1 files changed, 96 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
new file mode 100644
index 0000000..98b6156
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -0,0 +1,96 @@
+From 5694d5bdc5ff824c4d5848dcd61cf021305b5e00 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:37 +0530
+Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
+ add allow rules
+add allow rules for avc denails for systemd, mount, logging & authlogin
+modules.
+without this change we are getting avc denial like these:
+type=AVC msg=audit(): avc:  denied  { sendto } for pid=893 comm="systemd-
+tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
+systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
+unix_dgram_socket permissive=0
+type=AVC msg=audit(): avc:  denied  { open } for  pid=703 comm="systemd-
+tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
+system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
+file permissive=0
+type=AVC msg=audit(): avc:  denied  { read write } for  pid=486 comm="mount"
+path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
+mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
+type=AVC msg=audit(): avc:  denied  { unix_read unix_write } for  pid=292
+comm="syslogd" key=1095648583  scontext=system_u:system_r:syslogd_t:s0
+tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
+Upstream-Status: Pending
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+---
+ policy/modules/system/authlogin.te | 2 ++
+ policy/modules/system/logging.te   | 7 ++++++-
+ policy/modules/system/mount.te     | 3 +++
+ policy/modules/system/systemd.te   | 5 +++++
+ 4 files changed, 16 insertions(+), 1 deletion(-)
+diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
+index 345e07f3..39f860e0 100644
+--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
+@@ -472,3 +472,5 @@ optional_policy(`
+        samba_read_var_files(nsswitch_domain)
+        samba_dontaudit_write_var_files(nsswitch_domain)
+ ')
+
+allow chkpwd_t proc_t:filesystem getattr;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8ab46925..520f7da6 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
+ allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
+ allow auditd_t initrc_t:unix_dgram_socket sendto;
+ 
+-allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
+allow klogd_t initrc_t:unix_dgram_socket sendto;
+
+allow syslogd_t self:shm create;
+allow syslogd_t self:sem { create read unix_write write };
+allow syslogd_t self:shm { read unix_read unix_write write };
+allow syslogd_t tmpfs_t:file { read write };
+diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
+index 3dcb8493..a87d0e82 100644
+--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
+@@ -231,3 +231,6 @@ optional_policy(`
+        files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
+        unconfined_domain(unconfined_mount_t)
+ ')
+
+allow mount_t proc_t:filesystem getattr;
+allow mount_t initrc_t:udp_socket { read write };
+diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
+index a6f09dfd..68b80de3 100644
+--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
+@@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
+ allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
+ 
+allow systemd_tmpfiles_t init_t:dir search;
+allow systemd_tmpfiles_t proc_t:filesystem getattr;
+allow systemd_tmpfiles_t init_t:file read;
+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
+
+ kernel_getattr_proc(systemd_tmpfiles_t)
+ kernel_read_kernel_sysctls(systemd_tmpfiles_t)
+ kernel_read_network_state(systemd_tmpfiles_t)
+-- 
+2.19.1

diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch new file mode 100644 index 0000000..98b6156 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0004-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch
@@ -0,0 +1,96 @@
	1	From 5694d5bdc5ff824c4d5848dcd61cf021305b5e00 Mon Sep 17 00:00:00 2001
	2	From: Shrikant Bobade <shrikant_bobade@mentor.com>
	3	Date: Fri, 26 Aug 2016 17:53:37 +0530
	4	Subject: [PATCH 4/9] refpolicy-minimum: systemd: mount: logging: authlogin:
	5	add allow rules
	6
	7	add allow rules for avc denails for systemd, mount, logging & authlogin
	8	modules.
	9
	10	without this change we are getting avc denial like these:
	11
	12	type=AVC msg=audit(): avc: denied { sendto } for pid=893 comm="systemd-
	13	tmpfile" path="/run/systemd/journal/socket" scontext=system_u:system_r:
	14	systemd_tmpfiles_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=
	15	unix_dgram_socket permissive=0
	16
	17	type=AVC msg=audit(): avc: denied { open } for pid=703 comm="systemd-
	18	tmpfile" path="/proc/1/environ" dev="proc" ino=8841 scontext=system_u:
	19	system_r:systemd_tmpfiles_t:s0 tcontext=system_u:system_r:init_t:s0 tclass=
	20	file permissive=0
	21
	22	type=AVC msg=audit(): avc: denied { read write } for pid=486 comm="mount"
	23	path="socket:[9717]" dev="sockfs" ino=9717 scontext=system_u:system_r:
	24	mount_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=udp_socket
	25
	26	type=AVC msg=audit(): avc: denied { unix_read unix_write } for pid=292
	27	comm="syslogd" key=1095648583 scontext=system_u:system_r:syslogd_t:s0
	28	tcontext=system_u:system_r:syslogd_t:s0 tclass=shm permissive=1
	29
	30	Upstream-Status: Pending
	31
	32	Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
	33	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	34	---
	35	policy/modules/system/authlogin.te \| 2 ++
	36	policy/modules/system/logging.te \| 7 ++++++-
	37	policy/modules/system/mount.te \| 3 +++
	38	policy/modules/system/systemd.te \| 5 +++++
	39	4 files changed, 16 insertions(+), 1 deletion(-)
	40
	41	diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
	42	index 345e07f3..39f860e0 100644
	43	--- a/policy/modules/system/authlogin.te
	44	+++ b/policy/modules/system/authlogin.te
	45	@@ -472,3 +472,5 @@ optional_policy(`
	46	samba_read_var_files(nsswitch_domain)
	47	samba_dontaudit_write_var_files(nsswitch_domain)
	48	')
	49	+
	50	+allow chkpwd_t proc_t:filesystem getattr;
	51	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
	52	index 8ab46925..520f7da6 100644
	53	--- a/policy/modules/system/logging.te
	54	+++ b/policy/modules/system/logging.te
	55	@@ -627,4 +627,9 @@ allow auditd_t tmpfs_t:file { getattr setattr create open read append };
	56	allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
	57	allow auditd_t initrc_t:unix_dgram_socket sendto;
	58
	59	-allow klogd_t initrc_t:unix_dgram_socket sendto;
	60	\ No newline at end of file
	61	+allow klogd_t initrc_t:unix_dgram_socket sendto;
	62	+
	63	+allow syslogd_t self:shm create;
	64	+allow syslogd_t self:sem { create read unix_write write };
	65	+allow syslogd_t self:shm { read unix_read unix_write write };
	66	+allow syslogd_t tmpfs_t:file { read write };
	67	diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
	68	index 3dcb8493..a87d0e82 100644
	69	--- a/policy/modules/system/mount.te
	70	+++ b/policy/modules/system/mount.te
	71	@@ -231,3 +231,6 @@ optional_policy(`
	72	files_etc_filetrans_etc_runtime(unconfined_mount_t, file)
	73	unconfined_domain(unconfined_mount_t)
	74	')
	75	+
	76	+allow mount_t proc_t:filesystem getattr;
	77	+allow mount_t initrc_t:udp_socket { read write };
	78	diff --git a/policy/modules/system/systemd.te b/policy/modules/system/systemd.te
	79	index a6f09dfd..68b80de3 100644
	80	--- a/policy/modules/system/systemd.te
	81	+++ b/policy/modules/system/systemd.te
	82	@@ -993,6 +993,11 @@ allow systemd_tmpfiles_t systemd_journal_t:file { relabelfrom relabelto };
	83	allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
	84	allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
	85
	86	+allow systemd_tmpfiles_t init_t:dir search;
	87	+allow systemd_tmpfiles_t proc_t:filesystem getattr;
	88	+allow systemd_tmpfiles_t init_t:file read;
	89	+allow systemd_tmpfiles_t initrc_t:unix_dgram_socket sendto;
	90	+
	91	kernel_getattr_proc(systemd_tmpfiles_t)
	92	kernel_read_kernel_sysctls(systemd_tmpfiles_t)
	93	kernel_read_network_state(systemd_tmpfiles_t)
	94	--
	95	2.19.1
	96