1 files changed, 48 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch
new file mode 100644
index 0000000..d07fa91
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch
@@ -0,0 +1,48 @@
+From 2476910f6d7f116148bb9311498b5c98692c1ef3 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Sat, 18 Dec 2021 17:31:45 +0800
+Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS
+ trusted.
+Make syslogd_runtime_t MLS trusted to allow all levels to read and write
+the object.
+Fixes:
+avc:  denied  { search } for  pid=314 comm="useradd" name="journal"
+dev="tmpfs" ino=34 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+avc:  denied  { search } for  pid=319 comm="passwd" name="journal"
+dev="tmpfs" ino=34 scontext=root:sysadm_r:passwd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
+permissive=0
+avc:  denied  { search } for pid=374 comm="rpc.statd" name="journal"
+dev="tmpfs" ino=9854 scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
+tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
+permissive=0
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 25e1d1397..ba0fd10e0 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -456,6 +456,8 @@ allow syslogd_t syslogd_runtime_t:file map;
+ manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
+ files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
+ 
+mls_trusted_object(syslogd_runtime_t)
+
+ kernel_read_system_state(syslogd_t)
+ kernel_read_network_state(syslogd_t)
+ kernel_read_kernel_sysctls(syslogd_t)
+-- 
+2.25.1

diff --git a/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch new file mode 100644 index 0000000..d07fa91 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0056-policy-modules-system-logging-make-syslogd_runtime_t.patch
@@ -0,0 +1,48 @@
	1	From 2476910f6d7f116148bb9311498b5c98692c1ef3 Mon Sep 17 00:00:00 2001
	2	From: Yi Zhao <yi.zhao@windriver.com>
	3	Date: Sat, 18 Dec 2021 17:31:45 +0800
	4	Subject: [PATCH] policy/modules/system/logging: make syslogd_runtime_t MLS
	5	trusted.
	6
	7	Make syslogd_runtime_t MLS trusted to allow all levels to read and write
	8	the object.
	9
	10	Fixes:
	11	avc: denied { search } for pid=314 comm="useradd" name="journal"
	12	dev="tmpfs" ino=34 scontext=root:sysadm_r:useradd_t:s0-s15:c0.c1023
	13	tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
	14	permissive=0
	15
	16	avc: denied { search } for pid=319 comm="passwd" name="journal"
	17	dev="tmpfs" ino=34 scontext=root:sysadm_r:passwd_t:s0-s15:c0.c1023
	18	tcontext=system_u:object_r:syslogd_runtime_t:s15:c0.c1023 tclass=dir
	19	permissive=0
	20
	21	avc: denied { search } for pid=374 comm="rpc.statd" name="journal"
	22	dev="tmpfs" ino=9854 scontext=system_u:system_r:rpcd_t:s0-s15:c0.c1023
	23	tcontext=system_u:object_r:syslogd_var_run_t:s15:c0.c1023 tclass=dir
	24	permissive=0
	25
	26	Upstream-Status: Inappropriate [embedded specific]
	27
	28	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
	29	---
	30	policy/modules/system/logging.te \| 2 ++
	31	1 file changed, 2 insertions(+)
	32
	33	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
	34	index 25e1d1397..ba0fd10e0 100644
	35	--- a/policy/modules/system/logging.te
	36	+++ b/policy/modules/system/logging.te
	37	@@ -456,6 +456,8 @@ allow syslogd_t syslogd_runtime_t:file map;
	38	manage_files_pattern(syslogd_t, syslogd_runtime_t, syslogd_runtime_t)
	39	files_runtime_filetrans(syslogd_t, syslogd_runtime_t, file)
	40
	41	+mls_trusted_object(syslogd_runtime_t)
	42	+
	43	kernel_read_system_state(syslogd_t)
	44	kernel_read_network_state(syslogd_t)
	45	kernel_read_kernel_sysctls(syslogd_t)
	46	--
	47	2.25.1
	48