Diffstat (limited to 'recipes-security/refpolicy/refpolicy/0055-policy-modules-system-logging-fix-systemd-journald-s.patch')
-rw-r--r-- | recipes-security/refpolicy/refpolicy/0055-policy-modules-system-logging-fix-systemd-journald-s.patch | 74 |
1 files changed, 74 insertions, 0 deletions
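--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0055-policy-modules-system-logging-fix-systemd-journald-s.patch
@@ -0,0 +1,74 @@
+From e10a4ea43bb756bdecc30a3c14f0d2fe980405bd Mon Sep 17 00:00:00 2001
+From: Wenzong Fan <wenzong.fan@windriver.com>
+Date: Thu, 4 Feb 2016 02:10:15 -0500
+Subject: [PATCH] policy/modules/system/logging: fix systemd-journald startup
+failures
+
+Fixes:
+avc: denied { search } for pid=233 comm="systemd-journal" name="/"
+dev="tmpfs" ino=12398 scontext=system_u:system_r:syslogd_t
+tcontext=system_u:object_r:tmpfs_t tclass=dir permissive=0
+
+avc: denied { nlmsg_write } for pid=110 comm="systemd-journal"
+scontext=system_u:system_r:syslogd_t
+tcontext=system_u:system_r:syslogd_t tclass=netlink_audit_socket
+permissive=0
+
+avc: denied { audit_control } for pid=109 comm="systemd-journal"
+capability=30 scontext=system_u:system_r:syslogd_t
+tcontext=system_u:system_r:syslogd_t tclass=capability permissive=0
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com>
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+policy/modules/system/logging.fc | 1 +
+policy/modules/system/logging.te | 5 ++++-
+2 files changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
+index a4ecd570a..dee26a9f4 100644
+--- a/policy/modules/system/logging.fc
++++ b/policy/modules/system/logging.fc
+@@ -24,6 +24,7 @@
+/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
+/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
++/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 95309f334..1d45a5fa9 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -438,6 +438,7 @@ allow syslogd_t syslogd_runtime_t:sock_file { create setattr unlink };
+allow syslogd_t syslogd_runtime_t:file map;
+manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
++fs_search_tmpfs(syslogd_t)
+
+kernel_read_crypto_sysctls(syslogd_t)
+kernel_read_system_state(syslogd_t)
+@@ -517,6 +518,8 @@ init_use_fds(syslogd_t)
+# cjp: this doesnt make sense
+logging_send_syslog_msg(syslogd_t)
+
++logging_set_loginuid(syslogd_t)
++
+miscfiles_read_localization(syslogd_t)
+
+seutil_read_config(syslogd_t)
+@@ -529,7 +532,7 @@ ifdef(`init_systemd',`
+allow syslogd_t self:netlink_audit_socket connected_socket_perms;
+allow syslogd_t self:capability2 audit_read;
+allow syslogd_t self:capability { chown setgid setuid sys_ptrace };
+- allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write };
++ allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write };
+
+# remove /run/log/journal when switching to permanent storage
+allow syslogd_t var_log_t:dir rmdir;
+--
+2.17.1
+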
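Review bot: The `logging_set_loginuid(syslogd_t)` line (patch line 58) is the only change that can cover the `audit_control` capability denial quoted in the message, yet it is a broader grant than that denial names — the interface is about setting loginuid, so if it also attaches syslogd_t to the loginuid-setting attribute, journald receives more than the AVC asked for, and checking what the refpolicy interface actually expands to against a plain allow of just the capability would settle whether the narrower form suffices. Whichever is kept, a why-comment beside it would help the next reader, e.g. `# systemd-journald: needs capability audit_control (see AVC in commit message)`. The `logging.fc` entry for `syslog.*\.service` (patch line 38) is not explained by any of the three listed AVCs; one sentence in the description naming the unit file it labels would close that gap. The `nlmsg_write` addition on the audit netlink socket widens what syslogd_t may send to the audit subsystem; per the hunk header it sits inside the init_systemd ifdef block, which at least keeps it scoped to systemd builds.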