diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch | 96 |
1 files changed, 96 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch new file mode 100644 index 0000000..98b6156 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch | |||
@@ -0,0 +1,96 @@ | |||
1 | From 5694d5bdc5ff824c4d5848dcd61cf021305b5e00 Mon Sep 17 00:00:00 2001 | ||
2 | From: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
3 | Date: Fri, 26 Aug 2016 17:53:37 +0530 | ||
4 | Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin: | ||
5 | add allow rules | ||
6 | |||
7 | add allow rules for avc denails for systemd, mount, logging & authlogin | ||
8 | modules. | ||
9 | |||
10 | without this change we are getting avc denial like these: | ||
11 | |||
12 | type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd- | ||
13 | tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r: | ||
14 | systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass= | ||
15 | unix_dgram_socket permissive=0 | ||
16 | |||
17 | type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd- | ||
18 | tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u: | ||
19 | system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass= | ||
20 | file permissive=0 | ||
21 | |||
22 | type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount" | ||
23 | path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r: | ||
24 | mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket | ||
25 | |||
26 | type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292 | ||
27 | comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0 | ||
28 | tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1 | ||
29 | |||
30 | Upstream-Status: Pending | ||
31 | |||
32 | Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> | ||
33 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
34 | --- | ||
35 | policy/modules/system/authlogin.te | 2 ++ | ||
36 | policy/modules/system/logging.te | 7 ++++++- | ||
37 | policy/modules/system/mount.te | 3 +++ | ||
38 | policy/modules/system/systemd.te | 5 +++++ | ||
39 | 4 files changed, 16 insertions(+), 1 deletion(-) | ||
40 | |||
41 | diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te | ||
42 | index 345e07f3..39f860e0 100644 | ||
43 | --- a/policy/modules/system/authlogin.te | ||
44 | +++ b/policy/modules/system/authlogin.te | ||
45 | @@ -472,3 +472,5 @@ optional_policy(` | ||
46 | samba_read_var_files(nsswitch_domain) | ||
47 | samba_dontaudit_write_var_files(nsswitch_domain) | ||
48 | ') | ||
49 | + | ||
50 | +allow chkpwd_t proc_t:filesystem getattr; | ||
51 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
52 | index 8ab46925..520f7da6 100644 | ||
53 | --- a/policy/modules/system/logging.te | ||
54 | +++ b/policy/modules/system/logging.te | ||
55 | @@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append }; | ||
56 | allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; | ||
57 | allow auditd_t initrc_t:unix_dgram_socket sendto; | ||
58 | |||
59 | -allow klogd_t initrc_t:unix_dgram_socket sendto; | ||
60 | \ No newline at end of file | ||
61 | +allow klogd_t initrc_t:unix_dgram_socket sendto; | ||
62 | + | ||
63 | +allow syslogd_t self:shm create; | ||
64 | +allow syslogd_t self:sem { create read unix_write write }; | ||
65 | +allow syslogd_t self:shm { read unix_read unix_write write }; | ||
66 | +allow syslogd_t tmpfs_t:file { read write }; | ||
67 | diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te | ||
68 | index 3dcb8493..a87d0e82 100644 | ||
69 | --- a/policy/modules/system/mount.te | ||
70 | +++ b/policy/modules/system/mount.te | ||
71 | @@ -231,3 +231,6 @@ optional_policy(` | ||
72 | files_etc_filetrans_etc_runtime(unconfined_mount_t, file) | ||
73 | unconfined_domain(unconfined_mount_t) | ||
74 | ') | ||
75 | + | ||
76 | +allow mount_t proc_t:filesystem getattr; | ||
77 | +allow mount_t initrc_t:udp_socket { read write }; | ||
78 | diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te | ||
79 | index a6f09dfd..68b80de3 100644 | ||
80 | --- a/policy/modules/system/systemd.te | ||
81 | +++ b/policy/modules/system/systemd.te | ||
82 | @@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto }; | ||
83 | allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; | ||
84 | allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; | ||
85 | |||
86 | +allow systemd_tmpfiles_t init_t:dir search; | ||
87 | +allow systemd_tmpfiles_t proc_t:filesystem getattr; | ||
88 | +allow systemd_tmpfiles_t init_t:file read; | ||
89 | +allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto; | ||
90 | + | ||
91 | kernel_getattr_proc(systemd_tmpfiles_t) | ||
92 | kernel_read_kernel_sysctls(systemd_tmpfiles_t) | ||
93 | kernel_read_network_state(systemd_tmpfiles_t) | ||
94 | -- | ||
95 | 2.19.1 | ||
96 | |||