1 files changed, 60 insertions, 21 deletions
diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
index b06f3ef..a9ae381 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
@@ -15,11 +15,11 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 policy/modules/system/logging.te |    1 +
 3 files changed, 15 insertions(+), 1 deletion(-)
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index c005f33..9529e40 100644
 --- a/policy/modules/system/logging.fc
 +++ b/policy/modules/system/logging.fc
-@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
+@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
+ 
+ /var/axfrdns/log/main(/.*)?    gen_context(system_u:object_r:var_log_t,s0)
 /var/dnscache/log/main(/.*)?   gen_context(system_u:object_r:var_log_t,s0)
 
 /var/log               -d      gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
@@ -27,11 +27,13 @@ index c005f33..9529e40 100644
 /var/log/.*                    gen_context(system_u:object_r:var_log_t,s0)
 /var/log/boot\.log     --      gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/messages[^/]*         gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+ /var/log/secure[^/]*           gen_context(system_u:object_r:var_log_t,mls_systemhigh)
-index 4e94884..9a6f599 100644
+ /var/log/maillog[^/]*          gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
-@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
+@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
+ ## </param>
+ ## <rolecap/>
 #
 interface(`logging_read_audit_log',`
        gen_require(`
@@ -46,7 +48,11 @@ index 4e94884..9a6f599 100644
 ')
 
 ########################################
-@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
+ ## <summary>
+ ##     Execute auditctl in the auditctl domain.
+@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
+                type var_log_t;
+        ')
 
        files_search_var($1)
        allow $1 var_log_t:dir search_dir_perms;
@@ -54,7 +60,11 @@ index 4e94884..9a6f599 100644
 ')
 
 #######################################
-@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
+ ## <summary>
+ ##     Do not audit attempts to search the var log directory.
+@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
+                type var_log_t;
+        ')
 
        files_search_var($1)
        allow $1 var_log_t:dir list_dir_perms;
@@ -62,7 +72,11 @@ index 4e94884..9a6f599 100644
 ')
 
 #######################################
-@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
+ ## <summary>
+ ##     Read and write the generic log directory (/var/log).
+@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
+                type var_log_t;
+        ')
 
        files_search_var($1)
        allow $1 var_log_t:dir rw_dir_perms;
@@ -70,7 +84,11 @@ index 4e94884..9a6f599 100644
 ')
 
 #######################################
-@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',`
+ ## <summary>
+ ##     Search through all log dirs.
+@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
+ ## <rolecap/>
+ #
 interface(`logging_read_all_logs',`
        gen_require(`
                attribute logfile;
@@ -83,7 +101,11 @@ index 4e94884..9a6f599 100644
        read_files_pattern($1, logfile, logfile)
 ')
 
-@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',`
+ ########################################
+ ## <summary>
+@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
+ # cjp: not sure why this is needed.  This was added
+ # because of logrotate.
 interface(`logging_exec_all_logs',`
        gen_require(`
                attribute logfile;
@@ -96,7 +118,11 @@ index 4e94884..9a6f599 100644
        can_exec($1, logfile)
 ')
 
-@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',`
+ ########################################
+ ## <summary>
+@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
+                type var_log_t;
+        ')
 
        files_search_var($1)
        allow $1 var_log_t:dir list_dir_perms;
@@ -104,7 +130,11 @@ index 4e94884..9a6f599 100644
        read_files_pattern($1, var_log_t, var_log_t)
 ')
 
-@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',`
+ ########################################
+ ## <summary>
+@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
+                type var_log_t;
+        ')
 
        files_search_var($1)
        allow $1 var_log_t:dir list_dir_perms;
@@ -112,7 +142,11 @@ index 4e94884..9a6f599 100644
        write_files_pattern($1, var_log_t, var_log_t)
 ')
 
-@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',`
+ ########################################
+ ## <summary>
+@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
+                type var_log_t;
+        ')
 
        files_search_var($1)
        allow $1 var_log_t:dir list_dir_perms;
@@ -120,7 +154,11 @@ index 4e94884..9a6f599 100644
        rw_files_pattern($1, var_log_t, var_log_t)
 ')
 
-@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',`
+ ########################################
+ ## <summary>
+@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
+                type var_log_t;
+        ')
 
        files_search_var($1)
        manage_files_pattern($1, var_log_t, var_log_t)
@@ -128,11 +166,13 @@ index 4e94884..9a6f599 100644
 ')
 
 ########################################
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+ ## <summary>
-index 2ab0a49..2795d89 100644
+ ##     All of the rules required to administrate
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
+@@ -149,10 +149,11 @@ allow auditd_t auditd_etc_t:dir list_dir
+ allow auditd_t auditd_etc_t:file read_file_perms;
+ 
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t var_log_t:dir search_dir_perms;
@@ -140,6 +180,5 @@ index 2ab0a49..2795d89 100644
 
 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-- 
+ files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
-1.7.9.5
+

diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch index b06f3ef..a9ae381 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch
@@ -15,11 +15,11 @@ Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
15	policy/modules/system/logging.te \| 1 +	15	policy/modules/system/logging.te \| 1 +
16	3 files changed, 15 insertions(+), 1 deletion(-)	16	3 files changed, 15 insertions(+), 1 deletion(-)
17		17
18	diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
19	index c005f33..9529e40 100644
20	--- a/policy/modules/system/logging.fc	18	--- a/policy/modules/system/logging.fc
21	+++ b/policy/modules/system/logging.fc	19	+++ b/policy/modules/system/logging.fc
22	@@ -41,6 +41,7 @@ ifdef(`distro_suse', `	20	@@ -49,10 +49,11 @@ ifdef(`distro_suse', `
		21
		22	/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
23	/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)	23	/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
24		24
25	/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)	25	/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
@@ -27,11 +27,13 @@ index c005f33..9529e40 100644
27	/var/log/.* gen_context(system_u:object_r:var_log_t,s0)	27	/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
28	/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)	28	/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
29	/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)	29	/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
30	diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if	30	/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
31	index 4e94884..9a6f599 100644	31	/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
32	--- a/policy/modules/system/logging.if	32	--- a/policy/modules/system/logging.if
33	+++ b/policy/modules/system/logging.if	33	+++ b/policy/modules/system/logging.if
34	@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`	34	@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
		35	## </param>
		36	## <rolecap/>
35	#	37	#
36	interface(`logging_read_audit_log',`	38	interface(`logging_read_audit_log',`
37	gen_require(`	39	gen_require(`
@@ -46,7 +48,11 @@ index 4e94884..9a6f599 100644
46	')	48	')
47		49
48	########################################	50	########################################
49	@@ -626,6 +627,7 @@ interface(`logging_search_logs',`	51	## <summary>
		52	## Execute auditctl in the auditctl domain.
		53	@@ -665,10 +666,11 @@ interface(`logging_search_logs',`
		54	type var_log_t;
		55	')
50		56
51	files_search_var($1)	57	files_search_var($1)
52	allow $1 var_log_t:dir search_dir_perms;	58	allow $1 var_log_t:dir search_dir_perms;
@@ -54,7 +60,11 @@ index 4e94884..9a6f599 100644
54	')	60	')
55		61
56	#######################################	62	#######################################
57	@@ -663,6 +665,7 @@ interface(`logging_list_logs',`	63	## <summary>
		64	## Do not audit attempts to search the var log directory.
		65	@@ -702,10 +704,11 @@ interface(`logging_list_logs',`
		66	type var_log_t;
		67	')
58		68
59	files_search_var($1)	69	files_search_var($1)
60	allow $1 var_log_t:dir list_dir_perms;	70	allow $1 var_log_t:dir list_dir_perms;
@@ -62,7 +72,11 @@ index 4e94884..9a6f599 100644
62	')	72	')
63		73
64	#######################################	74	#######################################
65	@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`	75	## <summary>
		76	## Read and write the generic log directory (/var/log).
		77	@@ -721,10 +724,11 @@ interface(`logging_rw_generic_log_dirs',
		78	type var_log_t;
		79	')
66		80
67	files_search_var($1)	81	files_search_var($1)
68	allow $1 var_log_t:dir rw_dir_perms;	82	allow $1 var_log_t:dir rw_dir_perms;
@@ -70,7 +84,11 @@ index 4e94884..9a6f599 100644
70	')	84	')
71		85
72	#######################################	86	#######################################
73	@@ -793,10 +797,12 @@ interface(`logging_append_all_logs',`	87	## <summary>
		88	## Search through all log dirs.
		89	@@ -832,14 +836,16 @@ interface(`logging_append_all_logs',`
		90	## <rolecap/>
		91	#
74	interface(`logging_read_all_logs',`	92	interface(`logging_read_all_logs',`
75	gen_require(`	93	gen_require(`
76	attribute logfile;	94	attribute logfile;
@@ -83,7 +101,11 @@ index 4e94884..9a6f599 100644
83	read_files_pattern($1, logfile, logfile)	101	read_files_pattern($1, logfile, logfile)
84	')	102	')
85		103
86	@@ -815,10 +821,12 @@ interface(`logging_read_all_logs',`	104	########################################
		105	## <summary>
		106	@@ -854,14 +860,16 @@ interface(`logging_read_all_logs',`
		107	# cjp: not sure why this is needed. This was added
		108	# because of logrotate.
87	interface(`logging_exec_all_logs',`	109	interface(`logging_exec_all_logs',`
88	gen_require(`	110	gen_require(`
89	attribute logfile;	111	attribute logfile;
@@ -96,7 +118,11 @@ index 4e94884..9a6f599 100644
96	can_exec($1, logfile)	118	can_exec($1, logfile)
97	')	119	')
98		120
99	@@ -880,6 +888,7 @@ interface(`logging_read_generic_logs',`	121	########################################
		122	## <summary>
		123	@@ -919,10 +927,11 @@ interface(`logging_read_generic_logs',`
		124	type var_log_t;
		125	')
100		126
101	files_search_var($1)	127	files_search_var($1)
102	allow $1 var_log_t:dir list_dir_perms;	128	allow $1 var_log_t:dir list_dir_perms;
@@ -104,7 +130,11 @@ index 4e94884..9a6f599 100644
104	read_files_pattern($1, var_log_t, var_log_t)	130	read_files_pattern($1, var_log_t, var_log_t)
105	')	131	')
106		132
107	@@ -900,6 +909,7 @@ interface(`logging_write_generic_logs',`	133	########################################
		134	## <summary>
		135	@@ -939,10 +948,11 @@ interface(`logging_write_generic_logs',`
		136	type var_log_t;
		137	')
108		138
109	files_search_var($1)	139	files_search_var($1)
110	allow $1 var_log_t:dir list_dir_perms;	140	allow $1 var_log_t:dir list_dir_perms;
@@ -112,7 +142,11 @@ index 4e94884..9a6f599 100644
112	write_files_pattern($1, var_log_t, var_log_t)	142	write_files_pattern($1, var_log_t, var_log_t)
113	')	143	')
114		144
115	@@ -938,6 +948,7 @@ interface(`logging_rw_generic_logs',`	145	########################################
		146	## <summary>
		147	@@ -977,10 +987,11 @@ interface(`logging_rw_generic_logs',`
		148	type var_log_t;
		149	')
116		150
117	files_search_var($1)	151	files_search_var($1)
118	allow $1 var_log_t:dir list_dir_perms;	152	allow $1 var_log_t:dir list_dir_perms;
@@ -120,7 +154,11 @@ index 4e94884..9a6f599 100644
120	rw_files_pattern($1, var_log_t, var_log_t)	154	rw_files_pattern($1, var_log_t, var_log_t)
121	')	155	')
122		156
123	@@ -960,6 +971,7 @@ interface(`logging_manage_generic_logs',`	157	########################################
		158	## <summary>
		159	@@ -999,10 +1010,11 @@ interface(`logging_manage_generic_logs',
		160	type var_log_t;
		161	')
124		162
125	files_search_var($1)	163	files_search_var($1)
126	manage_files_pattern($1, var_log_t, var_log_t)	164	manage_files_pattern($1, var_log_t, var_log_t)
@@ -128,11 +166,13 @@ index 4e94884..9a6f599 100644
128	')	166	')
129		167
130	########################################	168	########################################
131	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te	169	## <summary>
132	index 2ab0a49..2795d89 100644	170	## All of the rules required to administrate
133	--- a/policy/modules/system/logging.te	171	--- a/policy/modules/system/logging.te
134	+++ b/policy/modules/system/logging.te	172	+++ b/policy/modules/system/logging.te
135	@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;	173	@@ -149,10 +149,11 @@ allow auditd_t auditd_etc_t:dir list_dir
		174	allow auditd_t auditd_etc_t:file read_file_perms;
		175
136	manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)	176	manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
137	manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)	177	manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
138	allow auditd_t var_log_t:dir search_dir_perms;	178	allow auditd_t var_log_t:dir search_dir_perms;
@@ -140,6 +180,5 @@ index 2ab0a49..2795d89 100644
140		180
141	manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)	181	manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
142	manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)	182	manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
143	--	183	files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
144	1.7.9.5	184
145