diff options
| author | Yi Zhao <yi.zhao@windriver.com> | 2023-07-27 14:07:48 -0400 |
|---|---|---|
| committer | Joe MacDonald <joe@deserted.net> | 2023-07-31 15:05:30 -0400 |
| commit | 1924d975283210f0c36bc3c0e8ce516ccc06961f (patch) | |
| tree | 494be7575b6219b816613ddefb6072973d8e78d4 /recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-domain-rules-for-t.patch | |
| parent | 4f3ec6e10f13aaf19fbca9a18547f9e72ba1ec0a (diff) | |
| download | meta-selinux-dunfell.tar.gz | |
refpolicy: update to 20200229+gitdunfell
* Drop obsolete and unused patches.
* Rebase patches.
* Add patches to make systemd and sysvinit can work with all policy types.
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
(cherry picked from commit 15fed8756aa4828fa12a3d813754b4ca65a7607d)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Joe MacDonald <joe@deserted.net>
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-domain-rules-for-t.patch')
| -rw-r--r-- | recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-domain-rules-for-t.patch | 37 |
1 files changed, 37 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-domain-rules-for-t.patch b/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-domain-rules-for-t.patch new file mode 100644 index 0000000..90995dc --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0033-policy-modules-system-logging-add-domain-rules-for-t.patch | |||
| @@ -0,0 +1,37 @@ | |||
| 1 | From 0385f2374297ab2b8799fe1ec28d12e1682ec074 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
| 3 | Date: Fri, 23 Aug 2013 11:20:00 +0800 | ||
| 4 | Subject: [PATCH] policy/modules/system/logging: add domain rules for the | ||
| 5 | subdir symlinks in /var/ | ||
| 6 | |||
| 7 | Except /var/log,/var/run,/var/lock, there still other subdir symlinks in | ||
| 8 | /var for poky, so we need allow rules for all domains to read these | ||
| 9 | symlinks. Domains still need their practical allow rules to read the | ||
| 10 | contents, so this is still a secure relax. | ||
| 11 | |||
| 12 | Upstream-Status: Inappropriate [embedded specific] | ||
| 13 | |||
| 14 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
| 15 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
| 16 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
| 17 | --- | ||
| 18 | policy/modules/kernel/domain.te | 3 +++ | ||
| 19 | 1 file changed, 3 insertions(+) | ||
| 20 | |||
| 21 | diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te | ||
| 22 | index 4e43a208d..7e5d2b458 100644 | ||
| 23 | --- a/policy/modules/kernel/domain.te | ||
| 24 | +++ b/policy/modules/kernel/domain.te | ||
| 25 | @@ -110,6 +110,9 @@ term_use_controlling_term(domain) | ||
| 26 | # list the root directory | ||
| 27 | files_list_root(domain) | ||
| 28 | |||
| 29 | +# Yocto/oe-core use some var volatile links | ||
| 30 | +files_read_var_symlinks(domain) | ||
| 31 | + | ||
| 32 | ifdef(`hide_broken_symptoms',` | ||
| 33 | # This check is in the general socket | ||
| 34 | # listen code, before protocol-specific | ||
| 35 | -- | ||
| 36 | 2.17.1 | ||
| 37 | |||