Add the allow_springboot_syslog_netsend boolean

lhqg · Aug 31, 2024 · 3b92311 · 3b92311
1 parent 92848a5
commit 3b92311
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -132,27 +132,32 @@ Examples:
 
 #### allow_springboot_connectto_http (default: `true`)
 
-When switch to `true`this boolean allows the Springboot application to connect to remote
+When switched to `true`, this boolean allows the Springboot application to connect to remote
 HTTP/HTTPS ports (locally assigned the `http_port_t` SELinux type).
 
 #### allow_springboot_connectto_self (default: `false`)
 
-When switch to `true`this boolean allows the Springboot application to connect to other remote
+When switched to `true`, this boolean allows the Springboot application to connect to other remote
 Springboot application (locally assigned the `springboot_port_t` SELinux type).
 
+#### allow_springboot_syslog_netsend (default: `false`)
+
+When switched to `true`, this boolean allows the Springboot application to use the syslog protocol to send log
+messages (both UDP and TCP transports).
+
 #### allow_springboot_connectto_ldap (default: `false`)
 
-When switch to `true`this boolean allows the Springboot application to connect to remote
+When switched to `true`, this boolean allows the Springboot application to connect to remote
 LDAP/LDAPS ports (locally assigned the `ldap_port_t` SELinux type).
 
 #### allow_springboot_connectto_smtp (default: `false`)
 
-When switch to `true`this boolean allows the Springboot application to connect to remote
+When switched to `true`, this boolean allows the Springboot application to connect to remote
 SMTP/SMTPS/submission ports (locally assigned the `smtp_port_t` SELinux type).
 
 #### Mutiple booleans allow_springboot_connectto_\<DB\> (default: `false`)
 
-When switch to `true`these boolean allows the Springboot application to connect to remote
+When switched to `true`, these boolean allows the Springboot application to connect to remote
 database server ports: `couchdb`, `mongodb`, `mysql` (MariaDB), `oracle`, `pgsql` (PostgreSQL), `redis`.
 
 #### allow_springboot_dynamic_libs (default: `false`)

diff --git a/se_module/springboot.te b/se_module/springboot.te
@@ -24,7 +24,7 @@
 #
 ############################################################################
 
-policy_module(springboot, 1.3.2)
+policy_module(springboot, 1.4.0)
 
 ########################################
 #
@@ -101,6 +101,8 @@ systemd_unit_file(springboot_unit_file_t);
 bool allow_springboot_connectto_http true;
 bool allow_springboot_connectto_self false;
 
+bool allow_springboot_syslog_netsend false;
+
 bool allow_springboot_connectto_ldap false;
 bool allow_springboot_connectto_smtp false;
 
@@ -130,6 +132,8 @@ gen_require(`
  type redis_port_t;
  type couchdb_port_t;
  type mongod_port_t;
+ type syslog_tls_port_t;
+ type syslogd_port_t;
 
  type httpd_t;
  type postfix_smtpd_t;
@@ -142,7 +146,7 @@ gen_require(`
  type redis_t;
  type couchdb_t;
  type mongod_t;
-
+ type syslogd_t;
 
  type node_t;
 
@@ -281,6 +285,13 @@ if (allow_springboot_connectto_self) {
  allow springboot_t springboot_t:peer recv;
 }
 
+if (allow_springboot_syslog_netsend) {
+ allow springboot_t syslogd_port_t:tcp_socket name_connect;
+ allow springboot_t syslogd_port_t:udp_socket send_msg;
+ allow springboot_t syslog_tls_port_t:tcp_socket name_connect;
+ allow springboot_t syslogd_t:peer recv;
+}
+
 if (allow_springboot_connectto_ldap) {
  allow springboot_t ldap_port_t:tcp_socket name_connect;
  allow springboot_t slapd_t:peer recv;