1 files changed, 43 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch
new file mode 100644
index 0000000..05a0887
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch
@@ -0,0 +1,43 @@
+From 1f7fb5de202cb30c45b4051b0bce6e9b1aa53ea8 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sat, 30 Sep 2023 17:20:29 +0800
+Subject: [PATCH] policy/modules/system/logging: allow systemd-tmpfiles to
+ create /var/log/audit
+Fixes:
+systemd[1]: Starting Security Auditing Service...
+auditd[246]: Could not open dir /var/log/audit (No such file or directory)
+auditd[246]: The audit daemon is exiting.
+systemd[1]: auditd.service: Control process exited, code=exited, status=6/NOTCONFIGURED
+systemd[1]: auditd.service: Failed with result 'exit-code'.
+systemd[1]: Failed to start Security Auditing Service.
+AVC avc:  denied  { create } for  pid=224 comm="systemd-tmpfile"
+name="audit" scontext=system_u:system_r:systemd_tmpfiles_t
+tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 4 ++++
+ 1 file changed, 4 insertions(+)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8bc70b81d..3cab14381 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -27,6 +27,10 @@ type auditd_log_t;
+ files_security_file(auditd_log_t)
+ files_security_mountpoint(auditd_log_t)
+ 
+optional_policy(`
+       systemd_tmpfilesd_managed(auditd_log_t)
+')
+
+ type audit_spool_t;
+ files_security_file(audit_spool_t)
+ files_security_mountpoint(audit_spool_t)
+-- 
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch new file mode 100644 index 0000000..05a0887 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0035-policy-modules-system-logging-allow-systemd-tmpfiles.patch
@@ -0,0 +1,43 @@
	1	From 1f7fb5de202cb30c45b4051b0bce6e9b1aa53ea8 Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Sat, 30 Sep 2023 17:20:29 +0800
	4	Subject: [PATCH] policy/modules/system/logging: allow systemd-tmpfiles to
	5	create /var/log/audit
	6
	7	Fixes:
	8	systemd[1]: Starting Security Auditing Service...
	9	auditd[246]: Could not open dir /var/log/audit (No such file or directory)
	10	auditd[246]: The audit daemon is exiting.
	11	systemd[1]: auditd.service: Control process exited, code=exited, status=6/NOTCONFIGURED
	12	systemd[1]: auditd.service: Failed with result 'exit-code'.
	13	systemd[1]: Failed to start Security Auditing Service.
	14
	15	AVC avc: denied { create } for pid=224 comm="systemd-tmpfile"
	16	name="audit" scontext=system_u:system_r:systemd_tmpfiles_t
	17	tcontext=system_u:object_r:auditd_log_t tclass=dir permissive=0
	18
	19	Upstream-Status: Inappropriate [embedded specific]
	20
	21	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	22	---
	23	policy/modules/system/logging.te \| 4 ++++
	24	1 file changed, 4 insertions(+)
	25
	26	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
	27	index 8bc70b81d..3cab14381 100644
	28	--- a/policy/modules/system/logging.te
	29	+++ b/policy/modules/system/logging.te
	30	@@ -27,6 +27,10 @@ type auditd_log_t;
	31	files_security_file(auditd_log_t)
	32	files_security_mountpoint(auditd_log_t)
	33
	34	+optional_policy(`
	35	+ systemd_tmpfilesd_managed(auditd_log_t)
	36	+')
	37	+
	38	type audit_spool_t;
	39	files_security_file(audit_spool_t)
	40	files_security_mountpoint(audit_spool_t)
	41	--
	42	2.25.1
	43