| author | Mark Hatle <mark.hatle@windriver.com> | 2017-09-13 19:42:42 -0500 |
|---|---|---|
| committer | Mark Hatle <mark.hatle@windriver.com> | 2017-09-14 08:29:01 -0500 |
| commit | 8bd72dfb5aafe68b82e10d204d3f824a3b5de7af (patch) | |
| tree | f90741ae62cddd47c87009ff48d8ada522b08cde | |
| parent | 2c7c0e957f1fa72ec39b78eac9f6b46b6079dc32 (diff) | |
| download | meta-selinux-8bd72dfb5aafe68b82e10d204d3f824a3b5de7af.tar.gz | |
refpolicy-git: Update to latest git version
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
3 files changed, 33 insertions, 79 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch index 77f7fad..737c0a2 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch | |||
| @@ -15,26 +15,19 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 15 | policy/modules/system/logging.te | 1 + | 15 | policy/modules/system/logging.te | 1 + |
| 16 | 2 files changed, 5 insertions(+) | 16 | 2 files changed, 5 insertions(+) |
| 17 | 17 | ||
| 18 | --- a/policy/modules/system/logging.fc | 18 | Index: refpolicy/policy/modules/system/logging.fc |
| 19 | +++ b/policy/modules/system/logging.fc | 19 | =================================================================== |
| 20 | @@ -1,12 +1,14 @@ | 20 | --- refpolicy.orig/policy/modules/system/logging.fc |
| 21 | /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) | 21 | +++ refpolicy/policy/modules/system/logging.fc |
| 22 | @@ -2,6 +2,7 @@ | ||
| 22 | 23 | ||
| 23 | /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) | 24 | /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) |
| 24 | /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) | 25 | /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) |
| 25 | +/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) | 26 | +/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) |
| 27 | /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) | ||
| 26 | /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) | 28 | /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) |
| 27 | /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) | 29 | /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) |
| 28 | /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) | 30 | @@ -30,10 +31,12 @@ |
| 29 | +/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) | ||
| 30 | |||
| 31 | /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) | ||
| 32 | /usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) | ||
| 33 | /usr/bin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) | ||
| 34 | /usr/bin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) | ||
| 35 | @@ -27,14 +29,16 @@ | ||
| 36 | /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) | ||
| 37 | /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) | ||
| 38 | /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) | 31 | /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) |
| 39 | /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) | 32 | /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) |
| 40 | /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) | 33 | /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) |
| @@ -47,19 +40,15 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 47 | /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) | 40 | /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
| 48 | /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) | 41 | /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) |
| 49 | 42 | ||
| 50 | /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) | 43 | Index: refpolicy/policy/modules/system/logging.te |
| 51 | /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) | 44 | =================================================================== |
| 52 | --- a/policy/modules/system/logging.te | 45 | --- refpolicy.orig/policy/modules/system/logging.te |
| 53 | +++ b/policy/modules/system/logging.te | 46 | +++ refpolicy/policy/modules/system/logging.te |
| 54 | @@ -390,10 +390,11 @@ allow syslogd_t self:unix_dgram_socket s | 47 | @@ -396,6 +396,7 @@ allow syslogd_t self:udp_socket create_s |
| 55 | allow syslogd_t self:fifo_file rw_fifo_file_perms; | ||
| 56 | allow syslogd_t self:udp_socket create_socket_perms; | ||
| 57 | allow syslogd_t self:tcp_socket create_stream_socket_perms; | 48 | allow syslogd_t self:tcp_socket create_stream_socket_perms; |
| 58 | 49 | ||
| 59 | allow syslogd_t syslog_conf_t:file read_file_perms; | 50 | allow syslogd_t syslog_conf_t:file read_file_perms; |
| 60 | +allow syslogd_t syslog_conf_t:lnk_file read_file_perms; | 51 | +allow syslogd_t syslog_conf_t:lnk_file read_file_perms; |
| 52 | allow syslogd_t syslog_conf_t:dir list_dir_perms; | ||
| 61 | 53 | ||
| 62 | # Create and bind to /dev/log or /var/run/log. | 54 | # Create and bind to /dev/log or /var/run/log. |
| 63 | allow syslogd_t devlog_t:sock_file manage_sock_file_perms; | ||
| 64 | files_pid_filetrans(syslogd_t, devlog_t, sock_file) | ||
| 65 | init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") | ||
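Review bot: The regenerated patch silently drops the init-script labeling the old version added at its line 29, `+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)`; the new side's logging.fc hunk is now `@@ -2,6 +2,7 @@` with the single `/etc/syslog.conf\.sysklogd` addition, and new lines 22–30 are shown contiguously with no init-script entry. Unless the current upstream logging.fc labels that path itself (not visible here), the sysklogd alternative's init script will no longer receive syslogd_initrc_exec_t, and the commit message gives no reason for the drop. The header line `2 files changed, 5 insertions(+)` kept as context at line 16 also no longer matches the regenerated hunks, whose `@@` counts add 1+2+1 = 4 lines; either restore the entry or refresh the stat block when rebasing. The same stale-stat problem exists in the second patch file of this commit.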
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch index 75a5fa2..4a05a2a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch | |||
| @@ -16,11 +16,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 16 | policy/modules/system/logging.te | 1 + | 16 | policy/modules/system/logging.te | 1 + |
| 17 | 3 files changed, 15 insertions(+), 1 deletion(-) | 17 | 3 files changed, 15 insertions(+), 1 deletion(-) |
| 18 | 18 | ||
| 19 | --- a/policy/modules/system/logging.fc | 19 | Index: refpolicy/policy/modules/system/logging.fc |
| 20 | +++ b/policy/modules/system/logging.fc | 20 | =================================================================== |
| 21 | @@ -51,10 +51,11 @@ ifdef(`distro_suse', ` | 21 | --- refpolicy.orig/policy/modules/system/logging.fc |
| 22 | 22 | +++ refpolicy/policy/modules/system/logging.fc | |
| 23 | /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | 23 | @@ -53,6 +53,7 @@ ifdef(`distro_suse', ` |
| 24 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | 24 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) |
| 25 | 25 | ||
| 26 | /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | 26 | /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) |
| @@ -28,32 +28,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 28 | /var/log/.* gen_context(system_u:object_r:var_log_t,s0) | 28 | /var/log/.* gen_context(system_u:object_r:var_log_t,s0) |
| 29 | /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) | 29 | /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) |
| 30 | /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) | 30 | /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) |
| 31 | /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) | 31 | Index: refpolicy/policy/modules/system/logging.if |
| 32 | /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) | 32 | =================================================================== |
| 33 | --- a/policy/modules/system/logging.if | 33 | --- refpolicy.orig/policy/modules/system/logging.if |
| 34 | +++ b/policy/modules/system/logging.if | 34 | +++ refpolicy/policy/modules/system/logging.if |
| 35 | @@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters' | 35 | @@ -945,10 +945,12 @@ interface(`logging_append_all_inherited_ |
| 36 | ## </param> | ||
| 37 | ## <rolecap/> | ||
| 38 | # | ||
| 39 | interface(`logging_read_audit_log',` | ||
| 40 | gen_require(` | ||
| 41 | - type auditd_log_t; | ||
| 42 | + type auditd_log_t, var_log_t; | ||
| 43 | ') | ||
| 44 | |||
| 45 | files_search_var($1) | ||
| 46 | read_files_pattern($1, auditd_log_t, auditd_log_t) | ||
| 47 | allow $1 auditd_log_t:dir list_dir_perms; | ||
| 48 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
| 49 | ') | ||
| 50 | |||
| 51 | ######################################## | ||
| 52 | ## <summary> | ||
| 53 | ## Execute auditctl in the auditctl domain. | ||
| 54 | @@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_ | ||
| 55 | ## <rolecap/> | ||
| 56 | # | ||
| 57 | interface(`logging_read_all_logs',` | 36 | interface(`logging_read_all_logs',` |
| 58 | gen_require(` | 37 | gen_require(` |
| 59 | attribute logfile; | 38 | attribute logfile; |
| @@ -66,11 +45,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 66 | read_files_pattern($1, logfile, logfile) | 45 | read_files_pattern($1, logfile, logfile) |
| 67 | ') | 46 | ') |
| 68 | 47 | ||
| 69 | ######################################## | 48 | @@ -967,10 +969,12 @@ interface(`logging_read_all_logs',` |
| 70 | ## <summary> | ||
| 71 | @@ -972,14 +975,16 @@ interface(`logging_read_all_logs',` | ||
| 72 | # cjp: not sure why this is needed. This was added | ||
| 73 | # because of logrotate. | ||
| 74 | interface(`logging_exec_all_logs',` | 49 | interface(`logging_exec_all_logs',` |
| 75 | gen_require(` | 50 | gen_require(` |
| 76 | attribute logfile; | 51 | attribute logfile; |
| @@ -83,11 +58,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 83 | can_exec($1, logfile) | 58 | can_exec($1, logfile) |
| 84 | ') | 59 | ') |
| 85 | 60 | ||
| 86 | ######################################## | 61 | @@ -1072,6 +1076,7 @@ interface(`logging_read_generic_logs',` |
| 87 | ## <summary> | ||
| 88 | @@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',` | ||
| 89 | type var_log_t; | ||
| 90 | ') | ||
| 91 | 62 | ||
| 92 | files_search_var($1) | 63 | files_search_var($1) |
| 93 | allow $1 var_log_t:dir list_dir_perms; | 64 | allow $1 var_log_t:dir list_dir_perms; |
| @@ -95,11 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 95 | read_files_pattern($1, var_log_t, var_log_t) | 66 | read_files_pattern($1, var_log_t, var_log_t) |
| 96 | ') | 67 | ') |
| 97 | 68 | ||
| 98 | ######################################## | 69 | @@ -1173,6 +1178,7 @@ interface(`logging_manage_generic_logs', |
| 99 | ## <summary> | ||
| 100 | @@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs', | ||
| 101 | type var_log_t; | ||
| 102 | ') | ||
| 103 | 70 | ||
| 104 | files_search_var($1) | 71 | files_search_var($1) |
| 105 | manage_files_pattern($1, var_log_t, var_log_t) | 72 | manage_files_pattern($1, var_log_t, var_log_t) |
| @@ -107,13 +74,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 107 | ') | 74 | ') |
| 108 | 75 | ||
| 109 | ######################################## | 76 | ######################################## |
| 110 | ## <summary> | 77 | Index: refpolicy/policy/modules/system/logging.te |
| 111 | ## All of the rules required to administrate | 78 | =================================================================== |
| 112 | --- a/policy/modules/system/logging.te | 79 | --- refpolicy.orig/policy/modules/system/logging.te |
| 113 | +++ b/policy/modules/system/logging.te | 80 | +++ refpolicy/policy/modules/system/logging.te |
| 114 | @@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi | 81 | @@ -159,6 +159,7 @@ manage_files_pattern(auditd_t, auditd_lo |
| 115 | |||
| 116 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
| 117 | allow auditd_t auditd_log_t:dir setattr; | 82 | allow auditd_t auditd_log_t:dir setattr; |
| 118 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | 83 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) |
| 119 | allow auditd_t var_log_t:dir search_dir_perms; | 84 | allow auditd_t var_log_t:dir search_dir_perms; |
| @@ -121,5 +86,3 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | |||
| 121 | 86 | ||
| 122 | manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | 87 | manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) |
| 123 | manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) | 88 | manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) |
| 124 | files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file }) | ||
| 125 | |||
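Review bot: The whole `logging_read_audit_log` hunk of the old patch (its lines 35–55, adding `type auditd_log_t, var_log_t;` to the gen_require block and `allow $1 var_log_t:lnk_file read_lnk_file_perms;`) is absent from the regenerated patch: new lines 28–38 are shown contiguously and go straight from the logging.fc hunk to the `Index: refpolicy/policy/modules/system/logging.if` header and `logging_read_all_logs`. Domains that read audit logs through that interface therefore lose the lnk_file permission this patch exists to grant for the poky /var/log symlink, unless the current upstream logging.if already carries an equivalent rule; the commit message should say which it is. The summary line `3 files changed, 15 insertions(+), 1 deletion(-)` kept as context at line 17 now describes a deletion (`- type auditd_log_t;`) the patch no longer makes, so it should be refreshed or removed alongside the switch from `--- a/` to `Index:` style headers.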
diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index 21e3a4c..9c62da3 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc | |||
| @@ -1,3 +1,5 @@ | |||
| 1 | PV = "2.20170805+git${SRCPV}" | ||
| 2 | |||
| 1 | SRC_URI = "git://github.com/TresysTechnology/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy" | 3 | SRC_URI = "git://github.com/TresysTechnology/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy" |
| 2 | SRC_URI += "git://github.com/TresysTechnology/refpolicy-contrib.git;protocol=git;branch=master;name=refpolicy-contrib;destsuffix=refpolicy/policy/modules/contrib" | 4 | SRC_URI += "git://github.com/TresysTechnology/refpolicy-contrib.git;protocol=git;branch=master;name=refpolicy-contrib;destsuffix=refpolicy/policy/modules/contrib" |
| 3 | 5 | ||
