1 files changed, 74 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-logging-fix-systemd-journald-s.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-logging-fix-systemd-journald-s.patch
new file mode 100644
index 0000000..7291d2e
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-logging-fix-systemd-journald-s.patch
@@ -0,0 +1,74 @@
+From e10a4ea43bb756bdecc30a3c14f0d2fe980405bd Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 4 Feb 2016 02:10:15 -0500
+Subject: [PATCH] policy/modules/system/logging: fix systemd-journald startup
+ failures
+Fixes:
+avc:  denied  { search } for  pid=233 comm="systemd-journal" name="/"
+dev="tmpfs" ino=12398 scontext=system_u:system_r:syslogd_t
+tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
+avc:  denied  { nlmsg_write } for  pid=110 comm="systemd-journal"
+scontext=system_u:system_r:syslogd_t
+tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
+permissive=0
+avc:  denied  { audit_control } for  pid=109 comm="systemd-journal"
+capability=30  scontext=system_u:system_r:syslogd_t
+tcontext=system_u:system_r:syslogd_t tclass=capability permissive=0
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.fc | 1 +
+ policy/modules/system/logging.te | 5 ++++-
+ 2 files changed, 5 insertions(+), 1 deletion(-)
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index a4ecd570a..dee26a9f4 100644
+--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
+@@ -24,6 +24,7 @@
+ /usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+ /usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+ /usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+ /usr/lib/systemd/systemd-kmsg-syslogd  --      gen_context(system_u:object_r:syslogd_exec_t,s0)
+ 
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 95309f334..1d45a5fa9 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -438,6 +438,7 @@ allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
+ allow syslogd_t syslogd_runtime_t:file map;
+ manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+ files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
+fs_search_tmpfs(syslogd_t)
+ 
+ kernel_read_crypto_sysctls(syslogd_t)
+ kernel_read_system_state(syslogd_t)
+@@ -517,6 +518,8 @@ init_use_fds(syslogd_t)
+ # cjp: this doesnt make sense
+ logging_send_syslog_msg(syslogd_t)
+ 
+logging_set_loginuid(syslogd_t)
+
+ miscfiles_read_localization(syslogd_t)
+ 
+ seutil_read_config(syslogd_t)
+@@ -529,7 +532,7 @@ ifdef(`init_systemd',`
+        allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+        allow syslogd_t self:capability2 audit_read;
+        allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
+-       allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
+       allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
+ 
+        # remove /run/log/journal when switching to permanent storage
+        allow syslogd_t var_log_t:dir rmdir;
+-- 
+2.17.1

diff --git a/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-logging-fix-systemd-journald-s.patch b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-logging-fix-systemd-journald-s.patch new file mode 100644 index 0000000..7291d2e --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-logging-fix-systemd-journald-s.patch
@@ -0,0 +1,74 @@
	1	From e10a4ea43bb756bdecc30a3c14f0d2fe980405bd Mon Sep 17 00:00:00 2001
	2	From: Wenzong Fan <wenzong.fan@windriver.com>
	3	Date: Thu, 4 Feb 2016 02:10:15 -0500
	4	Subject: [PATCH] policy/modules/system/logging: fix systemd-journald startup
	5	failures
	6
	7	Fixes:
	8	avc: denied { search } for pid=233 comm="systemd-journal" name="/"
	9	dev="tmpfs" ino=12398 scontext=system_u:system_r:syslogd_t
	10	tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
	11
	12	avc: denied { nlmsg_write } for pid=110 comm="systemd-journal"
	13	scontext=system_u:system_r:syslogd_t
	14	tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
	15	permissive=0
	16
	17	avc: denied { audit_control } for pid=109 comm="systemd-journal"
	18	capability=30 scontext=system_u:system_r:syslogd_t
	19	tcontext=system_u:system_r:syslogd_t tclass=capability permissive=0
	20
	21	Upstream-Status: Inappropriate [embedded specific]
	22
	23	Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
	24	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	25	---
	26	policy/modules/system/logging.fc \| 1 +
	27	policy/modules/system/logging.te \| 5 ++++-
	28	2 files changed, 5 insertions(+), 1 deletion(-)
	29
	30	diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
	31	index a4ecd570a..dee26a9f4 100644
	32	--- a/policy/modules/system/logging.fc
	33	+++ b/policy/modules/system/logging.fc
	34	@@ -24,6 +24,7 @@
	35	/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
	36	/usr/lib/systemd/system/[^/]systemd-journal. -- gen_context(system_u:object_r:syslogd_unit_t,s0)
	37	/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
	38	+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
	39	/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
	40	/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
	41
	42	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
	43	index 95309f334..1d45a5fa9 100644
	44	--- a/policy/modules/system/logging.te
	45	+++ b/policy/modules/system/logging.te
	46	@@ -438,6 +438,7 @@ allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
	47	allow syslogd_t syslogd_runtime_t:file map;
	48	manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
	49	files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
	50	+fs_search_tmpfs(syslogd_t)
	51
	52	kernel_read_crypto_sysctls(syslogd_t)
	53	kernel_read_system_state(syslogd_t)
	54	@@ -517,6 +518,8 @@ init_use_fds(syslogd_t)
	55	# cjp: this doesnt make sense
	56	logging_send_syslog_msg(syslogd_t)
	57
	58	+logging_set_loginuid(syslogd_t)
	59	+
	60	miscfiles_read_localization(syslogd_t)
	61
	62	seutil_read_config(syslogd_t)
	63	@@ -529,7 +532,7 @@ ifdef(`init_systemd',`
	64	allow syslogd_t self:netlink_audit_socket connected_socket_perms;
	65	allow syslogd_t self:capability2 audit_read;
	66	allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
	67	- allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
	68	+ allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
	69
	70	# remove /run/log/journal when switching to permanent storage
	71	allow syslogd_t var_log_t:dir rmdir;
	72	--
	73	2.17.1
	74