Issue OwlCyberDefense#89: Update logging policy to a newer version

Logging policy was left out when pulling in @pebenito's dev branch.
Surprisingly, the only module that broke with the older policy was fail2ban.
Pull in most recent logging policy to get all modules building properly.

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/roles/toor.te

@@ -48,7 +48,7 @@ ifdef(`direct_toor_daemon',`
 ')
 
 logging_dontaudit_send_audit_msgs(toor_t)
-logging_getattr_dirs(toor_t)
+logging_getattr_all_logs(toor_t)
 #allow toor_t auditd_log_t:{ dir file } getattr;
 
 tunable_policy(`aide_enable_write_db',`

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/logging.fc

@@ -17,13 +17,16 @@
 /sbin/syslogd		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /sbin/syslog-ng		--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
 /usr/sbin/klogd		--	gen_context(system_u:object_r:klogd_exec_t,s0)
 /usr/sbin/metalog	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/rklogd	--	gen_context(system_u:object_r:klogd_exec_t,s0)
 /usr/sbin/rsyslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/syslog-ng	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 /usr/sbin/syslogd	--	gen_context(system_u:object_r:syslogd_exec_t,s0)
 
+/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng(/.*)? 	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/r?syslog(/.*)?		gen_context(system_u:object_r:syslogd_var_lib_t,s0)
 /var/lib/syslog-ng.persist --	gen_context(system_u:object_r:syslogd_var_lib_t,s0)
@@ -34,14 +37,12 @@ ifdef(`distro_suse', `
 
 /var/axfrdns/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 /var/dnscache/log/main(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
-/var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 
 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
 /var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/secure[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-/var/log/cron[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/maillog[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/spooler[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/audit(/.*)?		gen_context(system_u:object_r:auditd_log_t,mls_systemhigh)
@@ -62,10 +63,18 @@ ifdef(`distro_redhat',`
 /var/run/auditd_sock	-s	gen_context(system_u:object_r:auditd_var_run_t,mls_systemhigh)
 /var/run/klogd\.pid	--	gen_context(system_u:object_r:klogd_var_run_t,s0)
 /var/run/log		-s	gen_context(system_u:object_r:devlog_t,s0)
+/var/run/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+/var/run/log/journal(/.*)?	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/run/metalog\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/rsyslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslogd\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng.ctl	--	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/syslog-ng\.pid	--	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
 /var/run/syslog-ng(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,s0)
+/var/run/systemd/journal(/.*)?	gen_context(system_u:object_r:syslogd_var_run_t,mls_systemhigh)
+/var/run/systemd/journal/socket	 -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/syslog	 -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/var/run/systemd/journal/dev-log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
 
 /var/spool/audit(/.*)?		gen_context(system_u:object_r:audit_spool_t,mls_systemhigh)
 /var/spool/bacula/log(/.*)? 	gen_context(system_u:object_r:var_log_t,s0)

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/logging.if

@@ -480,6 +480,11 @@ interface(`logging_domtrans_syslog',`
 ##	The object class of the object being created.
 ##	</summary>
 ## </param>
+## <param name="name" optional="true">
+##	<summary>
+##	The name of the object being created.
+##	</summary>
+## </param>
 ## <infoflow type="write" weight="10"/>
 #
 interface(`logging_log_filetrans',`
@@ -488,7 +493,7 @@ interface(`logging_log_filetrans',`
 	')
 
 	files_search_var($1)
-	filetrans_pattern($1, var_log_t, $2, $3)
+	filetrans_pattern($1, var_log_t, $2, $3, $4)
 ')
 
 ########################################
@@ -525,12 +530,15 @@ interface(`logging_log_filetrans',`
 #
 interface(`logging_send_syslog_msg',`
 	gen_require(`
-		type syslogd_t, devlog_t;
+		type syslogd_t, syslogd_var_run_t, devlog_t;
 	')
 
-	allow $1 devlog_t:lnk_file read_lnk_file_perms;
 	allow $1 devlog_t:sock_file write_sock_file_perms;
 
+	# systemd journal socket is in /run/systemd/journal/dev-log
+	init_search_run($1)
+	allow $1 syslogd_var_run_t:dir search_dir_perms;
+
 	# the type of socket depends on the syslog daemon
 	allow $1 syslogd_t:unix_dgram_socket sendto;
 	allow $1 syslogd_t:unix_stream_socket connectto;
@@ -679,6 +687,25 @@ interface(`logging_rw_generic_log_dirs',`
 	allow $1 var_log_t:dir rw_dir_perms;
 ')
 
+#######################################
+## <summary>
+##	Search through all log dirs.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`logging_search_all_logs',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	allow $1 logfile:dir search_dir_perms;
+')
+
 #######################################
 ## <summary>
 ##	Set attributes on all log dirs.
@@ -700,7 +727,7 @@ interface(`logging_setattr_all_log_dirs',`
 
 ########################################
 ## <summary>
-##	Do not audit attempts to get the atttributes
+##	Do not audit attempts to get the attributes
 ##	of any log files.
 ## </summary>
 ## <param name="domain">
@@ -717,6 +744,24 @@ interface(`logging_dontaudit_getattr_all_logs',`
 	dontaudit $1 logfile:file getattr;
 ')
 
+########################################
+## <summary>
+##	Read the atttributes of any log file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access
+##	</summary>
+## </param>
+#
+interface(`logging_getattr_all_logs',`
+	gen_require(`
+		attribute logfile;
+	')
+
+	allow $1 logfile:file getattr;
+')
+
 ########################################
 ## <summary>
 ##	Append to all log files.
@@ -1043,23 +1088,3 @@ interface(`logging_admin',`
 	logging_admin_audit($1, $2)
 	logging_admin_syslog($1, $2)
 ')
-
-########################################
-## <summary>
-##	Allow a domain getattr access to dirs
-##	in the auditd_log_t domain.
-## </summary>
-## <param name="domain">
-##	<summary>
-##	Domain allowed access.
-##	</summary>
-## </param>
-## <rolecap/>
-#
-interface(`logging_getattr_dirs',`
-	gen_require(`
-                type auditd_log_t;
-        ')
-
-	allow $1 auditd_log_t:dir getattr;
-')

packages/clip-selinux-policy/clip-selinux-policy/policy/modules/system/logging.te

@@ -1,4 +1,4 @@
-policy_module(logging, 1.18.0)
+policy_module(logging, 1.21.3)
 
 ########################################
 #
@@ -64,6 +64,7 @@ files_config_file(syslog_conf_t)
 type syslogd_t;
 type syslogd_exec_t;
 init_daemon_domain(syslogd_t, syslogd_exec_t)
+init_named_socket_activation(syslogd_t, syslogd_var_run_t)
 
 type syslogd_initrc_exec_t;
 init_script_file(syslogd_initrc_exec_t)
@@ -105,7 +106,6 @@ files_read_etc_files(auditctl_t)
 kernel_read_kernel_sysctls(auditctl_t)
 kernel_read_proc_symlinks(auditctl_t)
 kernel_setsched(auditctl_t)
-kernel_use_fds(auditctl_t)
 
 domain_read_all_domains_state(auditctl_t)
 domain_use_interactive_fds(auditctl_t)
@@ -354,20 +354,23 @@ optional_policy(`
 
 # chown fsetid for syslog-ng
 # sys_admin for the integrated klog of syslog-ng and metalog
+# sys_nice for rsyslog
 # cjp: why net_admin!
-allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin chown fsetid sys_nice };
+allow syslogd_t self:capability { dac_override sys_resource sys_tty_config net_admin sys_admin sys_nice chown fsetid };
 dontaudit syslogd_t self:capability sys_tty_config;
 # setpgid for metalog
 # setrlimit for syslog-ng
-allow syslogd_t self:process { signal_perms setpgid setrlimit getsched setsched };
+# getsched for syslog-ng
+# setsched for rsyslog
+# getcap/setcap for syslog-ng
+allow syslogd_t self:process { getcap setcap signal_perms setpgid setrlimit getsched setsched };
 # receive messages to be logged
 allow syslogd_t self:unix_dgram_socket create_socket_perms;
 allow syslogd_t self:unix_stream_socket create_stream_socket_perms;
 allow syslogd_t self:unix_dgram_socket sendto;
 allow syslogd_t self:fifo_file rw_fifo_file_perms;
 allow syslogd_t self:udp_socket create_socket_perms;
 allow syslogd_t self:tcp_socket create_stream_socket_perms;
-kernel_request_load_module(syslogd_t)
 
 allow syslogd_t syslog_conf_t:file read_file_perms;
 
@@ -378,6 +381,7 @@ files_pid_filetrans(syslogd_t, devlog_t, sock_file)
 # create/append log files.
 manage_files_pattern(syslogd_t, var_log_t, var_log_t)
 rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+files_search_spool(syslogd_t)
 
 # Allow access for syslog-ng
 allow syslogd_t var_log_t:dir { create setattr };
@@ -395,12 +399,18 @@ manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
 files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
 
 kernel_read_system_state(syslogd_t)
+kernel_read_network_state(syslogd_t)
 kernel_read_kernel_sysctls(syslogd_t)
 kernel_read_proc_symlinks(syslogd_t)
 # Allow access to /proc/kmsg for syslog-ng
 kernel_read_messages(syslogd_t)
+kernel_read_vm_sysctls(syslogd_t)
 kernel_clear_ring_buffer(syslogd_t)
 kernel_change_ring_buffer_level(syslogd_t)
+# Read ring buffer for journald
+kernel_read_ring_buffer(syslogd_t)
+# /initrd is not umounted before minilog starts
+kernel_dontaudit_search_unlabeled(syslogd_t)
 
 corenet_all_recvfrom_unlabeled(syslogd_t)
 corenet_all_recvfrom_netlabel(syslogd_t)
@@ -430,16 +440,20 @@ corenet_sendrecv_mysqld_client_packets(syslogd_t)
 
 dev_filetrans(syslogd_t, devlog_t, sock_file)
 dev_read_sysfs(syslogd_t)
+# Allow access to /dev/kmsg for journald
+dev_rw_kmsg(syslogd_t)
 
 domain_use_interactive_fds(syslogd_t)
+# Allow access to /proc/ information for journald
+domain_read_all_domains_state(syslogd_t)
 
 files_read_etc_files(syslogd_t)
 files_read_usr_files(syslogd_t)
 files_read_var_files(syslogd_t)
 files_read_etc_runtime_files(syslogd_t)
 # /initrd is not umounted before minilog starts
-files_dontaudit_search_isid_type_dirs(syslogd_t)
 files_read_kernel_symbol_table(syslogd_t)
+files_var_lib_filetrans(syslogd_t, syslogd_var_lib_t, { file dir })
 
 fs_getattr_all_fs(syslogd_t)
 fs_search_auto_mountpoints(syslogd_t)
@@ -470,7 +484,7 @@ userdom_dontaudit_search_user_home_dirs(syslogd_t)
 ifdef(`distro_gentoo',`
 	# default gentoo syslog-ng config appends kernel
 	# and high priority messages to /dev/tty12
-	term_append_unallocated_ttys(syslogd_t)
+	# and chown/chgrp/chmod /dev/tty12, which is denied
 	term_dontaudit_setattr_unallocated_ttys(syslogd_t)
 ')
 
@@ -489,8 +503,16 @@ optional_policy(`
 	bind_search_cache(syslogd_t)
 ')
 
+optional_policy(`
+	cron_manage_log_files(syslogd_t)
+	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
+')
+
 optional_policy(`
 	inn_manage_log(syslogd_t)
+	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
+	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")
+	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.notice")
 ')
 
 optional_policy(`