Diffstat (limited to 'recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch | 75 |
1 files changed, 8 insertions, 67 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch index a9ae381..19342f5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch | |||
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /var/log/ directory. | |||
9 | Upstream-Status: Inappropriate [only for Poky] | 9 | Upstream-Status: Inappropriate [only for Poky] |
10 | 10 | ||
11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | 11 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> |
12 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
12 | --- | 13 | --- |
13 | policy/modules/system/logging.fc | 1 + | 14 | policy/modules/system/logging.fc | 1 + |
14 | policy/modules/system/logging.if | 14 +++++++++++++- | 15 | policy/modules/system/logging.if | 14 +++++++++++++- |
@@ -17,7 +18,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
17 | 18 | ||
18 | --- a/policy/modules/system/logging.fc | 19 | --- a/policy/modules/system/logging.fc |
19 | +++ b/policy/modules/system/logging.fc | 20 | +++ b/policy/modules/system/logging.fc |
20 | @@ -49,10 +49,11 @@ ifdef(`distro_suse', ` | 21 | @@ -39,10 +39,11 @@ ifdef(`distro_suse', ` |
21 | 22 | ||
22 | /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | 23 | /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) |
23 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | 24 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) |
@@ -50,43 +51,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
50 | ######################################## | 51 | ######################################## |
51 | ## <summary> | 52 | ## <summary> |
52 | ## Execute auditctl in the auditctl domain. | 53 | ## Execute auditctl in the auditctl domain. |
53 | @@ -665,10 +666,11 @@ interface(`logging_search_logs',` | 54 | @@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_ |
54 | type var_log_t; | ||
55 | ') | ||
56 | |||
57 | files_search_var($1) | ||
58 | allow $1 var_log_t:dir search_dir_perms; | ||
59 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
60 | ') | ||
61 | |||
62 | ####################################### | ||
63 | ## <summary> | ||
64 | ## Do not audit attempts to search the var log directory. | ||
65 | @@ -702,10 +704,11 @@ interface(`logging_list_logs',` | ||
66 | type var_log_t; | ||
67 | ') | ||
68 | |||
69 | files_search_var($1) | ||
70 | allow $1 var_log_t:dir list_dir_perms; | ||
71 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
72 | ') | ||
73 | |||
74 | ####################################### | ||
75 | ## <summary> | ||
76 | ## Read and write the generic log directory (/var/log). | ||
77 | @@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs', | ||
78 | type var_log_t; | ||
79 | ') | ||
80 | |||
81 | files_search_var($1) | ||
82 | allow $1 var_log_t:dir rw_dir_perms; | ||
83 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
84 | ') | ||
85 | |||
86 | ####################################### | ||
87 | ## <summary> | ||
88 | ## Search through all log dirs. | ||
89 | @@ -832,14 +836,16 @@ interface(`logging_append_all_logs',` | ||
90 | ## <rolecap/> | 55 | ## <rolecap/> |
91 | # | 56 | # |
92 | interface(`logging_read_all_logs',` | 57 | interface(`logging_read_all_logs',` |
@@ -103,7 +68,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
103 | 68 | ||
104 | ######################################## | 69 | ######################################## |
105 | ## <summary> | 70 | ## <summary> |
106 | @@ -854,14 +860,16 @@ interface(`logging_read_all_logs',` | 71 | @@ -972,14 +975,16 @@ interface(`logging_read_all_logs',` |
107 | # cjp: not sure why this is needed. This was added | 72 | # cjp: not sure why this is needed. This was added |
108 | # because of logrotate. | 73 | # because of logrotate. |
109 | interface(`logging_exec_all_logs',` | 74 | interface(`logging_exec_all_logs',` |
@@ -120,7 +85,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
120 | 85 | ||
121 | ######################################## | 86 | ######################################## |
122 | ## <summary> | 87 | ## <summary> |
123 | @@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',` | 88 | @@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',` |
124 | type var_log_t; | 89 | type var_log_t; |
125 | ') | 90 | ') |
126 | 91 | ||
@@ -132,31 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
132 | 97 | ||
133 | ######################################## | 98 | ######################################## |
134 | ## <summary> | 99 | ## <summary> |
135 | @@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',` | 100 | @@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs', |
136 | type var_log_t; | ||
137 | ') | ||
138 | |||
139 | files_search_var($1) | ||
140 | allow $1 var_log_t:dir list_dir_perms; | ||
141 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
142 | write_files_pattern($1, var_log_t, var_log_t) | ||
143 | ') | ||
144 | |||
145 | ######################################## | ||
146 | ## <summary> | ||
147 | @@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',` | ||
148 | type var_log_t; | ||
149 | ') | ||
150 | |||
151 | files_search_var($1) | ||
152 | allow $1 var_log_t:dir list_dir_perms; | ||
153 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
154 | rw_files_pattern($1, var_log_t, var_log_t) | ||
155 | ') | ||
156 | |||
157 | ######################################## | ||
158 | ## <summary> | ||
159 | @@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs', | ||
160 | type var_log_t; | 101 | type var_log_t; |
161 | ') | 102 | ') |
162 | 103 | ||
@@ -170,10 +111,10 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | |||
170 | ## All of the rules required to administrate | 111 | ## All of the rules required to administrate |
171 | --- a/policy/modules/system/logging.te | 112 | --- a/policy/modules/system/logging.te |
172 | +++ b/policy/modules/system/logging.te | 113 | +++ b/policy/modules/system/logging.te |
173 | @@ -149,10 +149,11 @@ allow auditd_t auditd_etc_t:dir list_dir | 114 | @@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi |
174 | allow auditd_t auditd_etc_t:file read_file_perms; | ||
175 | 115 | ||
176 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | 116 | manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) |
117 | allow auditd_t auditd_log_t:dir setattr; | ||
177 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | 118 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) |
178 | allow auditd_t var_log_t:dir search_dir_perms; | 119 | allow auditd_t var_log_t:dir search_dir_perms; |
179 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; | 120 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; |
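Review bot: The rebase silently narrows what the patch grants: the hunk at `@@ -50,43 +51,7` drops the `allow $1 var_log_t:lnk_file read_lnk_file_perms;` line that the old patch added to logging_search_logs, logging_list_logs and logging_rw_generic_log_dirs, and the hunk at `@@ -132,31 +97,7` drops the same line from logging_write_generic_logs and logging_rw_generic_logs, while only logging_read_all_logs, logging_exec_all_logs, logging_read_generic_logs, logging_manage_generic_logs and the auditd_t rule in logging.te are kept. If the newer refpolicy these hunks are rebased onto already grants lnk_file read on var_log_t inside those interfaces, the removal is correct, but nothing on the page shows that; if it does not, callers of those five interfaces will again be denied when /var/log is a symlink, which is the exact failure the patch header at line 9 describes. The patch description should record the reason so the next rebase does not have to rediscover it, e.g. a sentence after the first paragraph: `Hunks for logging_search_logs, logging_list_logs, logging_rw_generic_log_dirs, logging_write_generic_logs and logging_rw_generic_logs were dropped because <REASON: upstream already grants lnk_file read / no longer needed>.` Verifying each dropped interface against the target refpolicy revision before merging would settle which of the two cases applies.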