Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch | 86 |
1 files changed, 0 insertions, 86 deletions
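diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch
deleted file mode 100644
index a4b387a..0000000
--- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From a92be78e20a0838c2f04cf8d2781dcf918f8d7ab Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Tue, 14 May 2019 16:02:19 +0800
-Subject: [PATCH] policy/modules/system/logging: set label devlog_t to symlink
-/dev/log
-
-* Set labe devlog_t to symlink /dev/log
-* Allow syslogd_t to manage devlog_t link file
-
-Fixes:
-avc: denied { unlink } for pid=250 comm="rsyslogd" name="log"
-dev="devtmpfs" ino=10997
-scontext=system_u:system_r:syslogd_t:s15:c0.c1023
-tcontext=system_u:object_r:device_t:s0 tclass=lnk_file permissive=0
-
-Upstream-Status: Inappropriate [embedded specific]
-
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
----
-policy/modules/system/logging.fc | 2 ++
-policy/modules/system/logging.if | 4 ++++
-policy/modules/system/logging.te | 1 +
-3 files changed, 7 insertions(+)
-
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index a4ecd570a..02f0b6270 100644
---- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -1,4 +1,5 @@
-/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-+/dev/log -l gen_context(system_u:object_r:devlog_t,s0)
-
-/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
-@@ -24,6 +25,7 @@
-/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
-/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
-
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 9bb3afdb2..7233a108c 100644
---- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -661,6 +661,7 @@ interface(`logging_send_syslog_msg',`
-')
-
-allow $1 devlog_t:sock_file write_sock_file_perms;
-+ allow $1 devlog_t:lnk_file read_lnk_file_perms;
-
-# systemd journal socket is in /run/systemd/journal/dev-log
-init_search_run($1)
-@@ -722,6 +723,7 @@ interface(`logging_relabelto_devlog_sock_files',`
-')
-
-allow $1 devlog_t:sock_file relabelto_sock_file_perms;
-+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
-')
-
-########################################
-@@ -741,6 +743,8 @@ interface(`logging_create_devlog',`
-
-allow $1 devlog_t:sock_file manage_sock_file_perms;
-dev_filetrans($1, devlog_t, sock_file)
-+ allow $1 devlog_t:lnk_file manage_lnk_file_perms;
-+ dev_filetrans($1, devlog_t, lnk_file)
-init_runtime_filetrans($1, devlog_t, sock_file, "syslog")
-')
-
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b3254f63..d864cfd3d 100644
---- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -398,6 +398,7 @@ allow syslogd_t syslog_conf_t:dir list_dir_perms;
-
-# Create and bind to /dev/log or /var/run/log.
-allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-+allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;
-files_runtime_filetrans(syslogd_t, devlog_t, sock_file)
-init_runtime_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
-
---
-2.17.1
-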