diff options
Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch | 125 |
1 files changed, 125 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch new file mode 100644 index 0000000..b05f037 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch | |||
@@ -0,0 +1,125 @@ | |||
1 | From e4bdbb101fd2af2d4fd8b87794443097b58d20ff Mon Sep 17 00:00:00 2001 | ||
2 | From: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
3 | Date: Thu, 22 Aug 2013 13:37:23 +0800 | ||
4 | Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of | ||
5 | /var/log | ||
6 | |||
7 | /var/log is a symlink in poky, so we need allow rules for files to read | ||
8 | lnk_file while doing search/list/delete/rw... in /var/log/ directory. | ||
9 | |||
10 | Upstream-Status: Inappropriate [embedded specific] | ||
11 | |||
12 | Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com> | ||
13 | Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com> | ||
14 | Signed-off-by: Yi Zhao <yi.zhao@windriver.com> | ||
15 | --- | ||
16 | policy/modules/system/logging.fc | 1 + | ||
17 | policy/modules/system/logging.if | 9 +++++++++ | ||
18 | policy/modules/system/logging.te | 2 ++ | ||
19 | 3 files changed, 12 insertions(+) | ||
20 | |||
21 | diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc | ||
22 | index 5681acb51..a4ecd570a 100644 | ||
23 | --- a/policy/modules/system/logging.fc | ||
24 | +++ b/policy/modules/system/logging.fc | ||
25 | @@ -52,6 +52,7 @@ ifdef(`distro_suse', ` | ||
26 | /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) | ||
27 | |||
28 | /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) | ||
29 | +/var/log -l gen_context(system_u:object_r:var_log_t,s0) | ||
30 | /var/log/.* gen_context(system_u:object_r:var_log_t,s0) | ||
31 | /var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0) | ||
32 | /var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0) | ||
33 | diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if | ||
34 | index e5f4080ac..e3cbe4f1a 100644 | ||
35 | --- a/policy/modules/system/logging.if | ||
36 | +++ b/policy/modules/system/logging.if | ||
37 | @@ -1066,10 +1066,12 @@ interface(`logging_append_all_inherited_logs',` | ||
38 | interface(`logging_read_all_logs',` | ||
39 | gen_require(` | ||
40 | attribute logfile; | ||
41 | + type var_log_t; | ||
42 | ') | ||
43 | |||
44 | files_search_var($1) | ||
45 | allow $1 logfile:dir list_dir_perms; | ||
46 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
47 | read_files_pattern($1, logfile, logfile) | ||
48 | ') | ||
49 | |||
50 | @@ -1088,10 +1090,12 @@ interface(`logging_read_all_logs',` | ||
51 | interface(`logging_exec_all_logs',` | ||
52 | gen_require(` | ||
53 | attribute logfile; | ||
54 | + type var_log_t; | ||
55 | ') | ||
56 | |||
57 | files_search_var($1) | ||
58 | allow $1 logfile:dir list_dir_perms; | ||
59 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
60 | can_exec($1, logfile) | ||
61 | ') | ||
62 | |||
63 | @@ -1153,6 +1157,7 @@ interface(`logging_manage_generic_log_dirs',` | ||
64 | |||
65 | files_search_var($1) | ||
66 | allow $1 var_log_t:dir manage_dir_perms; | ||
67 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
68 | ') | ||
69 | |||
70 | ######################################## | ||
71 | @@ -1173,6 +1178,7 @@ interface(`logging_relabel_generic_log_dirs',` | ||
72 | |||
73 | files_search_var($1) | ||
74 | allow $1 var_log_t:dir { relabelfrom relabelto }; | ||
75 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
76 | ') | ||
77 | |||
78 | ######################################## | ||
79 | @@ -1193,6 +1199,7 @@ interface(`logging_read_generic_logs',` | ||
80 | |||
81 | files_search_var($1) | ||
82 | allow $1 var_log_t:dir list_dir_perms; | ||
83 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
84 | read_files_pattern($1, var_log_t, var_log_t) | ||
85 | ') | ||
86 | |||
87 | @@ -1294,6 +1301,7 @@ interface(`logging_manage_generic_logs',` | ||
88 | |||
89 | files_search_var($1) | ||
90 | manage_files_pattern($1, var_log_t, var_log_t) | ||
91 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
92 | ') | ||
93 | |||
94 | ######################################## | ||
95 | @@ -1312,6 +1320,7 @@ interface(`logging_watch_generic_logs_dir',` | ||
96 | ') | ||
97 | |||
98 | allow $1 var_log_t:dir watch; | ||
99 | + allow $1 var_log_t:lnk_file read_lnk_file_perms; | ||
100 | ') | ||
101 | |||
102 | ######################################## | ||
103 | diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te | ||
104 | index 3702d441a..513d811ef 100644 | ||
105 | --- a/policy/modules/system/logging.te | ||
106 | +++ b/policy/modules/system/logging.te | ||
107 | @@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
108 | allow auditd_t auditd_log_t:dir setattr; | ||
109 | manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) | ||
110 | allow auditd_t var_log_t:dir search_dir_perms; | ||
111 | +allow auditd_t var_log_t:lnk_file read_lnk_file_perms; | ||
112 | |||
113 | manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) | ||
114 | manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t) | ||
115 | @@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid }; | ||
116 | allow audisp_remote_t self:process { getcap setcap }; | ||
117 | allow audisp_remote_t self:tcp_socket create_socket_perms; | ||
118 | allow audisp_remote_t var_log_t:dir search_dir_perms; | ||
119 | +allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms; | ||
120 | |||
121 | manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) | ||
122 | manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t) | ||
123 | -- | ||
124 | 2.17.1 | ||
125 | |||