From 776da889b550ac9e5be414a8cc10fd86b1923264 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Mon, 8 Apr 2019 13:50:40 -0400 Subject: refpolicy: update to 2.20190201 and git HEAD policies Additionally, the README has fallen out of date, update it to reflect the current reality of layer dependencies. Signed-off-by: Joe MacDonald --- ...le-logging-add-domain-rules-for-the-subdi.patch | 36 ++++++++++++++++++++++ 1 file changed, 36 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch (limited to 'recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch') diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch new file mode 100644 index 0000000..3d55476 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0020-policy-module-logging-add-domain-rules-for-the-subdi.patch 
@@ -0,0 +1,36 @@ +From 6a0b9c735253a2596bfb2a453694e620a1fdc50b Mon Sep 17 00:00:00 2001 +From: Xin Ouyang +Date: Fri, 23 Aug 2013 11:20:00 +0800 +Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir + symlinks in /var/ + +Except /var/log,/var/run,/var/lock, there still other subdir symlinks in +/var for poky, so we need allow rules for all domains to read these +symlinks. Domains still need their practical allow rules to read the +contents, so this is still a secure relax. + +Upstream-Status: Inappropriate [only for Poky] + +Signed-off-by: Xin Ouyang +Signed-off-by: Joe MacDonald +--- + policy/modules/kernel/domain.te | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te +index 1a55e3d2..babb794f 100644 +--- a/policy/modules/kernel/domain.te ++++ b/policy/modules/kernel/domain.te +@@ -110,6 +110,9 @@ term_use_controlling_term(domain) + # list the root directory + files_list_root(domain) + ++# Yocto/oe-core use some var volatile links ++files_read_var_symlinks(domain) ++ + ifdef(`hide_broken_symptoms',` + # This check is in the general socket + # listen code, before protocol-specific +-- +2.19.1 + -- cgit v1.2.3-54-g00ecf
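Review bot: the comment above the added `files_read_var_symlinks(domain)` line in policy/modules/kernel/domain.te ("Yocto/oe-core use some var volatile links") does not record that the rule is applied to the `domain` attribute, and so to every domain, or which links it is meant to cover. The embedded commit message carries that reasoning (subdir symlinks in /var other than /var/log, /var/run and /var/lock; domains still need their own allow rules to read the contents), but it will not be visible to someone auditing domain.te once the patch is applied. Suggest expanding the in-policy comment to say that this lets all domains read the /var subdir symlinks only, and that it is specific to Poky's layout as the Upstream-Status line notes, so the relaxation can be re-evaluated if the /var layout changes.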