From c37b427de8abb95b8788c4cb90177ad403e80cde Mon Sep 17 00:00:00 2001 From: Daniel J Walsh Date: Aug 29 2008 20:42:15 +0000 Subject: - Allow audit dispatcher to kill his children --- diff --git a/policy-20080710.patch b/policy-20080710.patch index dc18e51..e4e87bc 100644 --- a/policy-20080710.patch +++ b/policy-20080710.patch @@ -30027,18 +30027,17 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol +/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_script_exec_t,s0) diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/policy/modules/system/logging.if serefpolicy-3.5.5/policy/modules/system/logging.if --- nsaserefpolicy/policy/modules/system/logging.if 2008-08-25 09:12:31.000000000 -0400 -+++ serefpolicy-3.5.5/policy/modules/system/logging.if 2008-08-29 14:20:21.000000000 -0400 -@@ -281,7 +281,9 @@ ++++ serefpolicy-3.5.5/policy/modules/system/logging.if 2008-08-29 16:22:26.000000000 -0400 +@@ -281,7 +281,7 @@ role system_r types $1; domtrans_pattern(audisp_t, $2, $1) -+# Not sure if this is necessary? - allow $1 audisp_t:process signal; -+ allow audisp_t $1:process signal; +- allow $1 audisp_t:process signal; ++ allow audisp_t $1:process { sigkill sigstop signull signal } allow audisp_t $2:file getattr; allow $1 audisp_t:unix_stream_socket rw_socket_perms; -@@ -699,6 +701,8 @@ +@@ -699,6 +699,8 @@ files_search_var($1) manage_files_pattern($1,logfile,logfile) read_lnk_files_pattern($1,logfile,logfile) @@ -30047,7 +30046,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -803,6 +807,42 @@ +@@ -803,6 +805,42 @@ ######################################## ## 
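Review bot: The added rule `allow audisp_t $1:process { sigkill sigstop signull signal }` in the logging.if hunk at `@@ -281,7 +281,7 @@` has no terminating `;`, so it runs straight into `allow audisp_t $2:file getattr;` and the interface will most likely fail to build. It should read `allow audisp_t $1:process { sigkill sigstop signull signal };`. The same edit also drops `allow $1 audisp_t:process signal;` together with the "Not sure if this is necessary?" comment, which the subject line does not mention. If plugin domains no longer need to signal the dispatcher, a comment such as `# audisp_t manages its plugin children; plugins do not signal the dispatcher` would record that. Listing the four permissions explicitly rather than using `signal_perms` keeps the grant narrow, and that is worth keeping. The enclosing interface begins and ends outside this hunk.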
@@ -30090,7 +30089,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ## All of the rules required to administrate ## the audit environment ## -@@ -827,6 +867,7 @@ +@@ -827,6 +865,7 @@ gen_require(` type auditd_t, auditd_etc_t, auditd_log_t; type auditd_var_run_t; @@ -30098,7 +30097,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $1 auditd_t:process { ptrace signal_perms }; -@@ -842,6 +883,13 @@ +@@ -842,6 +881,13 @@ manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) logging_run_auditctl($1, $2, $3) @@ -30112,7 +30111,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -862,6 +910,7 @@ +@@ -862,6 +908,7 @@ type syslogd_tmp_t, syslogd_var_lib_t; type syslogd_var_run_t, klogd_var_run_t; type klogd_tmp_t, var_log_t; @@ -30120,7 +30119,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') allow $1 syslogd_t:process { ptrace signal_perms }; -@@ -889,6 +938,12 @@ +@@ -889,6 +936,12 @@ manage_files_pattern($1, syslogd_var_run_t, syslogd_var_run_t) logging_manage_all_logs($1) @@ -30133,7 +30132,7 @@ diff -b -B --ignore-all-space --exclude-from=exclude -N -u -r nsaserefpolicy/pol ') ######################################## -@@ -915,5 +970,5 @@ +@@ -915,5 +968,5 @@ # interface(`logging_admin',` logging_admin_audit($1, $2, $3)