Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch | 70 |
1 files changed, 0 insertions, 70 deletions
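diff --git a/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
deleted file mode 100644
index de9180a..0000000
--- a/recipes-security/refpolicy/refpolicy-git/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 3c7c492f060212bf7c854a27ffa6afa5035f4862 Mon Sep 17 00:00:00 2001
-From: Shrikant Bobade <shrikant_bobade@mentor.com>
-Date: Fri, 26 Aug 2016 17:54:29 +0530
-Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
-
-syslog & getty related allow rules required to fix the syslog mixup with
-boot log, while using systemd as init manager.
-
-without this change we are getting these avc denials:
-
-audit: avc: denied { search } for pid=484 comm="syslogd" name="/"
-dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
-system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev=
-"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
-object_r:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { add_name } for pid=390 comm="syslogd" name=
-"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
-:tmpfs_t:s0 tclass=dir permissive=0
-
-audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd
-/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
-system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
-
-audit: avc: denied { create } for pid=374 comm="syslogd" name="messages"
-scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
-s0 tclass=file permissive=0
-
-audit: avc: denied { append } for pid=423 comm="syslogd" name="messages"
-dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
-system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/
-volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
-syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
-
-Upstream-Status: Pending
-
-Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
-Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
----
-policy/modules/system/getty.te | 1 +
-policy/modules/system/logging.te | 3 ++-
-2 files changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
-index 423db0cc..9ab03956 100644
---- a/policy/modules/system/getty.te
-+++ b/policy/modules/system/getty.te
-@@ -132,3 +132,4 @@ optional_policy(`
-
-allow getty_t tmpfs_t:dir search;
-allow getty_t tmpfs_t:file { open write lock };
-+allow getty_t initrc_t:unix_dgram_socket sendto;
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 98c2bd19..6a94ac12 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -632,4 +632,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
-allow syslogd_t self:shm create;
-allow syslogd_t self:sem { create read unix_write write };
-allow syslogd_t self:shm { read unix_read unix_write write };
--allow syslogd_t tmpfs_t:file { read write };
-+allow syslogd_t tmpfs_t:file { read write create getattr append open };
-+allow syslogd_t tmpfs_t:dir { search write add_name };
---
-2.19.1
-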