On 1/14/19 10:20 PM, Sugar, David wrote:
journald already runs as syslogd_t; label the config files similarly to
allow editing by domains that can edit syslog configuration files.
Also added some missing '\' before dot in filenames.
Signed-off-by: Dave Sugar <dsugar@xxxxxxxxxx>
---
policy/modules/system/logging.fc | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index c579c2d3..6693d87b 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -1,11 +1,13 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
-/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
-/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
+/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/rsyslog\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
+/etc/systemd/journal.*\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/systemd/journald\.conf\.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
+/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
/usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
/usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
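Review bot: The pattern /etc/systemd/journal.*\.conf on the first added systemd line is broader than the journald configuration the commit message describes. The .* matches any regular file under /etc/systemd whose path starts with "journal" and ends in ".conf", so journal-remote.conf and journal-upload.conf also become syslog_conf_t, and since . also matches "/", so do .conf files below journald.conf.d. If only journald is meant, /etc/systemd/journald\.conf would be tighter; if the other journal-* files are intended, the commit message should say so, since every domain allowed to edit syslog configuration gains them. Separately, the added -- on /etc/rsyslog\.conf and /etc/syslog\.conf restricts those entries to regular files, which is a labeling change beyond the escaped dots the message mentions.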
Merged, though preferably, the whitespace changes would have been a
separate patch.
--
Chris PeBenito