1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
From a92be78e20a0838c2f04cf8d2781dcf918f8d7ab Mon Sep 17 00:00:00 2001
From: Yi Zhao <yi.zhao@windriver.com>
Date: Tue, 14 May 2019 16:02:19 +0800
Subject: [PATCH] policy/modules/system/logging: set label devlog_t to symlink
/dev/log
* Set labe devlog_t to symlink /dev/log
* Allow syslogd_t to manage devlog_t link file
Fixes:
avc: denied { unlink } for pid=250 comm="rsyslogd" name="log"
dev="devtmpfs" ino=10997
scontext=system_u:system_r:syslogd_t:s15:c0.c1023
tcontext=system_u:object_r:device_t:s0 tclass=lnk_file permissive=0
Upstream-Status: Inappropriate [embedded specific]
Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
---
policy/modules/system/logging.fc | 2 ++
policy/modules/system/logging.if | 4 ++++
policy/modules/system/logging.te | 1 +
3 files changed, 7 insertions(+)
diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index a4ecd570a..02f0b6270 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -1,4 +1,5 @@
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
+/dev/log -l gen_context(system_u:object_r:devlog_t,s0)
/etc/rsyslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
/etc/syslog\.conf -- gen_context(system_u:object_r:syslog_conf_t,s0)
@@ -24,6 +25,7 @@
/usr/lib/systemd/system/auditd.* -- gen_context(system_u:object_r:auditd_unit_t,s0)
/usr/lib/systemd/system/[^/]*systemd-journal.* -- gen_context(system_u:object_r:syslogd_unit_t,s0)
/usr/lib/systemd/system/rsyslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
+/usr/lib/systemd/system/syslog.*\.service -- gen_context(system_u:object_r:syslogd_unit_t,s0)
/usr/lib/systemd/systemd-journald -- gen_context(system_u:object_r:syslogd_exec_t,s0)
/usr/lib/systemd/systemd-kmsg-syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 9bb3afdb2..7233a108c 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -661,6 +661,7 @@ interface(`logging_send_syslog_msg',`
')
allow $1 devlog_t:sock_file write_sock_file_perms;
+ allow $1 devlog_t:lnk_file read_lnk_file_perms;
# systemd journal socket is in /run/systemd/journal/dev-log
init_search_run($1)
@@ -722,6 +723,7 @@ interface(`logging_relabelto_devlog_sock_files',`
')
allow $1 devlog_t:sock_file relabelto_sock_file_perms;
+ allow $1 devlog_t:lnk_file relabelto_lnk_file_perms;
')
########################################
@@ -741,6 +743,8 @@ interface(`logging_create_devlog',`
allow $1 devlog_t:sock_file manage_sock_file_perms;
dev_filetrans($1, devlog_t, sock_file)
+ allow $1 devlog_t:lnk_file manage_lnk_file_perms;
+ dev_filetrans($1, devlog_t, lnk_file)
init_runtime_filetrans($1, devlog_t, sock_file, "syslog")
')
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 9b3254f63..d864cfd3d 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -398,6 +398,7 @@ allow syslogd_t syslog_conf_t:dir list_dir_perms;
# Create and bind to /dev/log or /var/run/log.
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
+allow syslogd_t devlog_t:lnk_file manage_lnk_file_perms;
files_runtime_filetrans(syslogd_t, devlog_t, sock_file)
init_runtime_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
--
2.17.1
|