1 files changed, 125 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch
new file mode 100644
index 0000000..b05f037
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch
@@ -0,0 +1,125 @@
+From e4bdbb101fd2af2d4fd8b87794443097b58d20ff Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of
+ /var/log
+/var/log is a symlink in poky, so we need allow rules for files to read
+lnk_file while doing search/list/delete/rw... in /var/log/ directory.
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.fc | 1 +
+ policy/modules/system/logging.if | 9 +++++++++
+ policy/modules/system/logging.te | 2 ++
+ 3 files changed, 12 insertions(+)
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index 5681acb51..a4ecd570a 100644
+--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
+@@ -52,6 +52,7 @@ ifdef(`distro_suse', `
+ /var/dnscache/log/main(/.*)?   gen_context(system_u:object_r:var_log_t,s0)
+ 
+ /var/log               -d      gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+/var/log               -l      gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/.*                    gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/dmesg         --      gen_context(system_u:object_r:var_log_t,s0)
+ /var/log/syslog                --      gen_context(system_u:object_r:var_log_t,s0)
+diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
+index e5f4080ac..e3cbe4f1a 100644
+--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
+@@ -1066,10 +1066,12 @@ interface(`logging_append_all_inherited_logs',`
+ interface(`logging_read_all_logs',`
+        gen_require(`
+                attribute logfile;
+               type var_log_t;
+        ')
+ 
+        files_search_var($1)
+        allow $1 logfile:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+        read_files_pattern($1, logfile, logfile)
+ ')
+ 
+@@ -1088,10 +1090,12 @@ interface(`logging_read_all_logs',`
+ interface(`logging_exec_all_logs',`
+        gen_require(`
+                attribute logfile;
+               type var_log_t;
+        ')
+ 
+        files_search_var($1)
+        allow $1 logfile:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+        can_exec($1, logfile)
+ ')
+ 
+@@ -1153,6 +1157,7 @@ interface(`logging_manage_generic_log_dirs',`
+ 
+        files_search_var($1)
+        allow $1 var_log_t:dir manage_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -1173,6 +1178,7 @@ interface(`logging_relabel_generic_log_dirs',`
+ 
+        files_search_var($1)
+        allow $1 var_log_t:dir { relabelfrom relabelto };
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -1193,6 +1199,7 @@ interface(`logging_read_generic_logs',`
+ 
+        files_search_var($1)
+        allow $1 var_log_t:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+        read_files_pattern($1, var_log_t, var_log_t)
+ ')
+ 
+@@ -1294,6 +1301,7 @@ interface(`logging_manage_generic_logs',`
+ 
+        files_search_var($1)
+        manage_files_pattern($1, var_log_t, var_log_t)
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -1312,6 +1320,7 @@ interface(`logging_watch_generic_logs_dir',`
+        ')
+ 
+        allow $1 var_log_t:dir watch;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 3702d441a..513d811ef 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t var_log_t:dir search_dir_perms;
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
+ manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
+@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+ manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch new file mode 100644 index 0000000..b05f037 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-add-rules-for-the-syml.patch
@@ -0,0 +1,125 @@
	1	From e4bdbb101fd2af2d4fd8b87794443097b58d20ff Mon Sep 17 00:00:00 2001
	2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
	3	Date: Thu, 22 Aug 2013 13:37:23 +0800
	4	Subject: [PATCH] policy/modules/system/logging: add rules for the symlink of
	5	/var/log
	6
	7	/var/log is a symlink in poky, so we need allow rules for files to read
	8	lnk_file while doing search/list/delete/rw... in /var/log/ directory.
	9
	10	Upstream-Status: Inappropriate [embedded specific]
	11
	12	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
	13	Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
	14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	15	---
	16	policy/modules/system/logging.fc \| 1 +
	17	policy/modules/system/logging.if \| 9 +++++++++
	18	policy/modules/system/logging.te \| 2 ++
	19	3 files changed, 12 insertions(+)
	20
	21	diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
	22	index 5681acb51..a4ecd570a 100644
	23	--- a/policy/modules/system/logging.fc
	24	+++ b/policy/modules/system/logging.fc
	25	@@ -52,6 +52,7 @@ ifdef(`distro_suse', `
	26	/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
	27
	28	/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
	29	+/var/log -l gen_context(system_u:object_r:var_log_t,s0)
	30	/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
	31	/var/log/dmesg -- gen_context(system_u:object_r:var_log_t,s0)
	32	/var/log/syslog -- gen_context(system_u:object_r:var_log_t,s0)
	33	diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
	34	index e5f4080ac..e3cbe4f1a 100644
	35	--- a/policy/modules/system/logging.if
	36	+++ b/policy/modules/system/logging.if
	37	@@ -1066,10 +1066,12 @@ interface(`logging_append_all_inherited_logs',`
	38	interface(`logging_read_all_logs',`
	39	gen_require(`
	40	attribute logfile;
	41	+ type var_log_t;
	42	')
	43
	44	files_search_var($1)
	45	allow $1 logfile:dir list_dir_perms;
	46	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
	47	read_files_pattern($1, logfile, logfile)
	48	')
	49
	50	@@ -1088,10 +1090,12 @@ interface(`logging_read_all_logs',`
	51	interface(`logging_exec_all_logs',`
	52	gen_require(`
	53	attribute logfile;
	54	+ type var_log_t;
	55	')
	56
	57	files_search_var($1)
	58	allow $1 logfile:dir list_dir_perms;
	59	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
	60	can_exec($1, logfile)
	61	')
	62
	63	@@ -1153,6 +1157,7 @@ interface(`logging_manage_generic_log_dirs',`
	64
	65	files_search_var($1)
	66	allow $1 var_log_t:dir manage_dir_perms;
	67	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
	68	')
	69
	70	########################################
	71	@@ -1173,6 +1178,7 @@ interface(`logging_relabel_generic_log_dirs',`
	72
	73	files_search_var($1)
	74	allow $1 var_log_t:dir { relabelfrom relabelto };
	75	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
	76	')
	77
	78	########################################
	79	@@ -1193,6 +1199,7 @@ interface(`logging_read_generic_logs',`
	80
	81	files_search_var($1)
	82	allow $1 var_log_t:dir list_dir_perms;
	83	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
	84	read_files_pattern($1, var_log_t, var_log_t)
	85	')
	86
	87	@@ -1294,6 +1301,7 @@ interface(`logging_manage_generic_logs',`
	88
	89	files_search_var($1)
	90	manage_files_pattern($1, var_log_t, var_log_t)
	91	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
	92	')
	93
	94	########################################
	95	@@ -1312,6 +1320,7 @@ interface(`logging_watch_generic_logs_dir',`
	96	')
	97
	98	allow $1 var_log_t:dir watch;
	99	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
	100	')
	101
	102	########################################
	103	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
	104	index 3702d441a..513d811ef 100644
	105	--- a/policy/modules/system/logging.te
	106	+++ b/policy/modules/system/logging.te
	107	@@ -161,6 +161,7 @@ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
	108	allow auditd_t auditd_log_t:dir setattr;
	109	manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
	110	allow auditd_t var_log_t:dir search_dir_perms;
	111	+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
	112
	113	manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
	114	manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
	115	@@ -288,6 +289,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
	116	allow audisp_remote_t self:process { getcap setcap };
	117	allow audisp_remote_t self:tcp_socket create_socket_perms;
	118	allow audisp_remote_t var_log_t:dir search_dir_perms;
	119	+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
	120
	121	manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
	122	manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
	123	--
	124	2.17.1
	125