[gentoo-commits] proj/hardened-refpolicy:next commit in: policy/modules/system/

Sun, 10 Sep 2017 07:04:18 -0700 

commit:     58da6a68ade7d4c28dfbc679d901af98573cf441
Author:     Jason Zaman <jason <AT> perfinion <DOT> com>
AuthorDate: Sun Sep 10 13:32:17 2017 +0000
Commit:     Jason Zaman <perfinion <AT> gentoo <DOT> org>
CommitDate: Sun Sep 10 13:32:17 2017 +0000
URL:        
https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=58da6a68

logging: audit map config files and fcontext for /etc/audisp

 policy/modules/system/logging.fc | 1 +
 policy/modules/system/logging.te | 5 +++++
 2 files changed, 6 insertions(+)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 9174f94b..55bb640b 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -3,6 +3,7 @@
 /etc/rsyslog.conf              gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf               gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/audit(/.*)?               
gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/etc/audisp(/.*)?              
gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
 /etc/rc\.d/init\.d/auditd --   
gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/rsyslog --  
gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
 

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 6d09c8bd..de255723 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -105,6 +105,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
+allow auditctl_t auditd_etc_t:file map;
 
 # Needed for adding watches
 files_getattr_all_dirs(auditctl_t)
@@ -245,6 +246,10 @@ allow audisp_t self:unix_dgram_socket create_socket_perms;
 
 allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
 
+read_files_pattern(audisp_t, auditd_etc_t, auditd_etc_t)
+allow audisp_t auditd_etc_t:dir list_dir_perms;
+allow audisp_t auditd_etc_t:file map;
+
 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)

Reply via email to