[yocto] [meta-selinux][PATCH 2/4] refpolicy: add rules for /var/log symlink on poky

wenzong.fan at windriver.com wenzong.fan at windriver.com
Mon Mar 24 18:07:48 PDT 2014 

From: Wenzong Fan <wenzong.fan at windriver.com>

Signed-off-by: Wenzong Fan <wenzong.fan at windriver.com>
---
 ...ky-policy-add-rules-for-syslogd_t-symlink.patch |   30 ++++++++++++++++++++
 ...rules-for-var-log-symlink-audisp_remote_t.patch |   29 +++++++++++++++++++
 .../refpolicy/refpolicy_2.20130424.inc             |    2 ++
 3 files changed, 61 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
new file mode 100644
index 0000000..aa9734a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -0,0 +1,30 @@
+Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
+
+We have added rules for the symlink of /var/log in logging.if,
+while syslogd_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+syslogd_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2ad9ea5..70427d8 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
+ 
++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
++
+ # manage temporary files
+ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
new file mode 100644
index 0000000..cbf0f7d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
@@ -0,0 +1,29 @@
+Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
+
+We have added rules for the symlink of /var/log in logging.if,
+while audisp_remote_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+audisp_remote_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <Xin.Ouyang at windriver.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8426a49..2ad9ea5 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+ manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+-- 
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 08ed04c..c3c7732 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -37,6 +37,8 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
 SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
             file://poky-policy-add-rules-for-var-log-symlink.patch \
             file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
+            file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
+            file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
             file://poky-policy-add-rules-for-var-cache-symlink.patch \
             file://poky-policy-add-rules-for-tmp-symlink.patch \
             file://poky-policy-add-rules-for-bsdpty_device_t.patch \
-- 
1.7.9.5

More information about the yocto mailing list