blob: 90995dc3f78fcc7305929c14ef1a165d8f018b66 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
|
From 0385f2374297ab2b8799fe1ec28d12e1682ec074 Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Fri, 23 Aug 2013 11:20:00 +0800
Subject: [PATCH] policy/modules/system/logging: add domain rules for the
subdir symlinks in /var/
Except /var/log,/var/run,/var/lock, there still other subdir symlinks in
/var for poky, so we need allow rules for all domains to read these
symlinks. Domains still need their practical allow rules to read the
contents, so this is still a secure relax.
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/kernel/domain.te | 3 +++
1 file changed, 3 insertions(+)
diff --git a/policy/modules/kernel/domain.te b/policy/modules/kernel/domain.te
index 4e43a208d..7e5d2b458 100644
--- a/policy/modules/kernel/domain.te
+++ b/policy/modules/kernel/domain.te
@@ -110,6 +110,9 @@ term_use_controlling_term(domain)
# list the root directory
files_list_root(domain)
+# Yocto/oe-core use some var volatile links
+files_read_var_symlinks(domain)
+
ifdef(`hide_broken_symptoms',`
# This check is in the general socket
# listen code, before protocol-specific
--
2.17.1
|
