diff --git a/policy/modules/services/setroubleshoot.te b/policy/modules/services/setroubleshoot.te index 8b01d87..2fa32be 100644 --- a/policy/modules/services/setroubleshoot.te +++ b/policy/modules/services/setroubleshoot.te @@ -1,5 +1,5 @@ -policy_module(setroubleshoot, 1.7.0) +policy_module(setroubleshoot, 1.7.1) ######################################## # @@ -98,7 +98,7 @@ miscfiles_read_localization(setroubleshootd_t) locallogin_dontaudit_use_fds(setroubleshootd_t) logging_send_syslog_msg(setroubleshootd_t) -logging_stream_connect_auditd(setroubleshootd_t) +logging_stream_connect_dispatcher(setroubleshootd_t) seutil_read_config(setroubleshootd_t) seutil_read_file_contexts(setroubleshootd_t) diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc index f5737fd..ba5542f 100644 --- a/policy/modules/system/logging.fc +++ b/policy/modules/system/logging.fc @@ -4,6 +4,8 @@ /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) +/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) +/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) /sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) /sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) /sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) @@ -20,6 +22,7 @@ /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) +/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) /var/lib/syslog-ng.persist -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) ifdef(`distro_suse', ` @@ -28,6 +31,7 @@ ifdef(`distro_suse', ` /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) +/var/cfengine/outputs(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) /var/log/.* gen_context(system_u:object_r:var_log_t,s0) @@ -37,7 +41,7 @@ ifdef(`distro_suse', ` /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/spooler[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/audit(/.*)? gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) -/var/log/syslog-ng(/.*)? -- gen_context(system_u:object_r:syslogd_var_run_t,s0) +/var/log/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_run_t,s0) ifndef(`distro_gentoo',` /var/log/audit\.log -- gen_context(system_u:object_r:auditd_log_t,mls_systemhigh) @@ -48,7 +52,7 @@ ifdef(`distro_redhat',` ') /var/run/audit_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) -/var/run/audispd_events -s gen_context(system_u:object_r:auditd_var_run_t,s0) +/var/run/audispd_events -s gen_context(system_u:object_r:audisp_var_run_t,s0) /var/run/auditd\.pid -- gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/auditd_sock -s gen_context(system_u:object_r:auditd_var_run_t,s0) /var/run/klogd\.pid -- gen_context(system_u:object_r:klogd_var_run_t,s0) diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if index 0a0163a..19b701b 100644 --- a/policy/modules/system/logging.if +++ b/policy/modules/system/logging.if @@ -213,12 +213,97 @@ interface(`logging_run_auditd',` ## # interface(`logging_stream_connect_auditd',` + refpolicywarn(`$0($*) has been deprecated, logging_stream_connect_dispatcher() should be used instead.') + logging_stream_connect_dispatcher($1) +') + +######################################## +## +## Execute a domain transition to run the audit dispatcher. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`logging_domtrans_dispatcher',` gen_require(` - type auditd_t, auditd_var_run_t; + type audisp_t, audisp_exec_t; + ') + + domtrans_pattern($1, audisp_exec_t, audisp_t) +') + +######################################## +## +## Signal the audit dispatcher. +## +## +## +## Domain allowed to transition. +## +## +# +interface(`logging_signal_dispatcher',` + gen_require(` + type audisp_t; + ') + + allow $1 audisp_t:process signal; +') + +######################################## +## +## Create a domain for processes +## which can be started by the system audit dispatcher +## +## +## +## Type to be used as a domain. +## +## +## +## +## Type of the program to be used as an entry point to this domain. +## +## +# +interface(`logging_dispatcher_domain',` + gen_require(` + type audisp_t; + role system_r; + ') + + domain_type($1) + domain_entry_file($1, $2) + + role system_r types $1; + + domtrans_pattern(audisp_t, $2, $1) + allow $1 audisp_t:process signal; + + allow audisp_t $2:file getattr; + allow $1 audisp_t:unix_stream_socket rw_socket_perms; +') + +######################################## +## +## Connect to the audit dispatcher over an unix stream socket. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_stream_connect_dispatcher',` + gen_require(` + type audisp_t, audisp_var_run_t; ') files_search_pids($1) - stream_connect_pattern($1,auditd_var_run_t,auditd_var_run_t,auditd_t) + stream_connect_pattern($1, audisp_var_run_t, audisp_var_run_t, audisp_t) ') ######################################## @@ -530,8 +615,7 @@ interface(`logging_append_all_logs',` ') files_search_var($1) - allow $1 var_log_t:dir list_dir_perms; - allow $1 logfile:file { getattr append }; + append_files_pattern($1, var_log_t, logfile) ') ######################################## @@ -579,6 +663,25 @@ interface(`logging_exec_all_logs',` ######################################## ## +## read/write to all log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_rw_all_logs',` + gen_require(` + attribute logfile; + ') + + files_search_var($1) + rw_files_pattern($1, logfile, logfile) +') + +######################################## +## ## Create, read, write, and delete all log files. ## ## @@ -641,6 +744,24 @@ interface(`logging_write_generic_logs',` ######################################## ## +## Dontaudit Write generic log files. +## +## +## +## Domain allowed access. +## +## +# +interface(`logging_dontaudit_write_generic_logs',` + gen_require(` + type var_log_t; + ') + + dontaudit $1 var_log_t:file write; +') + +######################################## +## ## Read and write generic log files. ## ## @@ -690,6 +811,16 @@ interface(`logging_manage_generic_logs',` ## Domain allowed access. ## ## +## +## +## User role allowed access. +## +## +## +## +## User terminal type. +## +## ## # interface(`logging_admin_audit',` @@ -709,6 +840,8 @@ interface(`logging_admin_audit',` manage_dirs_pattern($1, auditd_var_run_t, auditd_var_run_t) manage_files_pattern($1, auditd_var_run_t, auditd_var_run_t) + + logging_run_auditctl($1, $2, $3) ') ######################################## @@ -768,9 +901,19 @@ interface(`logging_admin_syslog',` ## Domain allowed access. ## ## +## +## +## User role allowed access. +## +## +## +## +## User terminal type. +## +## ## # interface(`logging_admin',` - logging_admin_audit($1) + logging_admin_audit($1, $2, $3) logging_admin_syslog($1) ') diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te index f5292e8..f346c28 100644 --- a/policy/modules/system/logging.te +++ b/policy/modules/system/logging.te @@ -1,5 +1,5 @@ -policy_module(logging, 1.11.1) +policy_module(logging, 1.11.2) ######################################## # @@ -27,6 +27,17 @@ init_daemon_domain(auditd_t,auditd_exec_t) type auditd_var_run_t; files_pid_file(auditd_var_run_t) +type audisp_t; +type audisp_exec_t; +init_system_domain(audisp_t, audisp_exec_t) + +type audisp_var_run_t; +files_pid_file(audisp_var_run_t) + +type audisp_remote_t; +type audisp_remote_exec_t; +logging_dispatcher_domain(audisp_remote_t, audisp_remote_exec_t) + type devlog_t; files_type(devlog_t) mls_trusted_object(devlog_t) @@ -62,7 +73,8 @@ logging_log_file(var_log_t) files_mountpoint(var_log_t) ifdef(`enable_mls',` - init_ranged_daemon_domain(auditd_t,auditd_exec_t,mls_systemhigh) + init_ranged_daemon_domain(auditd_t, auditd_exec_t, mls_systemhigh) + init_ranged_daemon_domain(syslogd_t, syslogd_exec_t, mls_systemhigh) ') ######################################## @@ -150,6 +162,8 @@ init_telinit(auditd_t) logging_set_audit_parameters(auditd_t) logging_send_syslog_msg(auditd_t) +logging_domtrans_dispatcher(auditd_t) +logging_signal_dispatcher(auditd_t) libs_use_ld_so(auditd_t) libs_use_shared_libs(auditd_t) @@ -161,6 +175,8 @@ mls_file_write_all_levels(auditd_t) # Need to be able to write to /var/run/ dire seutil_dontaudit_read_config(auditd_t) +sysnet_dns_name_resolve(auditd_t) + userdom_dontaudit_use_unpriv_user_fds(auditd_t) sysadm_dontaudit_search_home_dirs(auditd_t) @@ -172,6 +188,10 @@ ifdef(`distro_ubuntu',` ') optional_policy(` + mta_send_mail(auditd_t) +') + +optional_policy(` seutil_sigchld_newrole(auditd_t) ') @@ -181,6 +201,60 @@ optional_policy(` ######################################## # +# audit dispatcher local policy +# + +allow audisp_t self:capability sys_nice; +allow audisp_t self:process setsched; +allow audisp_t self:fifo_file rw_file_perms; +allow audisp_t self:unix_stream_socket create_stream_socket_perms; +allow audisp_t self:unix_dgram_socket create_socket_perms; + +allow audisp_t auditd_t:unix_stream_socket rw_file_perms; + +manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) +files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) + +corecmd_search_bin(audisp_t) + +domain_use_interactive_fds(audisp_t) + +files_read_etc_files(audisp_t) + +mls_file_write_all_levels(audisp_t) + +libs_use_ld_so(audisp_t) +libs_use_shared_libs(audisp_t) + +logging_send_syslog_msg(audisp_t) + +miscfiles_read_localization(audisp_t) + +######################################## +# +# Audit remote logger local policy +# + +allow audisp_remote_t self:tcp_socket create_socket_perms; + +corenet_all_recvfrom_unlabeled(audisp_remote_t) +corenet_all_recvfrom_netlabel(audisp_remote_t) +corenet_tcp_sendrecv_all_if(audisp_remote_t) +corenet_tcp_sendrecv_all_nodes(audisp_remote_t) + +files_read_etc_files(audisp_remote_t) + +libs_use_ld_so(audisp_remote_t) +libs_use_shared_libs(audisp_remote_t) + +logging_send_syslog_msg(audisp_remote_t) + +miscfiles_read_localization(audisp_remote_t) + +sysnet_dns_name_resolve(audisp_remote_t) + +######################################## +# # klogd local policy # @@ -253,7 +327,6 @@ allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_a dontaudit syslogd_t self:capability sys_tty_config; # setpgid for metalog allow syslogd_t self:process { signal_perms setpgid }; -allow syslogd_t self:netlink_route_socket r_netlink_socket_perms; # receive messages to be logged allow syslogd_t self:unix_dgram_socket create_socket_perms; allow syslogd_t self:unix_stream_socket create_stream_socket_perms; @@ -290,6 +363,7 @@ files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) manage_files_pattern(syslogd_t,syslogd_var_run_t,syslogd_var_run_t) files_pid_filetrans(syslogd_t,syslogd_var_run_t,file) +kernel_read_system_state(syslogd_t) kernel_read_kernel_sysctls(syslogd_t) kernel_read_proc_symlinks(syslogd_t) # Allow access to /proc/kmsg for syslog-ng @@ -297,20 +371,6 @@ kernel_read_messages(syslogd_t) kernel_clear_ring_buffer(syslogd_t) kernel_change_ring_buffer_level(syslogd_t) -dev_filetrans(syslogd_t,devlog_t,sock_file) -dev_read_sysfs(syslogd_t) - -fs_search_auto_mountpoints(syslogd_t) - -term_write_console(syslogd_t) -# Allow syslog to a terminal -term_write_unallocated_ttys(syslogd_t) - -# for sending messages to logged in users -init_read_utmp(syslogd_t) -init_dontaudit_write_utmp(syslogd_t) -term_write_all_user_ttys(syslogd_t) - corenet_all_recvfrom_unlabeled(syslogd_t) corenet_all_recvfrom_netlabel(syslogd_t) corenet_udp_sendrecv_all_if(syslogd_t) @@ -328,22 +388,45 @@ corenet_tcp_connect_rsh_port(syslogd_t) # Allow users to define additional syslog ports to connect to corenet_tcp_bind_syslogd_port(syslogd_t) corenet_tcp_connect_syslogd_port(syslogd_t) +corenet_tcp_connect_postgresql_port(syslogd_t) +corenet_tcp_connect_mysqld_port(syslogd_t) # syslog-ng can send or receive logs corenet_sendrecv_syslogd_client_packets(syslogd_t) corenet_sendrecv_syslogd_server_packets(syslogd_t) +corenet_sendrecv_postgresql_client_packets(syslogd_t) +corenet_sendrecv_mysqld_client_packets(syslogd_t) -fs_getattr_all_fs(syslogd_t) - -init_use_fds(syslogd_t) +dev_filetrans(syslogd_t,devlog_t,sock_file) +dev_read_sysfs(syslogd_t) domain_use_interactive_fds(syslogd_t) files_read_etc_files(syslogd_t) +files_read_usr_files(syslogd_t) files_read_var_files(syslogd_t) files_read_etc_runtime_files(syslogd_t) # /initrd is not umounted before minilog starts files_dontaudit_search_isid_type_dirs(syslogd_t) +files_read_kernel_symbol_table(syslogd_t) + +fs_getattr_all_fs(syslogd_t) +fs_search_auto_mountpoints(syslogd_t) + +mls_file_write_all_levels(syslogd_t) # Need to be able to write to /var/run/ and /var/log directories + +term_write_console(syslogd_t) +# Allow syslog to a terminal +term_write_unallocated_ttys(syslogd_t) + +# for sending messages to logged in users +init_read_utmp(syslogd_t) +init_dontaudit_write_utmp(syslogd_t) +term_write_all_user_ttys(syslogd_t) + +auth_use_nsswitch(syslogd_t) + +init_use_fds(syslogd_t) libs_use_ld_so(syslogd_t) libs_use_shared_libs(syslogd_t) @@ -351,8 +434,6 @@ libs_use_shared_libs(syslogd_t) # cjp: this doesnt make sense logging_send_syslog_msg(syslogd_t) -sysnet_read_config(syslogd_t) - miscfiles_read_localization(syslogd_t) userdom_dontaudit_use_unpriv_user_fds(syslogd_t) @@ -382,11 +463,7 @@ optional_policy(` ') optional_policy(` - nis_use_ypbind(syslogd_t) -') - -optional_policy(` - nscd_socket_use(syslogd_t) + postgresql_stream_connect(syslogd_t) ') optional_policy(`