1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
From 03cb6534f75812f3a33ac768fe83861e0805b0e0 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH 2/6] add rules for the symlink of /var/log
/var/log is a symlink in poky, so we need allow rules for files to read
lnk_file while doing search/list/delete/rw.. in /var/log/ directory.
Upstream-Status: Inappropriate [only for Poky]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
---
policy/modules/system/logging.fc | 1 +
policy/modules/system/logging.if | 14 +++++++++++++-
policy/modules/system/logging.te | 1 +
3 files changed, 15 insertions(+), 1 deletion(-)
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -39,10 +39,11 @@ ifdef(`distro_suse', `
/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+/var/log -l gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
## </param>
## <rolecap/>
#
interface(`logging_read_audit_log',`
gen_require(`
- type auditd_log_t;
+ type auditd_log_t, var_log_t;
')
files_search_var($1)
read_files_pattern($1, auditd_log_t, auditd_log_t)
allow $1 auditd_log_t:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## Execute auditctl in the auditctl domain.
@@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_
## <rolecap/>
#
interface(`logging_read_all_logs',`
gen_require(`
attribute logfile;
+ type var_log_t;
')
files_search_var($1)
allow $1 logfile:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
read_files_pattern($1, logfile, logfile)
')
########################################
## <summary>
@@ -972,14 +975,16 @@ interface(`logging_read_all_logs',`
# cjp: not sure why this is needed. This was added
# because of logrotate.
interface(`logging_exec_all_logs',`
gen_require(`
attribute logfile;
+ type var_log_t;
')
files_search_var($1)
allow $1 logfile:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
can_exec($1, logfile)
')
########################################
## <summary>
@@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',`
type var_log_t;
')
files_search_var($1)
allow $1 var_log_t:dir list_dir_perms;
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
read_files_pattern($1, var_log_t, var_log_t)
')
########################################
## <summary>
@@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs',
type var_log_t;
')
files_search_var($1)
manage_files_pattern($1, var_log_t, var_log_t)
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
')
########################################
## <summary>
## All of the rules required to administrate
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t auditd_log_t:dir setattr;
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t var_log_t:dir search_dir_perms;
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
|