From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001 From: Xin Ouyang Date: Fri, 23 Aug 2013 11:20:00 +0800 Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir symlinks in /var/ Except /var/log,/var/run,/var/lock, there still other subdir symlinks in /var for poky, so we need allow rules for all domains to read these symlinks. Domains still need their practical allow rules to read the contents, so this is still a secure relax. Upstream-Status: Inappropriate [only for Poky] Signed-off-by: Xin Ouyang Signed-off-by: Joe MacDonald --- policy/modules/kernel/domain.te | 3 +++ 1 file changed, 3 insertions(+) diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te index 1a55e3d2..babb794f 100644 --- a/policy/modules/kernel/domain.te +++ b/policy/modules/kernel/domain.te @@ -110,6 +110,9 @@ term_use_controlling_term(domain) # list the root directory files_list_root(domain) +# Yocto/oe-core use some var volatile links +files_read_var_symlinks(domain) + ifdef(`hide_broken_symptoms',` # This check is in the general socket # listen code, before protocol-specific -- 2.19.1
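Review bot: The added `files_read_var_symlinks(domain)` after `files_list_root(domain)` is unconditional, so every type carrying the `domain` attribute gains the grant, including confined domains that never traverse /var. Since the commit message marks this as Poky-only, consider wrapping it in a distro conditional or narrowing it to the domains that actually resolve these links. The comment "Yocto/oe-core use some var volatile links" does not say which symlinks are meant, nor that the grant covers only the links themselves while access to the contents still needs each domain's own rules; that is the security argument made in the commit message and it is worth stating next to the rule. The subject prefix says policy/module/logging while the diff changes policy/modules/kernel/domain.te, so the prefix should match the file touched.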