author | Mark Hatle <mark.hatle@windriver.com> | 2017-09-13 19:42:42 -0500 |
---|---|---|
committer | Mark Hatle <mark.hatle@windriver.com> | 2017-09-14 08:29:01 -0500 |
commit | 8bd72dfb5aafe68b82e10d204d3f824a3b5de7af (patch) | |
tree | f90741ae62cddd47c87009ff48d8ada522b08cde | |
parent | 2c7c0e957f1fa72ec39b78eac9f6b46b6079dc32 (diff) | |
refpolicy-git: Update to latest git version
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
3 files changed, 33 insertions, 79 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch index 77f7fad..737c0a2 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch | |||
@@ -15,26 +15,19 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
15 | policy/modules/system/logging.te | 1 + | 15 | policy/modules/system/logging.te | 1 + |
16 | 2 files changed, 5 insertions(+) | 16 | 2 files changed, 5 insertions(+) |
17 | 17 | ||
18 | --- a/policy/modules/system/logging.fc | 18 | Index: refpolicy/policy/modules/system/logging.fc |
19 | +++ b/policy/modules/system/logging.fc | 19 | =================================================================== |
20 | @@ -1,12 +1,14 @@ | 20 | --- refpolicy.orig/policy/modules/system/logging.fc |
21 | /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) | 21 | +++ refpolicy/policy/modules/system/logging.fc |
22 | @@ -2,6 +2,7 @@ | ||
22 | 23 | ||
23 | /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) | 24 | /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) |
24 | /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) | 25 | /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) |
25 | +/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) | 26 | +/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) |
27 | /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) | ||
26 | /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) | 28 | /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) |
27 | /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) | 29 | /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) |
28 | /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) | 30 | @@ -30,10 +31,12 @@ |
29 | +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) | ||
30 | |||
31 | /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) | ||
32 | /usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) | ||
33 | /usr/bin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) | ||
34 | /usr/bin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) | ||
35 | @@ -27,14 +29,16 @@ | ||
36 | /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) | ||
37 | /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) | ||
38 | /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) | 31 | /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) |
39 | /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) | 32 | /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) |
40 | /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | 33 | /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) |
@@ -47,19 +40,15 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
47 | /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) | 40 | /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
48 | /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | 41 | /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
49 | 42 | ||
50 | /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) | 43 | Index: refpolicy/policy/modules/system/logging.te |
51 | /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) | 44 | =================================================================== |
52 | --- a/policy/modules/system/logging.te | 45 | --- refpolicy.orig/policy/modules/system/logging.te |
53 | +++ b/policy/modules/system/logging.te | 46 | +++ refpolicy/policy/modules/system/logging.te |
54 | @@ -390,10 +390,11 @@ allow syslogd_t self:unix_dgram_socket s | 47 | @@ -396,6 +396,7 @@ allow syslogd_t self:udp_socket create_s |
55 | allow syslogd_t self:fifo_file rw_fifo_file_perms; | ||
56 | allow syslogd_t self:udp_socket create_socket_perms; | ||
57 | allow syslogd_t self:tcp_socket create_stream_socket_perms; | 48 | allow syslogd_t self:tcp_socket create_stream_socket_perms; |
58 | 49 | ||
59 | allow syslogd_t syslog_conf_t:file read_file_perms; | 50 | allow syslogd_t syslog_conf_t:file read_file_perms; |
60 | +allow syslogd_t syslog_conf_t:lnk_file read_file_perms; | 51 | +allow syslogd_t syslog_conf_t:lnk_file read_file_perms; |
52 | allow syslogd_t syslog_conf_t:dir list_dir_perms; | ||
61 | 53 | ||
62 | # Create and bind to /dev/log or /var/run/log. | 54 | # Create and bind to /dev/log or /var/run/log. |
63 | allow syslogd_t devlog_t:sock_file manage_sock_file_perms; | ||
64 | files_pid_filetrans(syslogd_t, devlog_t, sock_file) | ||
65 | init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") | ||
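Review bot: The re-rolled logging.fc hunk (`@@ -2,6 +2,7 @@`, new patch line 22) keeps only the `/etc/syslog.conf\.sysklogd` entry and no longer carries the `/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)` line the previous version of the patch added, and the commit message does not say whether upstream now labels that path. If the alternatives-managed init script is left with the directory's default label it presumably loses the `syslogd_initrc_exec_t` type the policy keys on for that script, so either restore the entry against the new fc layout or record in the patch preamble why it is no longer needed. The preamble still says `2 files changed, 5 insertions(+)` (patch line 16) while the three remaining hunk headers add up to four inserted lines; regenerating the diffstat when re-rolling would keep the preamble honest. The additions inside `@@ -30,10 +31,12 @@` fall outside the outer diff's context and cannot be checked here.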
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch index 75a5fa2..4a05a2a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch | |||
@@ -16,11 +16,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
16 | policy/modules/system/logging.te | 1 + | 16 | policy/modules/system/logging.te | 1 + |
17 | 3 files changed, 15 insertions(+), 1 deletion(-) | 17 | 3 files changed, 15 insertions(+), 1 deletion(-) |
18 | 18 | ||
19 | --- a/policy/modules/system/logging.fc | 19 | Index: refpolicy/policy/modules/system/logging.fc |
20 | +++ b/policy/modules/system/logging.fc | 20 | =================================================================== |
21 | @@ -51,10 +51,11 @@ ifdef(`distro_suse', ` | 21 | --- refpolicy.orig/policy/modules/system/logging.fc |
22 | 22 | +++ refpolicy/policy/modules/system/logging.fc | |
23 | /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | 23 | @@ -53,6 +53,7 @@ ifdef(`distro_suse', ` |
24 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | 24 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) |
25 | 25 | ||
26 | /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | 26 | /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) |
@@ -28,32 +28,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
28 | /var/log/.* gen_context(system_u:object_r:var_log_t,s0) | 28 | /var/log/.* gen_context(system_u:object_r:var_log_t,s0) |
29 | /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) | 29 | /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) |
30 | /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) | 30 | /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) |
31 | /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) | 31 | Index: refpolicy/policy/modules/system/logging.if |
32 | /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) | 32 | =================================================================== |
33 | --- a/policy/modules/system/logging.if | 33 | --- refpolicy.orig/policy/modules/system/logging.if |
34 | +++ b/policy/modules/system/logging.if | 34 | +++ refpolicy/policy/modules/system/logging.if |
35 | @@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters' | 35 | @@ -945,10 +945,12 @@ interface(`logging_append_all_inherited_ |
36 | ## </param> | ||
37 | ## <rolecap/> | ||
38 | # | ||
39 | interface(`logging_read_audit_log',` | ||
40 | gen_require(` | ||
41 | - type auditd_log_t; | ||
42 | + type auditd_log_t, var_log_t; | ||
43 | ') | ||
44 | |||
45 | files_search_var($1) | ||
46 | read_files_pattern($1, auditd_log_t, auditd_log_t) | ||
47 | allow $1 auditd_log_t:dir list_dir_perms; | ||
48 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
49 | ') | ||
50 | |||
51 | ######################################## | ||
52 | ## <summary> | ||
53 | ## Execute auditctl in the auditctl domain. | ||
54 | @@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_ | ||
55 | ## <rolecap/> | ||
56 | # | ||
57 | interface(`logging_read_all_logs',` | 36 | interface(`logging_read_all_logs',` |
58 | gen_require(` | 37 | gen_require(` |
59 | attribute logfile; | 38 | attribute logfile; |
@@ -66,11 +45,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
66 | read_files_pattern($1, logfile, logfile) | 45 | read_files_pattern($1, logfile, logfile) |
67 | ') | 46 | ') |
68 | 47 | ||
69 | ######################################## | 48 | @@ -967,10 +969,12 @@ interface(`logging_read_all_logs',` |
70 | ## <summary> | ||
71 | @@ -972,14 +975,16 @@ interface(`logging_read_all_logs',` | ||
72 | # cjp: not sure why this is needed. This was added | ||
73 | # because of logrotate. | ||
74 | interface(`logging_exec_all_logs',` | 49 | interface(`logging_exec_all_logs',` |
75 | gen_require(` | 50 | gen_require(` |
76 | attribute logfile; | 51 | attribute logfile; |
@@ -83,11 +58,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
83 | can_exec($1, logfile) | 58 | can_exec($1, logfile) |
84 | ') | 59 | ') |
85 | 60 | ||
86 | ######################################## | 61 | @@ -1072,6 +1076,7 @@ interface(`logging_read_generic_logs',` |
87 | ## <summary> | ||
88 | @@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',` | ||
89 | type var_log_t; | ||
90 | ') | ||
91 | 62 | ||
92 | files_search_var($1) | 63 | files_search_var($1) |
93 | allow $1 var_log_t:dir list_dir_perms; | 64 | allow $1 var_log_t:dir list_dir_perms; |
@@ -95,11 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
95 | read_files_pattern($1, var_log_t, var_log_t) | 66 | read_files_pattern($1, var_log_t, var_log_t) |
96 | ') | 67 | ') |
97 | 68 | ||
98 | ######################################## | 69 | @@ -1173,6 +1178,7 @@ interface(`logging_manage_generic_logs', |
99 | ## <summary> | ||
100 | @@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs', | ||
101 | type var_log_t; | ||
102 | ') | ||
103 | 70 | ||
104 | files_search_var($1) | 71 | files_search_var($1) |
105 | manage_files_pattern($1, var_log_t, var_log_t) | 72 | manage_files_pattern($1, var_log_t, var_log_t) |
@@ -107,13 +74,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
107 | ') | 74 | ') |
108 | 75 | ||
109 | ######################################## | 76 | ######################################## |
110 | ## <summary> | 77 | Index: refpolicy/policy/modules/system/logging.te |
111 | ## All of the rules required to administrate | 78 | =================================================================== |
112 | --- a/policy/modules/system/logging.te | 79 | --- refpolicy.orig/policy/modules/system/logging.te |
113 | +++ b/policy/modules/system/logging.te | 80 | +++ refpolicy/policy/modules/system/logging.te |
114 | @@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi | 81 | @@ -159,6 +159,7 @@ manage_files_pattern(auditd_t, auditd_lo |
115 | |||
116 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
117 | allow auditd_t auditd_log_t:dir setattr; | 82 | allow auditd_t auditd_log_t:dir setattr; |
118 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | 83 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) |
119 | allow auditd_t var_log_t:dir search_dir_perms; | 84 | allow auditd_t var_log_t:dir search_dir_perms; |
@@ -121,5 +86,3 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
121 | 86 | ||
122 | manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | 87 | manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) |
123 | manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | 88 | manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) |
124 | files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file }) | ||
125 | |||
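Review bot: The new version of this patch drops the whole `logging_read_audit_log` hunk (old patch lines 35-53, which added `var_log_t` to its `gen_require` and `allow $1 var_log_t:lnk_file read_lnk_file_perms;`), so callers of that interface are no longer granted the symlink read the patch exists to provide when /var/log is a symlink, and the commit message does not say whether upstream refpolicy now covers it. If the drop is deliberate, one preamble line such as `logging_read_audit_log: lnk_file rule no longer needed, handled upstream in <UPSTREAM-COMMIT-PLACEHOLDER>` would stop the next rebase from re-adding it; otherwise the hunk should be re-rolled against the new `logging.if` rather than removed. The preamble diffstat `3 files changed, 15 insertions(+), 1 deletion(-)` (patch line 17) appears not to match the remaining hunk headers, which now describe additions only, so it should be regenerated too. The added lines of the remaining hunks lie outside the outer diff's context and cannot be reviewed here.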
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index 21e3a4c..9c62da3 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc | |||
@@ -1,3 +1,5 @@ | |||
1 | PV = "2.20170805+git${SRCPV}" | ||
2 | |||
1 | SRC_URI = "git://github.com/TresysTechnology/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy" | 3 | SRC_URI = "git://github.com/TresysTechnology/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy" |
2 | SRC_URI += "git://github.com/TresysTechnology/refpolicy-contrib.git;protocol=git;branch=master;name=refpolicy-contrib;destsuffix=refpolicy/policy/modules/contrib" | 4 | SRC_URI += "git://github.com/TresysTechnology/refpolicy-contrib.git;protocol=git;branch=master;name=refpolicy-contrib;destsuffix=refpolicy/policy/modules/contrib" |
3 | 5 | ||