From 3b92311c8b273413a9802930c34ca5ca57be878b Mon Sep 17 00:00:00 2001
From: Hubert Quarantel-Colombani
Date: Sat, 31 Aug 2024 15:37:43 +0200
Subject: [PATCH] Add the allow_springboot_syslog_netsend boolean

---
 README.md | 15 ++++++++++-----
 se_module/springboot.te | 15 +++++++++++++--
 2 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/README.md b/README.md
index 3a79a40..7df771d 100644
--- a/README.md
+++ b/README.md
@@ -132,27 +132,32 @@ Examples:
 
 #### allow_springboot_connectto_http (default: `true`)
 
-When switch to `true`this boolean allows the Springboot application to connect to remote
+When switched to `true`, this boolean allows the Springboot application to connect to remote
 HTTP/HTTPS ports (locally assigned the `http_port_t` SELinux type).
 
 #### allow_springboot_connectto_self (default: `false`)
 
-When switch to `true`this boolean allows the Springboot application to connect to other remote
+When switched to `true`, this boolean allows the Springboot application to connect to other remote
 Springboot application (locally assigned the `springboot_port_t` SELinux type).
 
+#### allow_springboot_syslog_netsend (default: `false`)
+
+When switched to `true`, this boolean allows the Springboot application to use the syslog protocol to send log
+messages (both UDP and TCP transports).
+
 #### allow_springboot_connectto_ldap (default: `false`)
 
-When switch to `true`this boolean allows the Springboot application to connect to remote
+When switched to `true`, this boolean allows the Springboot application to connect to remote
 LDAP/LDAPS ports (locally assigned the `ldap_port_t` SELinux type).
 
 #### allow_springboot_connectto_smtp (default: `false`)
 
-When switch to `true`this boolean allows the Springboot application to connect to remote
+When switched to `true`, this boolean allows the Springboot application to connect to remote
 SMTP/SMTPS/submission ports (locally assigned the `smtp_port_t` SELinux type).
 
 #### Mutiple booleans allow_springboot_connectto_\ (default: `false`)
 
-When switch to `true`these boolean allows the Springboot application to connect to remote
+When switched to `true`, these boolean allows the Springboot application to connect to remote
 database server ports: `couchdb`, `mongodb`, `mysql` (MariaDB), `oracle`, `pgsql` (PostgreSQL), `redis`.
 
 #### allow_springboot_dynamic_libs (default: `false`)
diff --git a/se_module/springboot.te b/se_module/springboot.te
index ba22231..71db939 100644
--- a/se_module/springboot.te
+++ b/se_module/springboot.te
@@ -24,7 +24,7 @@
 #
 ############################################################################
 
-policy_module(springboot, 1.3.2)
+policy_module(springboot, 1.4.0)
 
 ########################################
 #
@@ -101,6 +101,8 @@ systemd_unit_file(springboot_unit_file_t);
 
 bool allow_springboot_connectto_http true;
 bool allow_springboot_connectto_self false;
+bool allow_springboot_syslog_netsend false;
+
 bool allow_springboot_connectto_ldap false;
 bool allow_springboot_connectto_smtp false;
 
@@ -130,6 +132,8 @@ gen_require(`
 	type redis_port_t;
 	type couchdb_port_t;
 	type mongod_port_t;
+	type syslog_tls_port_t;
+	type syslogd_port_t;
 
 	type httpd_t;
 	type postfix_smtpd_t;
@@ -142,7 +146,7 @@ gen_require(`
 	type redis_t;
 	type couchdb_t;
 	type mongod_t;
-
+	type syslogd_t;
 
 	type node_t;
 
@@ -281,6 +285,13 @@ if (allow_springboot_connectto_self) {
 	allow springboot_t springboot_t:peer recv;
 }
 
+if (allow_springboot_syslog_netsend) {
+	allow springboot_t syslogd_port_t:tcp_socket name_connect;
+	allow springboot_t syslogd_port_t:udp_socket send_msg;
+	allow springboot_t syslog_tls_port_t:tcp_socket name_connect;
+	allow springboot_t syslogd_t:peer recv;
+}
+
 if (allow_springboot_connectto_ldap) {
 	allow springboot_t ldap_port_t:tcp_socket name_connect;
 	allow springboot_t slapd_t:peer recv;
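Review bot: The new `if (allow_springboot_syslog_netsend)` block grants `tcp_socket name_connect` only on `syslogd_port_t` and `syslog_tls_port_t`, but in refpolicy-derived port labeling TCP/514 carries `rsh_port_t` (`syslogd_port_t` is 514/udp, and as far as I recall also 601/tcp on Fedora/RHEL-derived policies; `syslog_tls_port_t` is 6514), so a TCP appender pointed at the conventional 514/tcp would still be denied even though the README paragraph added in the same commit promises "both UDP and TCP transports". Either document the ports the boolean actually covers, e.g. a comment above the block `# TCP syslog: syslogd_port_t (601/tcp where defined) and syslog_tls_port_t (6514/tcp); 514/tcp is rsh_port_t and stays denied`, with the same caveat in the README, or decide explicitly whether 514/tcp is meant to be in scope. Note also that `syslogd_port_t:udp_socket send_msg` is enforced only by the legacy compat_net per-port checks; with the `network_peer_controls` policy capability that modern base policies enable, UDP sends are not checked against the destination port type, so that line is most likely inert and the effective control for UDP is simply springboot_t's general udp_socket access — worth a comment so nobody relies on the boolean to block UDP syslog. `syslogd_t:peer recv` follows the pattern of the neighbouring `slapd_t:peer recv` and, like it, only takes effect under labeled networking (NetLabel/CIPSO), which is consistent with the rest of the module.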