diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te
index 8b01d87..2fa32be 100644
--- a/policy/modules/services/setroubleshoot.te
+++ b/policy/modules/services/setroubleshoot.te
@@ -1,5 +1,5 @@
-policy_module(setroubleshoot, 1.7.0)
+policy_module(setroubleshoot, 1.7.1)
########################################
#
@@ -98,7 +98,7 @@ miscfiles_read_localization(setroubleshootd_t)
locallogin_dontaudit_use_fds(setroubleshootd_t)
logging_send_syslog_msg(setroubleshootd_t)
-logging_stream_connect_auditd(setroubleshootd_t)
+logging_stream_connect_dispatcher(setroubleshootd_t)
seutil_read_config(setroubleshootd_t)
seutil_read_file_contexts(setroubleshootd_t)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index f5737fd..ba5542f 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -4,6 +4,8 @@
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
+/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
@@ -20,6 +22,7 @@
/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
/var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
ifdef(`distro_suse', `
@@ -28,6 +31,7 @@ ifdef(`distro_suse', `
/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
+/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
@@ -37,7 +41,7 @@ ifdef(`distro_suse', `
/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
-/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0)
ifndef(`distro_gentoo',`
/var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
@@ -48,7 +52,7 @@ ifdef(`distro_redhat',`
')
/var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
-/var/run/audispd_events -s gen_context(system_u:object_r:auditd_var_run_t,s0)
+/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0)
/var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0)
/var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 0a0163a..19b701b 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -213,12 +213,97 @@ interface(`logging_run_auditd',`
##
#
interface(`logging_stream_connect_auditd',`
+ refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.')
+ logging_stream_connect_dispatcher($1)
+')
+
+########################################
+##
+## Execute a domain transition to run the audit dispatcher.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`logging_domtrans_dispatcher',`
gen_require(`
- type auditd_t, auditd_var_run_t;
+ type audisp_t, audisp_exec_t;
+ ')
+
+ domtrans_pattern($1, audisp_exec_t, audisp_t)
+')
+
+########################################
+##
+## Signal the audit dispatcher.
+##
+##
+##
+## Domain allowed to transition.
+##
+##
+#
+interface(`logging_signal_dispatcher',`
+ gen_require(`
+ type audisp_t;
+ ')
+
+ allow $1 audisp_t:process signal;
+')
+
+########################################
+##
+## Create a domain for processes
+## which can be started by the system audit dispatcher
+##
+##
+##
+## Type to be used as a domain.
+##
+##
+##
+##
+## Type of the program to be used as an entry point to this domain.
+##
+##
+#
+interface(`logging_dispatcher_domain',`
+ gen_require(`
+ type audisp_t;
+ role system_r;
+ ')
+
+ domain_type($1)
+ domain_entry_file($1, $2)
+
+ role system_r types $1;
+
+ domtrans_pattern(audisp_t, $2, $1)
+ allow $1 audisp_t:process signal;
+
+ allow audisp_t $2:file getattr;
+ allow $1 audisp_t:unix_stream_socket rw_socket_perms;
+')
+
+########################################
+##
+## Connect to the audit dispatcher over an unix stream socket.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_stream_connect_dispatcher',`
+ gen_require(`
+ type audisp_t, audisp_var_run_t;
')
files_search_pids($1)
- stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t)
+ stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t)
')
########################################
@@ -530,8 +615,7 @@ interface(`logging_append_all_logs',`
')
files_search_var($1)
- allow $1 var_log_t:dir list_dir_perms;
- allow $1 logfile:file { getattr append };
+ append_files_pattern($1, var_log_t, logfile)
')
########################################
@@ -579,6 +663,25 @@ interface(`logging_exec_all_logs',`
########################################
##
+## read/write to all log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_rw_all_logs',`
+ gen_require(`
+ attribute logfile;
+ ')
+
+ files_search_var($1)
+ rw_files_pattern($1, logfile, logfile)
+')
+
+########################################
+##
## Create, read, write, and delete all log files.
##
##
@@ -641,6 +744,24 @@ interface(`logging_write_generic_logs',`
########################################
##
+## Dontaudit Write generic log files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`logging_dontaudit_write_generic_logs',`
+ gen_require(`
+ type var_log_t;
+ ')
+
+ dontaudit $1 var_log_t:file write;
+')
+
+########################################
+##
## Read and write generic log files.
##
##
@@ -690,6 +811,16 @@ interface(`logging_manage_generic_logs',`
## Domain allowed access.
##
##
+##
+##
+## User role allowed access.
+##
+##
+##
+##
+## User terminal type.
+##
+##
##
#
interface(`logging_admin_audit',`
@@ -709,6 +840,8 @@ interface(`logging_admin_audit',`
manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t)
manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t)
+
+ logging_run_auditctl($1, $2, $3)
')
########################################
@@ -768,9 +901,19 @@ interface(`logging_admin_syslog',`
## Domain allowed access.
##
##
+##
+##
+## User role allowed access.
+##
+##
+##
+##
+## User terminal type.
+##
+##
##
#
interface(`logging_admin',`
- logging_admin_audit($1)
+ logging_admin_audit($1, $2, $3)
logging_admin_syslog($1)
')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index f5292e8..f346c28 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -1,5 +1,5 @@
-policy_module(logging, 1.11.1)
+policy_module(logging, 1.11.2)
########################################
#
@@ -27,6 +27,17 @@ init_daemon_domain(auditd_t,auditd_exec_t)
type auditd_var_run_t;
files_pid_file(auditd_var_run_t)
+type audisp_t;
+type audisp_exec_t;
+init_system_domain(audisp_t, audisp_exec_t)
+
+type audisp_var_run_t;
+files_pid_file(audisp_var_run_t)
+
+type audisp_remote_t;
+type audisp_remote_exec_t;
+logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t)
+
type devlog_t;
files_type(devlog_t)
mls_trusted_object(devlog_t)
@@ -62,7 +73,8 @@ logging_log_file(var_log_t)
files_mountpoint(var_log_t)
ifdef(`enable_mls',`
- init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh)
+ init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh)
+ init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh)
')
########################################
@@ -150,6 +162,8 @@ init_telinit(auditd_t)
logging_set_audit_parameters(auditd_t)
logging_send_syslog_msg(auditd_t)
+logging_domtrans_dispatcher(auditd_t)
+logging_signal_dispatcher(auditd_t)
libs_use_ld_so(auditd_t)
libs_use_shared_libs(auditd_t)
@@ -161,6 +175,8 @@ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ dire
seutil_dontaudit_read_config(auditd_t)
+sysnet_dns_name_resolve(auditd_t)
+
userdom_dontaudit_use_unpriv_user_fds(auditd_t)
sysadm_dontaudit_search_home_dirs(auditd_t)
@@ -172,6 +188,10 @@ ifdef(`distro_ubuntu',`
')
optional_policy(`
+ mta_send_mail(auditd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(auditd_t)
')
@@ -181,6 +201,60 @@ optional_policy(`
########################################
#
+# audit dispatcher local policy
+#
+
+allow audisp_t self:capability sys_nice;
+allow audisp_t self:process setsched;
+allow audisp_t self:fifo_file rw_file_perms;
+allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+allow audisp_t self:unix_dgram_socket create_socket_perms;
+
+allow audisp_t auditd_t:unix_stream_socket rw_file_perms;
+
+manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+
+corecmd_search_bin(audisp_t)
+
+domain_use_interactive_fds(audisp_t)
+
+files_read_etc_files(audisp_t)
+
+mls_file_write_all_levels(audisp_t)
+
+libs_use_ld_so(audisp_t)
+libs_use_shared_libs(audisp_t)
+
+logging_send_syslog_msg(audisp_t)
+
+miscfiles_read_localization(audisp_t)
+
+########################################
+#
+# Audit remote logger local policy
+#
+
+allow audisp_remote_t self:tcp_socket create_socket_perms;
+
+corenet_all_recvfrom_unlabeled(audisp_remote_t)
+corenet_all_recvfrom_netlabel(audisp_remote_t)
+corenet_tcp_sendrecv_all_if(audisp_remote_t)
+corenet_tcp_sendrecv_all_nodes(audisp_remote_t)
+
+files_read_etc_files(audisp_remote_t)
+
+libs_use_ld_so(audisp_remote_t)
+libs_use_shared_libs(audisp_remote_t)
+
+logging_send_syslog_msg(audisp_remote_t)
+
+miscfiles_read_localization(audisp_remote_t)
+
+sysnet_dns_name_resolve(audisp_remote_t)
+
+########################################
+#
# klogd local policy
#
@@ -253,7 +327,6 @@ allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_a
dontaudit syslogd_t self:capability sys_tty_config;
# setpgid for metalog
allow syslogd_t self:process { signal_perms setpgid };
-allow syslogd_t self:netlink_route_socket r_netlink_socket_perms;
# receive messages to be logged
allow syslogd_t self:unix_dgram_socket create_socket_perms;
allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
@@ -290,6 +363,7 @@ files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t)
files_pid_filetrans(syslogd_t,syslogd_var_run_t,file)
+kernel_read_system_state(syslogd_t)
kernel_read_kernel_sysctls(syslogd_t)
kernel_read_proc_symlinks(syslogd_t)
# Allow access to /proc/kmsg for syslog-ng
@@ -297,20 +371,6 @@ kernel_read_messages(syslogd_t)
kernel_clear_ring_buffer(syslogd_t)
kernel_change_ring_buffer_level(syslogd_t)
-dev_filetrans(syslogd_t,devlog_t,sock_file)
-dev_read_sysfs(syslogd_t)
-
-fs_search_auto_mountpoints(syslogd_t)
-
-term_write_console(syslogd_t)
-# Allow syslog to a terminal
-term_write_unallocated_ttys(syslogd_t)
-
-# for sending messages to logged in users
-init_read_utmp(syslogd_t)
-init_dontaudit_write_utmp(syslogd_t)
-term_write_all_user_ttys(syslogd_t)
-
corenet_all_recvfrom_unlabeled(syslogd_t)
corenet_all_recvfrom_netlabel(syslogd_t)
corenet_udp_sendrecv_all_if(syslogd_t)
@@ -328,22 +388,45 @@ corenet_tcp_connect_rsh_port(syslogd_t)
# Allow users to define additional syslog ports to connect to
corenet_tcp_bind_syslogd_port(syslogd_t)
corenet_tcp_connect_syslogd_port(syslogd_t)
+corenet_tcp_connect_postgresql_port(syslogd_t)
+corenet_tcp_connect_mysqld_port(syslogd_t)
# syslog-ng can send or receive logs
corenet_sendrecv_syslogd_client_packets(syslogd_t)
corenet_sendrecv_syslogd_server_packets(syslogd_t)
+corenet_sendrecv_postgresql_client_packets(syslogd_t)
+corenet_sendrecv_mysqld_client_packets(syslogd_t)
-fs_getattr_all_fs(syslogd_t)
-
-init_use_fds(syslogd_t)
+dev_filetrans(syslogd_t,devlog_t,sock_file)
+dev_read_sysfs(syslogd_t)
domain_use_interactive_fds(syslogd_t)
files_read_etc_files(syslogd_t)
+files_read_usr_files(syslogd_t)
files_read_var_files(syslogd_t)
files_read_etc_runtime_files(syslogd_t)
# /initrd is not umounted before minilog starts
files_dontaudit_search_isid_type_dirs(syslogd_t)
+files_read_kernel_symbol_table(syslogd_t)
+
+fs_getattr_all_fs(syslogd_t)
+fs_search_auto_mountpoints(syslogd_t)
+
+mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories
+
+term_write_console(syslogd_t)
+# Allow syslog to a terminal
+term_write_unallocated_ttys(syslogd_t)
+
+# for sending messages to logged in users
+init_read_utmp(syslogd_t)
+init_dontaudit_write_utmp(syslogd_t)
+term_write_all_user_ttys(syslogd_t)
+
+auth_use_nsswitch(syslogd_t)
+
+init_use_fds(syslogd_t)
libs_use_ld_so(syslogd_t)
libs_use_shared_libs(syslogd_t)
@@ -351,8 +434,6 @@ libs_use_shared_libs(syslogd_t)
# cjp: this doesnt make sense
logging_send_syslog_msg(syslogd_t)
-sysnet_read_config(syslogd_t)
-
miscfiles_read_localization(syslogd_t)
userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
@@ -382,11 +463,7 @@ optional_policy(`
')
optional_policy(`
- nis_use_ypbind(syslogd_t)
-')
-
-optional_policy(`
- nscd_socket_use(syslogd_t)
+ postgresql_stream_connect(syslogd_t)
')
optional_policy(`