1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
|
From 25036d5f5c41e4215d071d9c1eb77760a0eca87c Mon Sep 17 00:00:00 2001
From: Xin Ouyang <Xin.Ouyang@windriver.com>
Date: Thu, 22 Aug 2013 13:37:23 +0800
Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
Fixes:
avc: denied { getattr } for pid=322 comm="auditd"
path="/sbin/audisp-remote" dev="vda" ino=1115
scontext=system_u:system_r:auditd_t
tcontext=system_u:object_r:audisp_remote_exec_t tclass=file permissive=0
avc: denied { read } for pid=321 comm="auditd" name="log" dev="vda"
ino=12552 scontext=system_u:system_r:auditd_t
tcontext=system_u:object_r:var_log_t tclass=lnk_file permissive=0
avc: denied { getattr } for pid=183 comm="auditctl" name="/"
dev="proc" ino=1 scontext=system_u:system_r:auditctl_t
tcontext=system_u:object_r:proc_t tclass=filesystem permissive=0
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/system/logging.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 673046781..9b3254f63 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -117,6 +117,7 @@ files_read_etc_files(auditctl_t)
kernel_read_kernel_sysctls(auditctl_t)
kernel_read_proc_symlinks(auditctl_t)
kernel_setsched(auditctl_t)
+kernel_getattr_proc(auditctl_t)
domain_read_all_domains_state(auditctl_t)
domain_use_interactive_fds(auditctl_t)
@@ -157,10 +158,13 @@ allow auditd_t auditd_etc_t:dir list_dir_perms;
allow auditd_t auditd_etc_t:file read_file_perms;
dontaudit auditd_t auditd_etc_t:file map;
+allow auditd_t audisp_remote_exec_t:file getattr;
+
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t auditd_log_t:dir setattr;
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
allow auditd_t var_log_t:dir search_dir_perms;
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
manage_sock_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
@@ -284,6 +288,7 @@ allow audisp_remote_t self:capability { setpcap setuid };
allow audisp_remote_t self:process { getcap setcap };
allow audisp_remote_t self:tcp_socket create_socket_perms;
allow audisp_remote_t var_log_t:dir search_dir_perms;
+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
--
2.17.1
|
