1 files changed, 41 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
new file mode 100644
index 0000000..ae6e5cf
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -0,0 +1,41 @@
+From bd4f7608f50da4a829d9042311163922776146ca Mon Sep 17 00:00:00 2001
+From: Xin Ouyang <Xin.Ouyang@windriver.com>
+Date: Thu, 22 Aug 2013 13:37:23 +0800
+Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
+Fixes:
+avc:  denied  { read } for  pid=321 comm="auditd" name="log" dev="vda"
+ino=12552 scontext=system_u:system_r:auditd_t
+tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 45584dba6..8bc70b81d 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map;
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t auditd_log_t:dir setattr;
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ allow auditd_t var_log_t:dir search_dir_perms;
+ 
+ manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
+@@ -306,6 +307,7 @@ optional_policy(`
+ allow audisp_remote_t self:capability { setpcap setuid };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
+ 
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+-- 
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch new file mode 100644 index 0000000..ae6e5cf --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -0,0 +1,41 @@
	1	From bd4f7608f50da4a829d9042311163922776146ca Mon Sep 17 00:00:00 2001
	2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
	3	Date: Thu, 22 Aug 2013 13:37:23 +0800
	4	Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
	5
	6	Fixes:
	7	avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda"
	8	ino=12552 scontext=system_u:system_r:auditd_t
	9	tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
	10
	11	Upstream-Status: Inappropriate [embedded specific]
	12
	13	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
	14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	15	---
	16	policy/modules/system/logging.te \| 2 ++
	17	1 file changed, 2 insertions(+)
	18
	19	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
	20	index 45584dba6..8bc70b81d 100644
	21	--- a/policy/modules/system/logging.te
	22	+++ b/policy/modules/system/logging.te
	23	@@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map;
	24	manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
	25	allow auditd_t auditd_log_t:dir setattr;
	26	manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
	27	+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
	28	allow auditd_t var_log_t:dir search_dir_perms;
	29
	30	manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
	31	@@ -306,6 +307,7 @@ optional_policy(`
	32	allow audisp_remote_t self:capability { setpcap setuid };
	33	allow audisp_remote_t self:process { getcap setcap };
	34	allow audisp_remote_t self:tcp_socket create_socket_perms;
	35	+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
	36	allow audisp_remote_t var_log_t:dir search_dir_perms;
	37
	38	manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
	39	--
	40	2.25.1
	41