1 files changed, 0 insertions, 185 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
deleted file mode 100644
index a7161d5..0000000
--- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch
+++ /dev/null
@@ -1,185 +0,0 @@
-From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
-From: Xin Ouyang <Xin.Ouyang@windriver.com>
-Date: Thu, 22 Aug 2013 13:37:23 +0800
-Subject: [PATCH 2/6] add rules for the symlink of /var/log
-/var/log is a symlink in poky, so we need allow rules for files to read
-lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
-Upstream-Status: Inappropriate [only for Poky]
-Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
- policy/modules/system/logging.fc |    1 +
- policy/modules/system/logging.if |   14 +++++++++++++-
- policy/modules/system/logging.te |    1 +
- 3 files changed, 15 insertions(+), 1 deletion(-)
--- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
- 
- /var/axfrdns/log/main(/.*)?    gen_context(system_u:object_r:var_log_t,s0)
- /var/dnscache/log/main(/.*)?   gen_context(system_u:object_r:var_log_t,s0)
- 
- /var/log               -d      gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
-+/var/log               -l      gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
- /var/log/.*                    gen_context(system_u:object_r:var_log_t,s0)
- /var/log/boot\.log     --      gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/messages[^/]*         gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/secure[^/]*           gen_context(system_u:object_r:var_log_t,mls_systemhigh)
- /var/log/maillog[^/]*          gen_context(system_u:object_r:var_log_t,mls_systemhigh)
--- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
- ## </param>
- ## <rolecap/>
- #
- interface(`logging_read_audit_log',`
-        gen_require(`
-               type auditd_log_t;
-+               type auditd_log_t, var_log_t;
-        ')
- 
-        files_search_var($1)
-        read_files_pattern($1, auditd_log_t, auditd_log_t)
-        allow $1 auditd_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     Execute auditctl in the auditctl domain.
-@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir search_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Do not audit attempts to search the var log directory.
-@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Read and write the generic log directory (/var/log).
-@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir rw_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Search through all log dirs.
-@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
- ## <rolecap/>
- #
- interface(`logging_read_all_logs',`
-        gen_require(`
-                attribute logfile;
-+               type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 logfile:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        read_files_pattern($1, logfile, logfile)
- ')
- 
- ########################################
- ## <summary>
-@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
- # cjp: not sure why this is needed.  This was added
- # because of logrotate.
- interface(`logging_exec_all_logs',`
-        gen_require(`
-                attribute logfile;
-+               type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 logfile:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        can_exec($1, logfile)
- ')
- 
- ########################################
- ## <summary>
-@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        read_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        write_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        rw_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        manage_files_pattern($1, var_log_t, var_log_t)
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- ########################################
- ## <summary>
- ##     All of the rules required to administrate
--- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -151,10 +151,11 @@ allow auditd_t auditd_etc_t:file read_fi
- 
- manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t auditd_log_t:dir setattr;
- manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
- allow auditd_t var_log_t:dir search_dir_perms;
-+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
- 
- manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
- files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
-

diff --git a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch deleted file mode 100644 index a7161d5..0000000 --- a/recipes-security/refpolicy/refpolicy-2.20170204/poky-policy-add-rules-for-var-log-symlink.patch +++ /dev/null
@@ -1,185 +0,0 @@
1	From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
3	Date: Thu, 22 Aug 2013 13:37:23 +0800
4	Subject: [PATCH 2/6] add rules for the symlink of /var/log
5
6	/var/log is a symlink in poky, so we need allow rules for files to read
7	lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
8
9	Upstream-Status: Inappropriate [only for Poky]
10
11	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
12	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
13	---
14	policy/modules/system/logging.fc \| 1 +
15	policy/modules/system/logging.if \| 14 +++++++++++++-
16	policy/modules/system/logging.te \| 1 +
17	3 files changed, 15 insertions(+), 1 deletion(-)
18
19	--- a/policy/modules/system/logging.fc
20	+++ b/policy/modules/system/logging.fc
21	@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
22
23	/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
24	/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
25
26	/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
27	+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
28	/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
29	/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
30	/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
31	/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
32	/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
33	--- a/policy/modules/system/logging.if
34	+++ b/policy/modules/system/logging.if
35	@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
36	## </param>
37	## <rolecap/>
38	#
39	interface(`logging_read_audit_log',`
40	gen_require(`
41	- type auditd_log_t;
42	+ type auditd_log_t, var_log_t;
43	')
44
45	files_search_var($1)
46	read_files_pattern($1, auditd_log_t, auditd_log_t)
47	allow $1 auditd_log_t:dir list_dir_perms;
48	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
49	')
50
51	########################################
52	## <summary>
53	## Execute auditctl in the auditctl domain.
54	@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
55	type var_log_t;
56	')
57
58	files_search_var($1)
59	allow $1 var_log_t:dir search_dir_perms;
60	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
61	')
62
63	#######################################
64	## <summary>
65	## Do not audit attempts to search the var log directory.
66	@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
67	type var_log_t;
68	')
69
70	files_search_var($1)
71	allow $1 var_log_t:dir list_dir_perms;
72	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
73	')
74
75	#######################################
76	## <summary>
77	## Read and write the generic log directory (/var/log).
78	@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
79	type var_log_t;
80	')
81
82	files_search_var($1)
83	allow $1 var_log_t:dir rw_dir_perms;
84	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
85	')
86
87	#######################################
88	## <summary>
89	## Search through all log dirs.
90	@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
91	## <rolecap/>
92	#
93	interface(`logging_read_all_logs',`
94	gen_require(`
95	attribute logfile;
96	+ type var_log_t;
97	')
98
99	files_search_var($1)
100	allow $1 logfile:dir list_dir_perms;
101	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
102	read_files_pattern($1, logfile, logfile)
103	')
104
105	########################################
106	## <summary>
107	@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
108	# cjp: not sure why this is needed. This was added
109	# because of logrotate.
110	interface(`logging_exec_all_logs',`
111	gen_require(`
112	attribute logfile;
113	+ type var_log_t;
114	')
115
116	files_search_var($1)
117	allow $1 logfile:dir list_dir_perms;
118	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
119	can_exec($1, logfile)
120	')
121
122	########################################
123	## <summary>
124	@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
125	type var_log_t;
126	')
127
128	files_search_var($1)
129	allow $1 var_log_t:dir list_dir_perms;
130	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
131	read_files_pattern($1, var_log_t, var_log_t)
132	')
133
134	########################################
135	## <summary>
136	@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
137	type var_log_t;
138	')
139
140	files_search_var($1)
141	allow $1 var_log_t:dir list_dir_perms;
142	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
143	write_files_pattern($1, var_log_t, var_log_t)
144	')
145
146	########################################
147	## <summary>
148	@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
149	type var_log_t;
150	')
151
152	files_search_var($1)
153	allow $1 var_log_t:dir list_dir_perms;
154	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
155	rw_files_pattern($1, var_log_t, var_log_t)
156	')
157
158	########################################
159	## <summary>
160	@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
161	type var_log_t;
162	')
163
164	files_search_var($1)
165	manage_files_pattern($1, var_log_t, var_log_t)
166	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
167	')
168
169	########################################
170	## <summary>
171	## All of the rules required to administrate
172	--- a/policy/modules/system/logging.te
173	+++ b/policy/modules/system/logging.te
174	@@ -151,10 +151,11 @@ allow auditd_t auditd_etc_t:file read_fi
175
176	manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
177	allow auditd_t auditd_log_t:dir setattr;
178	manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
179	allow auditd_t var_log_t:dir search_dir_perms;
180	+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
181
182	manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
183	manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
184	files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
185