commit:     ef6668a7d48e72ecd3513518f32449c4c0bc8423
Author:     Corentin LABBE <clabbe.montjoie <AT> gmail <DOT> com>
AuthorDate: Fri Dec 16 07:15:19 2022 +0000
Commit:     Kenton Groombridge <concord <AT> gentoo <DOT> org>
CommitDate: Mon Feb 13 15:19:51 2023 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-refpolicy.git/commit/?id=ef6668a7

rsyslog: add label for /var/empty/dev/log

On Gentoo, starting rsyslog gives this:
allow syslogd_t var_t:dir { add_name remove_name };
allow syslogd_t var_t:sock_file { create setattr unlink };

This is due to the following piece of code in the configuration:
"""
 Create an additional socket for the default chroot location
 (used by net-misc/openssh[hpn], see https://bugs.gentoo.org/490744)
 input(type="imuxsock" Socket="/var/empty/dev/log")
"""

So let's add the correct label for this file.

Signed-off-by: Corentin LABBE <clabbe.montjoie <AT> gmail.com>
Signed-off-by: Kenton Groombridge <concord <AT> gentoo.org>

 policy/modules/kernel/devices.fc | 4 ++++
 policy/modules/system/logging.fc | 4 ++++
 2 files changed, 8 insertions(+)

diff --git a/policy/modules/kernel/devices.fc b/policy/modules/kernel/devices.fc
index 84427423c..da21259b8 100644
--- a/policy/modules/kernel/devices.fc
+++ b/policy/modules/kernel/devices.fc
@@ -236,3 +236,7 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/random -c        
gen_context(system_u:object_r:random_device_t,s0)
 /var/named/chroot/dev/zero -c  gen_context(system_u:object_r:zero_device_t,s0)
 ')
+
+ifdef(`distro_gentoo',`
+/var/empty/dev         -d      gen_context(system_u:object_r:device_t,s0)
+')
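Review bot: the new `/var/empty/dev -d` entry matches only the directory itself (no `(/.*)?` suffix) and is a file-context change only, so it does nothing for an already installed system until `restorecon -v /var/empty/dev` (or a full relabel) is run; the commit message should say so, since the denials it quotes come from a directory currently labelled var_t. Worth a second look as well: device_t on a directory inside the sshd privsep chroot means every domain that may write device_t directories can now create entries under /var/empty/dev, which is a wider grant than the single socket this change is meant to allow. If the only need is the rsyslog socket, a narrower type for the directory (as the distro_redhat block above does per-node for the named chroot) would keep the chroot's attack surface where it was.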

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 5681acb51..3b0dea51b 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -68,6 +68,10 @@ ifdef(`distro_redhat',`
 /var/named/chroot/dev/log -s   gen_context(system_u:object_r:devlog_t,s0)
 ')
 
+ifdef(`distro_gentoo',`
+/var/empty/dev/log     -s      gen_context(system_u:object_r:devlog_t,s0)
+')
+
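Review bot: the `/var/empty/dev/log -s devlog_t` entry only governs relabelling; rsyslog creates this socket itself at startup (the imuxsock input quoted in the commit message), so its label at creation time comes from whatever type transition syslogd_t has for sock_file in a device_t directory, and the diffstat shows no .te change adding one. If no such transition exists the socket will be created as device_t and the AVCs from the commit message will simply move from var_t to device_t. Please confirm after relabelling and restarting rsyslog that `ls -Z /var/empty/dev/log` shows devlog_t and that no new syslogd_t denial appears, and mention the relabel step in the commit message.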
 /run/audit_events      -s      
gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh)
 /run/audispd_events    -s      
gen_context(system_u:object_r:audisp_runtime_t,mls_systemhigh)
 /run/auditd\.pid       --      
gen_context(system_u:object_r:auditd_runtime_t,mls_systemhigh)
