summaryrefslogtreecommitdiffstats
path: root/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
diff options
context:
space:
mode:
authorJoe MacDonald <joe@deserted.net>2019-04-08 13:50:40 -0400
committerJoe MacDonald <joe@deserted.net>2019-04-10 10:57:14 -0400
commit776da889b550ac9e5be414a8cc10fd86b1923264 (patch)
tree79771fa29c551e934321434f4b5f3da7a27fd91f /recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
parenta6a3cadb1ef3203a123d8f5f9df27832f55b2ce3 (diff)
downloadmeta-selinux-jjm/RELEASE_2.20190201.tar.gz
refpolicy: update to 2.20190201 and git HEAD policiesjjm/RELEASE_2.20190201
Additionally, the README has fallen out of date, update it to reflect the current reality of layer dependencies. Signed-off-by: Joe MacDonald <joe@deserted.net>
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch')
-rw-r--r--recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch36
1 files changed, 36 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
new file mode 100644
index 0000000..a494671
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-git/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch
@@ -0,0 +1,36 @@
1From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001
2From: Xin Ouyang <Xin.Ouyang@windriver.com>
3Date: Fri, 23 Aug 2013 11:20:00 +0800
4Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
5 symlinks in /var/
6
7Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
8/var for poky, so we need allow rules for all domains to read these
9symlinks. Domains still need their practical allow rules to read the
10contents, so this is still a secure relax.
11
12Upstream-Status: Inappropriate [only for Poky]
13
14Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
15Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
16---
17 policy/modules/kernel/domain.te | 3 +++
18 1 file changed, 3 insertions(+)
19
20diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
21index 1a55e3d2..babb794f 100644
22--- a/policy/modules/kernel/domain.te
23+++ b/policy/modules/kernel/domain.te
24@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
25 # list the root directory
26 files_list_root(domain)
27
28+# Yocto/oe-core use some var volatile links
29+files_read_var_symlinks(domain)
30+
31 ifdef(`hide_broken_symptoms',`
32 # This check is in the general socket
33 # listen code, before protocol-specific
34--
352.19.1
36