From: Wenzong Fan <wenzong....@windriver.com> Signed-off-by: Wenzong Fan <wenzong....@windriver.com> --- ...ky-policy-add-rules-for-syslogd_t-symlink.patch | 30 ++++++++++++++++++++ ...rules-for-var-log-symlink-audisp_remote_t.patch | 29 +++++++++++++++++++ .../refpolicy/refpolicy_2.20130424.inc | 2 ++ 3 files changed, 61 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch create mode 100644 recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
new file mode 100644
index 0000000..aa9734a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -0,0 +1,30 @@
+Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
+
+We have added rules for the symlink of /var/log in logging.if,
+while syslogd_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+syslogd_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <xin.ouy...@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2ad9ea5..70427d8 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
+
++allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
++
+ # manage temporary files
+ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+--
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
new file mode 100644
index 0000000..cbf0f7d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
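Review bot: The added `allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;` in the syslogd_t patch matches every symlink labelled var_log_t, not only the /var/log link itself, so the log daemon may presumably also resolve links that sit inside the log directory. If only the top-level link is intended, a dedicated type for that link would keep the grant narrow and auditable. The rule also lands directly under `# Allow access for syslog-ng` with no comment of its own, so it reads as part of that block; a line such as `# Poky: /var/log is a symlink; syslogd_t does not use the logging.if interfaces` above it would record the intent. The same two points apply to the `allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;` rule in the audisp_remote_t patch file.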
@@ -0,0 +1,29 @@
+Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
+
+We have added rules for the symlink of /var/log in logging.if,
+while audisp_remote_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+audisp_remote_t.
+
+Upstream-Status: Inappropriate [only for Poky]
+
+Signed-off-by: Xin Ouyang <xin.ouy...@windriver.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8426a49..2ad9ea5 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
++allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+ manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+--
+1.7.11.7
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index 08ed04c..c3c7732 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -37,6 +37,8 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
 SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
 file://poky-policy-add-rules-for-var-log-symlink.patch \
 file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
+ file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
+ file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
 file://poky-policy-add-rules-for-var-cache-symlink.patch \
 file://poky-policy-add-rules-for-tmp-symlink.patch \
 file://poky-policy-add-rules-for-bsdpty_device_t.patch \
--
1.7.9.5
-- _______________________________________________ yocto mailing list yocto@yoctoproject.org https://lists.yoctoproject.org/listinfo/yocto
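Review bot: The two new SRC_URI entries depend on their order, and nothing in the recipe records that. The syslogd_t patch's `index 2ad9ea5..70427d8` starts from the blob the audisp_remote_t patch produces (`index 8426a49..2ad9ea5`), so it was generated on top of it and would apply only with an offset, if at all, were the pair reordered or the first dropped. A comment above the SRC_URI assignment, which begins and ends outside this hunk, would make the dependency visible. The second file name also departs from the `poky-policy-add-rules-for-var-log-symlink-<domain>.patch` pattern used by the apache and audisp_remote_t entries; `poky-policy-add-rules-for-var-log-symlink-syslogd_t.patch` would match.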