1 files changed, 0 insertions, 86 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch
deleted file mode 100644
index a4b387a..0000000
--- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch
+++ /dev/null
@@ -1,86 +0,0 @@
-From a92be78e20a0838c2f04cf8d2781dcf918f8d7ab Mon Sep 17 00:00:00 2001
-From: Yi Zhao <yi.zhao@windriver.com>
-Date: Tue, 14 May 2019 16:02:19 +0800
-Subject: [PATCH] policy/modules/system/logging: set label devlog_t to symlink
- /dev/log
-* Set labe devlog_t to symlink /dev/log
-* Allow syslogd_t to manage devlog_t link file
-Fixes:
-avc:  denied  { unlink } for  pid=250 comm="rsyslogd" name="log"
-dev="devtmpfs" ino=10997
-scontext=system_u:system_r:syslogd_t:s15:c0.c1023
-tcontext=system_u:object_r:device_t:s0 tclass=lnk_file permissive=0
-Upstream-Status: Inappropriate [embedded specific]
-Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
- policy/modules/system/logging.fc | 2 ++
- policy/modules/system/logging.if | 4 ++++
- policy/modules/system/logging.te | 1 +
- 3 files changed, 7 insertions(+)
-diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
-index a4ecd570a..02f0b6270 100644
--- a/policy/modules/system/logging.fc
-+++ b/policy/modules/system/logging.fc
-@@ -1,4 +1,5 @@
- /dev/log               -s      gen_context(system_u:object_r:devlog_t,mls_systemhigh)
-+/dev/log               -l      gen_context(system_u:object_r:devlog_t,s0)
- 
- /etc/rsyslog\.conf                                     --      gen_context(system_u:object_r:syslog_conf_t,s0)
- /etc/syslog\.conf                                      --      gen_context(system_u:object_r:syslog_conf_t,s0)
-@@ -24,6 +25,7 @@
- /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
- /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
-+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
- /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
- /usr/lib/systemd/systemd-kmsg-syslogd  --      gen_context(system_u:object_r:syslogd_exec_t,s0)
- 
-diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 9bb3afdb2..7233a108c 100644
--- a/policy/modules/system/logging.if
-+++ b/policy/modules/system/logging.if
-@@ -661,6 +661,7 @@ interface(`logging_send_syslog_msg',`
-        ')
- 
-        allow $1 devlog_t:sock_file write_sock_file_perms;
-+       allow $1 devlog_t:lnk_file read_lnk_file_perms;
- 
-        # systemd journal socket is in /run/systemd/journal/dev-log
-        init_search_run($1)
-@@ -722,6 +723,7 @@ interface(`logging_relabelto_devlog_sock_files',`
-        ')
- 
-        allow $1 devlog_t:sock_file relabelto_sock_file_perms;
-+       allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
- ')
- 
- ########################################
-@@ -741,6 +743,8 @@ interface(`logging_create_devlog',`
- 
-        allow $1 devlog_t:sock_file manage_sock_file_perms;
-        dev_filetrans($1, devlog_t, sock_file)
-+       allow $1 devlog_t:lnk_file manage_lnk_file_perms;
-+       dev_filetrans($1, devlog_t, lnk_file)
-        init_runtime_filetrans($1, devlog_t, sock_file, "syslog")
- ')
- 
-diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 9b3254f63..d864cfd3d 100644
--- a/policy/modules/system/logging.te
-+++ b/policy/modules/system/logging.te
-@@ -398,6 +398,7 @@ allow syslogd_t syslog_conf_t:dir list_dir_perms;
- 
- # Create and bind to /dev/log or /var/run/log.
- allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
-+allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;
- files_runtime_filetrans(syslogd_t, devlog_t, sock_file)
- init_runtime_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
- 
-- 
-2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch b/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch deleted file mode 100644 index a4b387a..0000000 --- a/recipes-security/refpolicy/refpolicy/0053-policy-modules-system-logging-set-label-devlog_t-to-.patch +++ /dev/null
@@ -1,86 +0,0 @@
1	From a92be78e20a0838c2f04cf8d2781dcf918f8d7ab Mon Sep 17 00:00:00 2001
2	From: Yi Zhao <yi.zhao@windriver.com>
3	Date: Tue, 14 May 2019 16:02:19 +0800
4	Subject: [PATCH] policy/modules/system/logging: set label devlog_t to symlink
5	/dev/log
6
7	* Set labe devlog_t to symlink /dev/log
8	* Allow syslogd_t to manage devlog_t link file
9
10	Fixes:
11	avc: denied { unlink } for pid=250 comm="rsyslogd" name="log"
12	dev="devtmpfs" ino=10997
13	scontext=system_u:system_r:syslogd_t:s15:c0.c1023
14	tcontext=system_u:object_r:device_t:s0 tclass=lnk_file permissive=0
15
16	Upstream-Status: Inappropriate [embedded specific]
17
18	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
19	---
20	policy/modules/system/logging.fc \| 2 ++
21	policy/modules/system/logging.if \| 4 ++++
22	policy/modules/system/logging.te \| 1 +
23	3 files changed, 7 insertions(+)
24
25	diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
26	index a4ecd570a..02f0b6270 100644
27	--- a/policy/modules/system/logging.fc
28	+++ b/policy/modules/system/logging.fc
29	@@ -1,4 +1,5 @@
30	/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
31	+/dev/log -l gen_context(system_u:object_r:devlog_t,s0)
32
33	/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
34	/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
35	@@ -24,6 +25,7 @@
36	/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
37	/usr/lib/systemd/system/[^/]systemd-journal. -- gen_context(system_u:object_r:syslogd_unit_t,s0)
38	/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
39	+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
40	/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
41	/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
42
43	diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
44	index 9bb3afdb2..7233a108c 100644
45	--- a/policy/modules/system/logging.if
46	+++ b/policy/modules/system/logging.if
47	@@ -661,6 +661,7 @@ interface(`logging_send_syslog_msg',`
48	')
49
50	allow $1 devlog_t:sock_file write_sock_file_perms;
51	+ allow $1 devlog_t:lnk_file read_lnk_file_perms;
52
53	# systemd journal socket is in /run/systemd/journal/dev-log
54	init_search_run($1)
55	@@ -722,6 +723,7 @@ interface(`logging_relabelto_devlog_sock_files',`
56	')
57
58	allow $1 devlog_t:sock_file relabelto_sock_file_perms;
59	+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
60	')
61
62	########################################
63	@@ -741,6 +743,8 @@ interface(`logging_create_devlog',`
64
65	allow $1 devlog_t:sock_file manage_sock_file_perms;
66	dev_filetrans($1, devlog_t, sock_file)
67	+ allow $1 devlog_t:lnk_file manage_lnk_file_perms;
68	+ dev_filetrans($1, devlog_t, lnk_file)
69	init_runtime_filetrans($1, devlog_t, sock_file, "syslog")
70	')
71
72	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
73	index 9b3254f63..d864cfd3d 100644
74	--- a/policy/modules/system/logging.te
75	+++ b/policy/modules/system/logging.te
76	@@ -398,6 +398,7 @@ allow syslogd_t syslog_conf_t:dir list_dir_perms;
77
78	# Create and bind to /dev/log or /var/run/log.
79	allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
80	+allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;
81	files_runtime_filetrans(syslogd_t, devlog_t, sock_file)
82	init_runtime_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
83
84	--
85	2.17.1
86