[patch 32/35] rsync policy update


 



rsync module policy changes, mostly related to a new type for rsync log
files.
Index: refpolicy/policy/modules/services/rsync.fc
===================================================================
--- refpolicy.orig/policy/modules/services/rsync.fc	2008-07-19 19:15:41.000000000 +0200
+++ refpolicy/policy/modules/services/rsync.fc	2008-08-03 21:58:33.000000000 +0200
@@ -1,2 +1,6 @@
 
 /usr/bin/rsync		--	gen_context(system_u:object_r:rsync_exec_t,s0)
+
+/var/log/rsync\.log      --	gen_context(system_u:object_r:rsync_log_t,s0)
+
+/var/run/rsyncd\.lock      --	gen_context(system_u:object_r:rsync_log_t,s0)
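Review bot: The lock file `/var/run/rsyncd\.lock` on the last line is labelled rsync_log_t, which rsync.te declares with logging_log_file(), even though it lives under /var/run and is not a log; a separate type such as `rsync_var_run_t` declared with `files_pid_file(rsync_var_run_t)` would keep log-handling domains (logrotate, log readers) away from the daemon's lock. The label alone also does not cover runtime creation: the transition this patch adds in rsync.te is `logging_log_filetrans`, which only applies inside var_log_t directories, so a lock file created by the daemon in /var/run would presumably end up as var_run_t unless a `files_pid_filetrans(rsync_t, rsync_var_run_t, file)` is added as well. The log pattern `/var/log/rsync\.log` likewise matches only the live file; if the log is rotated, `/var/log/rsync\.log.*` would cover the rotated copies.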
Index: refpolicy/policy/modules/services/rsync.te
===================================================================
--- refpolicy.orig/policy/modules/services/rsync.te	2008-08-03 16:47:00.000000000 +0200
+++ refpolicy/policy/modules/services/rsync.te	2008-08-03 21:58:33.000000000 +0200
@@ -31,6 +31,9 @@
 type rsync_data_t;
 files_type(rsync_data_t)
 
+type rsync_log_t;
+logging_log_file(rsync_log_t)
+
 type rsync_tmp_t;
 files_tmp_file(rsync_tmp_t)
 
@@ -42,7 +45,7 @@
 # Local policy
 #
 
-allow rsync_t self:capability sys_chroot;
+allow rsync_t self:capability { dac_read_search dac_override setuid setgid sys_chroot };
 allow rsync_t self:process signal_perms;
 allow rsync_t self:fifo_file rw_fifo_file_perms;
 allow rsync_t self:tcp_socket create_stream_socket_perms;
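Review bot: The rewritten capability line grants `dac_override` and `dac_read_search` to rsync_t unconditionally, whereas before this patch `dac_override` was only allowed inside the `rsync_export_all_ro` tunable (this patch removes it from there in a later hunk); an opt-in DAC bypass for read-only export becomes a permanent one for every file access the type enforcement rules already permit. Unless something outside the tunable needs it, keep `dac_read_search` and `dac_override` in the tunable block, and prefer `dac_read_search` alone there if read-only export is the only goal, since `dac_override` also bypasses write permission checks. Folding `setuid setgid` into this line is fine in itself, as the old separate rule is deleted below. The rsync_t local policy this line belongs to continues outside the hunk.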
@@ -52,7 +55,6 @@
 # cjp: this should probably only be inetd_child_t rules?
 # search home and kerberos also.
 allow rsync_t self:netlink_tcpdiag_socket r_netlink_socket_perms;
-allow rsync_t self:capability { setuid setgid };
 #end for identd
 
 allow rsync_t rsync_data_t:dir list_dir_perms;
@@ -95,7 +97,8 @@
 libs_use_shared_libs(rsync_t)
 
 logging_send_syslog_msg(rsync_t)
-logging_dontaudit_search_logs(rsync_t)
+manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)
+logging_log_filetrans(rsync_t,rsync_log_t,file)
 
 miscfiles_read_localization(rsync_t)
 miscfiles_read_public_files(rsync_t)
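Review bot: `manage_files_pattern(rsync_t,rsync_log_t,rsync_log_t)` gives the daemon unlink, rename and setattr on its own log, so a compromised rsync_t can delete or rewrite the trail it is supposed to leave; for a daemon that only creates and appends to its log the tighter form is `create_files_pattern(rsync_t,rsync_log_t,rsync_log_t)` together with `append_files_pattern(rsync_t,rsync_log_t,rsync_log_t)`. Dropping `logging_dontaudit_search_logs` looks safe here, since `logging_log_filetrans` presumably already grants the var_log_t directory search needed for the transition, but a one-line comment above the two new lines, such as `# rsyncd writes its own log under /var/log; the lock file in /var/run shares the type (see rsync.fc)`, would save the next reader from guessing why a lock file is a log type.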
@@ -117,7 +120,6 @@
 ')
 
 tunable_policy(`rsync_export_all_ro',`
-	allow rsync_t self:capability dac_override;
 	fs_read_noxattr_fs_files(rsync_t) 
 	auth_read_all_files_except_shadow(rsync_t)
 ')

-- 
David Härdeman

