commit: 58da6a68ade7d4c28dfbc679d901af98573cf441 Author: Jason Zaman <jason <AT> perfinion <DOT> com> AuthorDate: Sun Sep 10 13:32:17 2017 +0000 Commit: Jason Zaman <perfinion <AT> gentoo <DOT> org> CommitDate: Sun Sep 10 13:32:17 2017 +0000 URL: https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=58da6a68
logging: audit map config files and fcontext for /etc/audisp
policy/modules/system/logging.fc | 1 +
policy/modules/system/logging.te | 5 +++++
2 files changed, 6 insertions(+)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 9174f94b..55bb640b 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -3,6 +3,7 @@
 /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
 /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/etc/audisp(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
 /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 6d09c8bd..de255723 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -105,6 +105,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
 read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
 allow auditctl_t auditd_etc_t:dir list_dir_perms;
+allow auditctl_t auditd_etc_t:file map;
 # Needed for adding watches
 files_getattr_all_dirs(auditctl_t)
@@ -245,6 +246,10 @@ allow audisp_t self:unix_dgram_socket create_socket_perms;
 allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
+read_files_pattern(audisp_t, auditd_etc_t, auditd_etc_t)
+allow audisp_t auditd_etc_t:dir list_dir_perms;
+allow audisp_t auditd_etc_t:file map;
+
 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
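Review bot: The three added rules in the second logging.te hunk give audisp_t read, list and map access to everything labelled auditd_etc_t, and because the logging.fc hunk assigns /etc/audisp(/.*)? that same type, the dispatcher domain can now also read the auditd configuration under /etc/audit (already auditd_etc_t on the line above the addition) rather than only its own plugin configuration. If the intent is only the audisp configuration, a dedicated type for /etc/audisp would keep the audit rules and the dispatcher's config apart; if sharing the type is deliberate, a one-line comment above the new block such as `# audisp config shares auditd_etc_t with /etc/audit` would record that for the next reader. The same `read_files_pattern(...)` plus bare `allow ...:file map;` pairing appears in the first logging.te hunk for auditctl_t; if this tree already carries the mmap read support macro (`mmap_read_files_pattern`), one call per domain would replace the two lines and keep the read/map grant in one place. The enclosing domain blocks for auditctl_t and audisp_t both start outside their hunks.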