blob: a49467181a51b135a09d66119b8945990aac19f8 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
|
From 07456143d9478b345dbe480e1b418b744de96751 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 11:20:00 +0800
Subject: [PATCH 20/34] policy/module/logging: add domain rules for the subdir
symlinks in /var/
Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
/var for poky, so we need allow rules for all domains to read these
symlinks. Domains still need their practical allow rules to read the
contents, so this is still a secure relax.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/kernel/domain.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 1a55e3d2..babb794f 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
+# Yocto/oe-core use some var volatile links
+files_read_var_symlinks(domain)
+
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
# listen code, before protocol-specific
--
2.19.1
|
