* [refpolicy] [PATCH v2] systemd: Add support for --log-target
@ 2016-03-31 7:40 Dominick Grift
2016-03-31 12:32 ` Christopher J. PeBenito
0 siblings, 1 reply; 2+ messages in thread
From: Dominick Grift @ 2016-03-31 7:40 UTC (permalink / raw)
To: refpolicy
https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=
see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22
v2: Add comment about dontaudit rule
Signed-off-by: Dominick Grift <dac.override@gmail.com>
---
policy/modules/system/systemd.if | 19 +++++++++++++++++
policy/modules/system/systemd.te | 44 +++++++++++++++++++++++++++-------------
2 files changed, 49 insertions(+), 14 deletions(-)
diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
index 3cd6670..705cbaa 100644
--- a/policy/modules/system/systemd.if
+++ b/policy/modules/system/systemd.if
@@ -2,6 +2,25 @@
######################################
## <summary>
+## Make the specified type usable as an
+## log parse environment type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Type to be used as a log parse environment type.
+## </summary>
+## </param>
+#
+interface(`systemd_log_parse_environment',`
+ gen_require(`
+ attribute systemd_log_parse_env_type;
+ ')
+
+ typeattribute $1 systemd_log_parse_env_type;
+')
+
+######################################
+## <summary>
## Read systemd_login PID files.
## </summary>
## <param name="domain">
diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
index 60a75fa..6d40952 100644
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3)
## </desc>
gen_tunable(systemd_tmpfiles_manage_all, false)
+attribute systemd_log_parse_env_type;
+
type systemd_activate_t;
type systemd_activate_exec_t;
init_system_domain(systemd_activate_t, systemd_activate_exec_t)
@@ -113,16 +115,33 @@ init_unit_file(power_unit_t)
######################################
#
+# systemd log parse enviroment
+#
+
+# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
+dontaudit systemd_log_parse_env_type self:capability net_admin;
+
+kernel_read_system_state(systemd_log_parse_env_type)
+
+dev_write_kmsg(systemd_log_parse_env_type)
+
+term_use_console(systemd_log_parse_env_type)
+
+init_read_state(systemd_log_parse_env_type)
+
+logging_send_syslog_msg(systemd_log_parse_env_type)
+
+######################################
+#
# Cgroups local policy
#
kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
+kernel_dgram_send(systemd_cgroups_t)
init_stream_connect(systemd_cgroups_t)
-logging_send_syslog_msg(systemd_cgroups_t)
-
-kernel_dgram_send(systemd_cgroups_t)
+systemd_log_parse_environment(systemd_cgroups_t)
#######################################
#
@@ -133,10 +152,10 @@ kernel_read_kernel_sysctls(systemd_locale_t)
files_read_etc_files(systemd_locale_t)
-logging_send_syslog_msg(systemd_locale_t)
-
seutil_read_file_contexts(systemd_locale_t)
+systemd_log_parse_environment(systemd_locale_t)
+
optional_policy(`
dbus_connect_system_bus(systemd_locale_t)
dbus_system_bus_client(systemd_locale_t)
@@ -151,10 +170,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
files_read_etc_files(systemd_hostnamed_t)
-logging_send_syslog_msg(systemd_hostnamed_t)
-
seutil_read_file_contexts(systemd_hostnamed_t)
+systemd_log_parse_environment(systemd_hostnamed_t)
+
optional_policy(`
dbus_system_bus_client(systemd_hostnamed_t)
dbus_connect_system_bus(systemd_hostnamed_t)
@@ -207,13 +226,10 @@ init_start_all_units(systemd_logind_t)
init_stop_all_units(systemd_logind_t)
init_service_status(systemd_logind_t)
init_service_start(systemd_logind_t)
-# This is for reading /proc/1/cgroup
-init_read_state(systemd_logind_t)
locallogin_read_state(systemd_logind_t)
-logging_send_syslog_msg(systemd_logind_t)
-
+systemd_log_parse_environment(systemd_logind_t)
systemd_start_power_units(systemd_logind_t)
udev_read_db(systemd_logind_t)
@@ -234,7 +250,7 @@ optional_policy(`
allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
-logging_send_syslog_msg(systemd_sessions_t)
+systemd_log_parse_environment(systemd_sessions_t)
#########################################
#
@@ -260,10 +276,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
-logging_send_syslog_msg(systemd_tmpfiles_t)
-
seutil_read_file_contexts(systemd_tmpfiles_t)
+systemd_log_parse_environment(systemd_tmpfiles_t)
+
tunable_policy(`systemd_tmpfiles_manage_all',`
# systemd-tmpfiles can be configured to manage anything.
# have a last-resort option for users to do this.
--
2.5.5
^ permalink raw reply related [flat|nested] 2+ messages in thread
* [refpolicy] [PATCH v2] systemd: Add support for --log-target
2016-03-31 7:40 [refpolicy] [PATCH v2] systemd: Add support for --log-target Dominick Grift
@ 2016-03-31 12:32 ` Christopher J. PeBenito
0 siblings, 0 replies; 2+ messages in thread
From: Christopher J. PeBenito @ 2016-03-31 12:32 UTC (permalink / raw)
To: refpolicy
On 3/31/2016 3:40 AM, Dominick Grift wrote:
> https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=
>
> see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22
>
> v2: Add comment about dontaudit rule
Merged.
> Signed-off-by: Dominick Grift <dac.override@gmail.com>
> ---
> policy/modules/system/systemd.if | 19 +++++++++++++++++
> policy/modules/system/systemd.te | 44 +++++++++++++++++++++++++++-------------
> 2 files changed, 49 insertions(+), 14 deletions(-)
>
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 3cd6670..705cbaa 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -2,6 +2,25 @@
>
> ######################################
> ## <summary>
> +## Make the specified type usable as an
> +## log parse environment type.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Type to be used as a log parse environment type.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_log_parse_environment',`
> + gen_require(`
> + attribute systemd_log_parse_env_type;
> + ')
> +
> + typeattribute $1 systemd_log_parse_env_type;
> +')
> +
> +######################################
> +## <summary>
> ## Read systemd_login PID files.
> ## </summary>
> ## <param name="domain">
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 60a75fa..6d40952 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
> @@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3)
> ## </desc>
> gen_tunable(systemd_tmpfiles_manage_all, false)
>
> +attribute systemd_log_parse_env_type;
> +
> type systemd_activate_t;
> type systemd_activate_exec_t;
> init_system_domain(systemd_activate_t, systemd_activate_exec_t)
> @@ -113,16 +115,33 @@ init_unit_file(power_unit_t)
>
> ######################################
> #
> +# systemd log parse enviroment
> +#
> +
> +# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
> +dontaudit systemd_log_parse_env_type self:capability net_admin;
> +
> +kernel_read_system_state(systemd_log_parse_env_type)
> +
> +dev_write_kmsg(systemd_log_parse_env_type)
> +
> +term_use_console(systemd_log_parse_env_type)
> +
> +init_read_state(systemd_log_parse_env_type)
> +
> +logging_send_syslog_msg(systemd_log_parse_env_type)
> +
> +######################################
> +#
> # Cgroups local policy
> #
>
> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
> +kernel_dgram_send(systemd_cgroups_t)
>
> init_stream_connect(systemd_cgroups_t)
>
> -logging_send_syslog_msg(systemd_cgroups_t)
> -
> -kernel_dgram_send(systemd_cgroups_t)
> +systemd_log_parse_environment(systemd_cgroups_t)
>
> #######################################
> #
> @@ -133,10 +152,10 @@ kernel_read_kernel_sysctls(systemd_locale_t)
>
> files_read_etc_files(systemd_locale_t)
>
> -logging_send_syslog_msg(systemd_locale_t)
> -
> seutil_read_file_contexts(systemd_locale_t)
>
> +systemd_log_parse_environment(systemd_locale_t)
> +
> optional_policy(`
> dbus_connect_system_bus(systemd_locale_t)
> dbus_system_bus_client(systemd_locale_t)
> @@ -151,10 +170,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
>
> files_read_etc_files(systemd_hostnamed_t)
>
> -logging_send_syslog_msg(systemd_hostnamed_t)
> -
> seutil_read_file_contexts(systemd_hostnamed_t)
>
> +systemd_log_parse_environment(systemd_hostnamed_t)
> +
> optional_policy(`
> dbus_system_bus_client(systemd_hostnamed_t)
> dbus_connect_system_bus(systemd_hostnamed_t)
> @@ -207,13 +226,10 @@ init_start_all_units(systemd_logind_t)
> init_stop_all_units(systemd_logind_t)
> init_service_status(systemd_logind_t)
> init_service_start(systemd_logind_t)
> -# This is for reading /proc/1/cgroup
> -init_read_state(systemd_logind_t)
>
> locallogin_read_state(systemd_logind_t)
>
> -logging_send_syslog_msg(systemd_logind_t)
> -
> +systemd_log_parse_environment(systemd_logind_t)
> systemd_start_power_units(systemd_logind_t)
>
> udev_read_db(systemd_logind_t)
> @@ -234,7 +250,7 @@ optional_policy(`
> allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
> files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
>
> -logging_send_syslog_msg(systemd_sessions_t)
> +systemd_log_parse_environment(systemd_sessions_t)
>
> #########################################
> #
> @@ -260,10 +276,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
> auth_relabel_login_records(systemd_tmpfiles_t)
> auth_setattr_login_records(systemd_tmpfiles_t)
>
> -logging_send_syslog_msg(systemd_tmpfiles_t)
> -
> seutil_read_file_contexts(systemd_tmpfiles_t)
>
> +systemd_log_parse_environment(systemd_tmpfiles_t)
> +
> tunable_policy(`systemd_tmpfiles_manage_all',`
> # systemd-tmpfiles can be configured to manage anything.
> # have a last-resort option for users to do this.
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2016-03-31 12:32 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-03-31 7:40 [refpolicy] [PATCH v2] systemd: Add support for --log-target Dominick Grift
2016-03-31 12:32 ` Christopher J. PeBenito
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.