[yocto] [meta-selinux][RFC 2/8] audit: logging: getty: audit related allow rules

Shrikant Bobade bobadeshrikant at gmail.com
Fri Jul 29 02:09:47 PDT 2016 

From: Shrikant Bobade <shrikant_bobade at mentor.com>

add allow rules for audit.log file & resolve dependent avc denials.

Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
---
 ...t-logging-getty-audit-related-allow-rules.patch | 66 ++++++++++++++++++++++
 .../refpolicy/refpolicy_2.20151208.inc             |  1 +
 2 files changed, 67 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch
new file mode 100644
index 0000000..e0c0132
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/0002-audit-logging-getty-audit-related-allow-rules.patch
@@ -0,0 +1,66 @@
+From 674a1c03a08bae583e1a50acd48489dd2d4f3f33 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade at mentor.com>
+Date: Mon, 25 Jul 2016 17:44:13 +0530
+Subject: [PATCH 2/6] audit: logging: getty: audit related allow rules
+
+add allow rules for audit.log file & resolve dependent avc denials.
+
+without this change we are getting audit avc denials mixed into bootlog &
+audit other avc denials.
+
+audit: type=1400 audit(): avc:  denied  { getattr } for  pid=217 comm="mount"
+name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0
+audit: type=1400 audit(): avc:  denied  { sendto } for  pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=sy0
+audit: type=1400 audit(): avc:  denied  { sendto } for  pid=310 comm="klogd"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0
+audit(): avc:  denied  { open } for  pid=540 comm="agetty" path="/var/
+volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t
+:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
+---
+ policy/modules/system/getty.te   | 3 +++
+ policy/modules/system/logging.te | 8 ++++++++
+ 2 files changed, 11 insertions(+)
+
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index f6743ea..84eaf77 100644
+--- a/policy/modules/system/getty.te
++++ b/policy/modules/system/getty.te
+@@ -139,3 +139,6 @@ optional_policy(`
+ optional_policy(`
+ 	udev_read_db(getty_t)
+ ')
++
++allow getty_t tmpfs_t:dir search;
++allow getty_t tmpfs_t:file { open write lock };
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 9b18aad..fdf86ef 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -238,6 +238,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms;
+ allow audisp_t self:unix_dgram_socket create_socket_perms;
+ 
+ allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
++allow audisp_t initrc_t:unix_dgram_socket sendto;
+ 
+ manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
+ files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
+@@ -569,3 +570,10 @@ optional_policy(`
+ 	# log to the xconsole
+ 	xserver_rw_console(syslogd_t)
+ ')
++
++
++allow auditd_t tmpfs_t:file { getattr setattr create open read append };
++allow auditd_t tmpfs_t:dir { open read search add_name write getattr search };
++allow auditd_t initrc_t:unix_dgram_socket sendto;
++
++allow klogd_t initrc_t:unix_dgram_socket sendto;
+\ No newline at end of file
+-- 
+1.9.1
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index 861bfdc..4d07e62 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -63,6 +63,7 @@ SRC_URI += "${@bb.utils.contains('DISTRO_FEATURES', 'systemd', ' ${SYSTEMD_REFPO
 
 SYSTEMD_REFPOLICY_PATCHES = "\
 	file://0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch \
+	file://0002-audit-logging-getty-audit-related-allow-rules.patch \
 "
 
 
-- 
1.9.1

More information about the yocto mailing list