface to be available in the cron module first (sent earlier as a patch).
>
> Sven Vermeulen (2):
> Allow syslogger to manage cron log files
> Run ipset in iptables domain
>
> policy/modules/system/iptables.fc | 1 +
> policy/modules/system/logging.te | 5 +++++
> 2 files changed, 6 insertions(+), 0 deletions(-)
This set merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 0/2] Smaller updates on main policy modules
2012-11-27 13:37 ` [refpolicy] [PATCH 0/2] Smaller updates on main policy modules Christopher J. PeBenito
@ 2012-11-27 13:40 ` Christopher J. PeBenito
0 siblings, 0 replies; 6+ messages in thread
From: Christopher J. PeBenito @ 2012-11-27 13:40 UTC (permalink / raw)
To: refpolicy
On 11/27/12 08:37, Christopher J. PeBenito wrote:
> On 11/10/12 11:52, Sven Vermeulen wrote:
>> This patchset contains a few smaller updates on the main policy modules. The
>> first one (syslogger managing cron log files) requires the cron_manage_log
>> interface to be available in the cron module first (sent earlier as a patch).
>>
>> Sven Vermeulen (2):
>> Allow syslogger to manage cron log files
>> Run ipset in iptables domain
>>
>> policy/modules/system/iptables.fc | 1 +
>> policy/modules/system/logging.te | 5 +++++
>> 2 files changed, 6 insertions(+), 0 deletions(-)
>
> This set merged.
Hit send too fast; only merged the iptables one. Cron interface doesn't exist for use in logging.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
* [refpolicy] [PATCH 1/2] Allow syslogger to manage cron log files
2012-11-10 16:52 ` [refpolicy] [PATCH 1/2] Allow syslogger to manage cron log files Sven Vermeulen
@ 2012-11-27 13:58 ` grift
0 siblings, 0 replies; 6+ messages in thread
From: grift @ 2012-11-27 13:58 UTC (permalink / raw)
To: refpolicy
On Sat, 2012-11-10 at 17:52 +0100, Sven Vermeulen wrote:
> Some cron daemons, including vixie-cron, support using the system logger for
> handling their logging events. Hence we allow syslogd_t to manage the cron logs,
> and put a file transition in place for the system logger when it creates the
> cron.log file.
>
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> policy/modules/system/logging.te | 5 +++++
> 1 files changed, 5 insertions(+), 0 deletions(-)
>
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 72d67ad..091db87 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -490,6 +490,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + cron_manage_log(syslogd_t)
There is a cron_manage_log_files()
> + cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
> +')
> +
> +optional_policy(`
> inn_manage_log(syslogd_t)
> ')
>
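Review bot: the first added call, cron_manage_log(syslogd_t), uses a name that differs from the one the inline reply gives for the cron module's interface, cron_manage_log_files(). The call should be renamed in a v2, and cron_generic_log_filetrans_log(syslogd_t, file, "cron.log") on the next added line should be checked against the cron module in the same way before resending, since the follow-up on the cover letter reports that the cron interface does not exist for use in logging.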