1 files changed, 8 insertions, 67 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
index a9ae381..19342f5 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
 Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
 ---
 policy/modules/system/logging.fc |    1 +
 policy/modules/system/logging.if |   14 +++++++++++++-
@@ -17,7 +18,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
+@@ -39,10 +39,11 @@ ifdef(`distro_suse', `
 
 /var/axfrdns/log/main(/.*)?    gen_context(system_u:object_r:var_log_t,s0)
 /var/dnscache/log/main(/.*)?   gen_context(system_u:object_r:var_log_t,s0)
@@ -50,43 +51,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ########################################
 ## <summary>
 ##     Execute auditctl in the auditctl domain.
-@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
+@@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir search_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Do not audit attempts to search the var log directory.
-@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Read and write the generic log directory (/var/log).
-@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir rw_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
- ')
- 
- #######################################
- ## <summary>
- ##     Search through all log dirs.
-@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
 ## <rolecap/>
 #
 interface(`logging_read_all_logs',`
@@ -103,7 +68,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 ########################################
 ## <summary>
-@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
+@@ -972,14 +975,16 @@ interface(`logging_read_all_logs',`
 # cjp: not sure why this is needed.  This was added
 # because of logrotate.
 interface(`logging_exec_all_logs',`
@@ -120,7 +85,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 ########################################
 ## <summary>
-@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
+@@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',`
                type var_log_t;
        ')
 
@@ -132,31 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 
 ########################################
 ## <summary>
-@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
+@@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs',
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        write_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
-                type var_log_t;
-        ')
- 
-        files_search_var($1)
-        allow $1 var_log_t:dir list_dir_perms;
-+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
-        rw_files_pattern($1, var_log_t, var_log_t)
- ')
- 
- ########################################
- ## <summary>
-@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
                type var_log_t;
        ')
 
@@ -170,10 +111,10 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ##     All of the rules required to administrate
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -149,10 +149,11 @@ allow auditd_t auditd_etc_t:dir list_dir
+@@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi
- allow auditd_t auditd_etc_t:file read_file_perms;
 
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t var_log_t:dir search_dir_perms;
 +allow auditd_t var_log_t:lnk_file read_lnk_file_perms;

diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch index a9ae381..19342f5 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
@@ -9,6 +9,7 @@ lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
9	Upstream-Status: Inappropriate [only for Poky]	9	Upstream-Status: Inappropriate [only for Poky]
10		10
11	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>	11	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		12	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
12	---	13	---
13	policy/modules/system/logging.fc \| 1 +	14	policy/modules/system/logging.fc \| 1 +
14	policy/modules/system/logging.if \| 14 +++++++++++++-	15	policy/modules/system/logging.if \| 14 +++++++++++++-
@@ -17,7 +18,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
17		18
18	--- a/policy/modules/system/logging.fc	19	--- a/policy/modules/system/logging.fc
19	+++ b/policy/modules/system/logging.fc	20	+++ b/policy/modules/system/logging.fc
20	@@ -49,10 +49,11 @@ ifdef(`distro_suse', `	21	@@ -39,10 +39,11 @@ ifdef(`distro_suse', `
21		22
22	/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)	23	/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
23	/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)	24	/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
@@ -50,43 +51,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
50	########################################	51	########################################
51	## <summary>	52	## <summary>
52	## Execute auditctl in the auditctl domain.	53	## Execute auditctl in the auditctl domain.
53	@@ -665,10 +666,11 @@ interface(`logging_search_logs',`	54	@@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_
54	type var_log_t;
55	')
56
57	files_search_var($1)
58	allow $1 var_log_t:dir search_dir_perms;
59	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
60	')
61
62	#######################################
63	## <summary>
64	## Do not audit attempts to search the var log directory.
65	@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
66	type var_log_t;
67	')
68
69	files_search_var($1)
70	allow $1 var_log_t:dir list_dir_perms;
71	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
72	')
73
74	#######################################
75	## <summary>
76	## Read and write the generic log directory (/var/log).
77	@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
78	type var_log_t;
79	')
80
81	files_search_var($1)
82	allow $1 var_log_t:dir rw_dir_perms;
83	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
84	')
85
86	#######################################
87	## <summary>
88	## Search through all log dirs.
89	@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
90	## <rolecap/>	55	## <rolecap/>
91	#	56	#
92	interface(`logging_read_all_logs',`	57	interface(`logging_read_all_logs',`
@@ -103,7 +68,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
103		68
104	########################################	69	########################################
105	## <summary>	70	## <summary>
106	@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`	71	@@ -972,14 +975,16 @@ interface(`logging_read_all_logs',`
107	# cjp: not sure why this is needed. This was added	72	# cjp: not sure why this is needed. This was added
108	# because of logrotate.	73	# because of logrotate.
109	interface(`logging_exec_all_logs',`	74	interface(`logging_exec_all_logs',`
@@ -120,7 +85,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
120		85
121	########################################	86	########################################
122	## <summary>	87	## <summary>
123	@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`	88	@@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',`
124	type var_log_t;	89	type var_log_t;
125	')	90	')
126		91
@@ -132,31 +97,7 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
132		97
133	########################################	98	########################################
134	## <summary>	99	## <summary>
135	@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`	100	@@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs',
136	type var_log_t;
137	')
138
139	files_search_var($1)
140	allow $1 var_log_t:dir list_dir_perms;
141	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
142	write_files_pattern($1, var_log_t, var_log_t)
143	')
144
145	########################################
146	## <summary>
147	@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
148	type var_log_t;
149	')
150
151	files_search_var($1)
152	allow $1 var_log_t:dir list_dir_perms;
153	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
154	rw_files_pattern($1, var_log_t, var_log_t)
155	')
156
157	########################################
158	## <summary>
159	@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
160	type var_log_t;	101	type var_log_t;
161	')	102	')
162		103
@@ -170,10 +111,10 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
170	## All of the rules required to administrate	111	## All of the rules required to administrate
171	--- a/policy/modules/system/logging.te	112	--- a/policy/modules/system/logging.te
172	+++ b/policy/modules/system/logging.te	113	+++ b/policy/modules/system/logging.te
173	@@ -149,10 +149,11 @@ allow auditd_t auditd_etc_t:dir list_dir	114	@@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi
174	allow auditd_t auditd_etc_t:file read_file_perms;
175		115
176	manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)	116	manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
		117	allow auditd_t auditd_log_t:dir setattr;
177	manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)	118	manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
178	allow auditd_t var_log_t:dir search_dir_perms;	119	allow auditd_t var_log_t:dir search_dir_perms;
179	+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;	120	+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;