[yocto] [meta-selinux][RFC 4/8] locallogin: add allow rules for type local_login_t

Shrikant Bobade bobadeshrikant at gmail.com
Fri Jul 29 02:10:22 PDT 2016 

From: Shrikant Bobade <shrikant_bobade at mentor.com>

add allow rules for locallogin module avc denials.

Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
---
 ...in-add-allow-rules-for-type-local_login_t.patch | 52 ++++++++++++++++++++++
 .../refpolicy/refpolicy_2.20151208.inc             |  1 +
 2 files changed, 53 insertions(+)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch b/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch
new file mode 100644
index 0000000..fd3d477
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20151208/0004-locallogin-add-allow-rules-for-type-local_login_t.patch
@@ -0,0 +1,52 @@
+From 545ebd866283ae929cfec716d067cd34015ad142 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade at mentor.com>
+Date: Mon, 25 Jul 2016 18:26:18 +0530
+Subject: [PATCH 4/6] locallogin: add allow rules for type local_login_t
+
+add allow rules for locallogin module avc denials.
+
+without this change we are getting errors like these:
+
+type=AVC msg=audit(): avc:  denied  { read write open } for  pid=353
+comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
+=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
+var_log_t:s0 tclass=file permissive=1
+
+type=AVC msg=audit(): avc:  denied  { sendto } for  pid=353 comm="login"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
+tclass=unix_dgram_socket permissive=1
+
+type=AVC msg=audit(): avc:  denied  { lock } for  pid=353 comm="login" path=
+"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
+:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
+=file permissive=1
+
+upstream-status: pending
+
+Signed-off-by: Shrikant Bobade <shrikant_bobade at mentor.com>
+---
+ policy/modules/system/locallogin.te | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 53923f8..09ec33f 100644
+--- a/policy/modules/system/locallogin.te
++++ b/policy/modules/system/locallogin.te
+@@ -274,3 +274,13 @@ optional_policy(`
+ optional_policy(`
+ 	nscd_use(sulogin_t)
+ ')
++
++allow local_login_t initrc_t:fd use;
++allow local_login_t initrc_t:unix_dgram_socket sendto;
++allow local_login_t initrc_t:unix_stream_socket connectto;
++allow local_login_t self:capability net_admin;
++allow local_login_t var_log_t:file { create lock open read write };
++allow local_login_t var_run_t:file { open read write lock};
++allow local_login_t var_run_t:sock_file write;
++allow local_login_t tmpfs_t:dir { add_name write search};
++allow local_login_t tmpfs_t:file { create open read write lock };
+-- 
+1.9.1
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20151208.inc b/recipes-security/refpolicy/refpolicy_2.20151208.inc
index c051aec..151c973 100644
--- a/recipes-security/refpolicy/refpolicy_2.20151208.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20151208.inc
@@ -65,6 +65,7 @@ SYSTEMD_REFPOLICY_PATCHES = "\
 	file://0001-systemd-unconfined-lib-add-systemd-services-allow-ru.patch \
 	file://0002-audit-logging-getty-audit-related-allow-rules.patch \
 	file://0003-systemd-mount-logging-authlogin-add-allow-rules.patch \
+	file://0004-locallogin-add-allow-rules-for-type-local_login_t.patch \
 "
 
 
-- 
1.9.1

More information about the yocto mailing list