From mboxrd@z Thu Jan 1 00:00:00 1970
From: cpebenito@tresys.com (Christopher J. PeBenito)
Date: Thu, 31 Mar 2016 08:32:39 -0400
Subject: [refpolicy] [PATCH v2] systemd: Add support for --log-target
In-Reply-To: <1459410042-21388-1-git-send-email-dac.override@gmail.com>
References: <1459410042-21388-1-git-send-email-dac.override@gmail.com>
Message-ID: <56FD18E7.6030908@tresys.com>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 3/31/2016 3:40 AM, Dominick Grift wrote:
> https://www.freedesktop.org/software/systemd/man/systemd.html#--log-target=
> 
> see for discussion: https://github.com/TresysTechnology/refpolicy/pull/22
> 
> v2: Add comment about dontaudit rule

Merged.

> Signed-off-by: Dominick Grift
> ---
> policy/modules/system/systemd.if | 19 +++++++++++++++++
> policy/modules/system/systemd.te | 44 +++++++++++++++++++++++++++-------------
> 2 files changed, 49 insertions(+), 14 deletions(-)
> 
> diff --git a/policy/modules/system/systemd.if b/policy/modules/system/systemd.if
> index 3cd6670..705cbaa 100644
> --- a/policy/modules/system/systemd.if
> +++ b/policy/modules/system/systemd.if
> @@ -2,6 +2,25 @@
> 
> ######################################
> ##
> +## Make the specified type usable as an
> +## log parse environment type.
> +##
> +##
> +##
> +## Type to be used as a log parse environment type.
> +##
> +##
> +#
> +interface(`systemd_log_parse_environment',`
> + gen_require(`
> + attribute systemd_log_parse_env_type;
> + ')
> +
> + typeattribute $1 systemd_log_parse_env_type;
> +')
> +
> +######################################
> +##
> ## Read systemd_login PID files.
> ##
> ##
> diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
> index 60a75fa..6d40952 100644
> --- a/policy/modules/system/systemd.te
> +++ b/policy/modules/system/systemd.te
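Review bot: The interface summary on the `+## Make the specified type usable as an` / `+## log parse environment type.` lines tells a caller nothing about what the attribute actually grants, and "an log" should read "a log"; someone reading only systemd.if cannot see that marking a domain this way gives it kmsg, console and syslog/journal write access plus init and system state reads (the rules are in the systemd.te hunk of this patch). I would reword the summary to `## Make the specified type a systemd log parse environment type: a domain that honors systemd's --log-target= option and is therefore allowed to send syslog messages, write kmsg and use the console.` so the widening is explicit at every call site.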
> @@ -12,6 +12,8 @@ policy_module(systemd, 1.1.3)
> ##
> gen_tunable(systemd_tmpfiles_manage_all, false)
> 
> +attribute systemd_log_parse_env_type;
> +
> type systemd_activate_t;
> type systemd_activate_exec_t;
> init_system_domain(systemd_activate_t, systemd_activate_exec_t)
> @@ -113,16 +115,33 @@ init_unit_file(power_unit_t)
> 
> ######################################
> #
> +# systemd log parse enviroment
> +#
> +
> +# Do not audit setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, ...) failure (e.g. when using create_log_socket() internal function)
> +dontaudit systemd_log_parse_env_type self:capability net_admin;
> +
> +kernel_read_system_state(systemd_log_parse_env_type)
> +
> +dev_write_kmsg(systemd_log_parse_env_type)
> +
> +term_use_console(systemd_log_parse_env_type)
> +
> +init_read_state(systemd_log_parse_env_type)
> +
> +logging_send_syslog_msg(systemd_log_parse_env_type)
> +
> +######################################
> +#
> # Cgroups local policy
> #
> 
> kernel_domtrans_to(systemd_cgroups_t, systemd_cgroups_exec_t)
> +kernel_dgram_send(systemd_cgroups_t)
> 
> init_stream_connect(systemd_cgroups_t)
> 
> -logging_send_syslog_msg(systemd_cgroups_t)
> -
> -kernel_dgram_send(systemd_cgroups_t)
> +systemd_log_parse_environment(systemd_cgroups_t)
> 
> #######################################
> #
> @@ -133,10 +152,10 @@ kernel_read_kernel_sysctls(systemd_locale_t)
> 
> files_read_etc_files(systemd_locale_t)
> 
> -logging_send_syslog_msg(systemd_locale_t)
> -
> seutil_read_file_contexts(systemd_locale_t)
> 
> +systemd_log_parse_environment(systemd_locale_t)
> +
> optional_policy(`
> dbus_connect_system_bus(systemd_locale_t)
> dbus_system_bus_client(systemd_locale_t)
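Review bot: The `+dontaudit systemd_log_parse_env_type self:capability net_admin;` line silences every net_admin denial for every domain carrying the attribute, not only the SO_SNDBUFFORCE setsockopt the comment describes, because the kernel's capability check carries no syscall context; a later, genuine need for net_admin in one of these domains (or an unexpected attempt to use it) will then leave no audit trail. If that trade-off is intended, the comment above it should say so, e.g. `# Note: this also hides any other net_admin denial from these domains`, and it misspells "enviroment". Separately, every domain switched to systemd_log_parse_environment() here and in the locale, hostnamed, logind, sessions and tmpfiles hunks gains dev_write_kmsg, term_use_console, init_read_state and kernel_read_system_state on top of the syslog access it already had; that is presumably the deliberate cost of --log-target support, but a one-line comment per rule naming the log target it serves (e.g. `# --log-target=kmsg` above dev_write_kmsg, `# --log-target=console` above term_use_console) would let the block be audited against the linked man page later.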
> @@ -151,10 +170,10 @@ kernel_read_kernel_sysctls(systemd_hostnamed_t)
> 
> files_read_etc_files(systemd_hostnamed_t)
> 
> -logging_send_syslog_msg(systemd_hostnamed_t)
> -
> seutil_read_file_contexts(systemd_hostnamed_t)
> 
> +systemd_log_parse_environment(systemd_hostnamed_t)
> +
> optional_policy(`
> dbus_system_bus_client(systemd_hostnamed_t)
> dbus_connect_system_bus(systemd_hostnamed_t)
> @@ -207,13 +226,10 @@ init_start_all_units(systemd_logind_t)
> init_stop_all_units(systemd_logind_t)
> init_service_status(systemd_logind_t)
> init_service_start(systemd_logind_t)
> -# This is for reading /proc/1/cgroup
> -init_read_state(systemd_logind_t)
> 
> locallogin_read_state(systemd_logind_t)
> 
> -logging_send_syslog_msg(systemd_logind_t)
> -
> +systemd_log_parse_environment(systemd_logind_t)
> systemd_start_power_units(systemd_logind_t)
> 
> udev_read_db(systemd_logind_t)
> @@ -234,7 +250,7 @@ optional_policy(`
> allow systemd_sessions_t systemd_sessions_var_run_t:file manage_file_perms;
> files_pid_filetrans(systemd_sessions_t, systemd_sessions_var_run_t, file)
> 
> -logging_send_syslog_msg(systemd_sessions_t)
> +systemd_log_parse_environment(systemd_sessions_t)
> 
> #########################################
> #
> @@ -260,10 +276,10 @@ auth_manage_login_records(systemd_tmpfiles_t)
> auth_relabel_login_records(systemd_tmpfiles_t)
> auth_setattr_login_records(systemd_tmpfiles_t)
> 
> -logging_send_syslog_msg(systemd_tmpfiles_t)
> -
> seutil_read_file_contexts(systemd_tmpfiles_t)
> 
> +systemd_log_parse_environment(systemd_tmpfiles_t)
> +
> tunable_policy(`systemd_tmpfiles_manage_all',`
> # systemd-tmpfiles can be configured to manage anything.
> # have a last-resort option for users to do this.
> --
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
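Review bot: Dropping `-# This is for reading /proc/1/cgroup` together with `-init_read_state(systemd_logind_t)` in the logind hunk loses the only recorded reason that init state reads are needed, while the same access is now granted to every log-parse-environment domain through the attribute in the earlier systemd.te hunk with no rationale at all. I would carry the reason over to the attribute block, e.g. `# init_read_state: needed at least by logind to read /proc/1/cgroup`, or, if the other domains do not actually need it for --log-target, keep the rule logind-specific instead of attribute-wide.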