refpolicy: add rules for /var/log symlink on poky

Signed-off-by: Wenzong Fan <wenzong.fan@windriver.com> Signed-off-by: Joe MacDonald <joe@deserted.net>
author: Wenzong Fan <wenzong.fan@windriver.com> 2014-04-03 14:05:48 -0400
committer: Joe MacDonald <joe@deserted.net> 2014-04-03 14:46:09 -0400
commit: f562f0630e4966d6a0eef6f2c3060730da2ce8d6 (patch)
tree: d87b75c5018cf811091c7775f0f3254194449dd7
parent: e8fa933234dfae2df9bb1246850f082b0f1e0fe3 (diff)
download: meta-selinux-f562f0630e4966d6a0eef6f2c3060730da2ce8d6.tar.gz
3 files changed, 61 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
new file mode 100644
index 0000000..aa9734a
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -0,0 +1,30 @@
+Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
+We have added rules for the symlink of /var/log in logging.if,
+while syslogd_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+syslogd_t.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 2ad9ea5..70427d8 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
+ # Allow access for syslog-ng
+ allow syslogd_t var_log_t:dir { create setattr };
+ 
+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
+
+ # manage temporary files
+ manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+-- 
+1.7.11.7
diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
new file mode 100644
index 0000000..cbf0f7d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
@@ -0,0 +1,29 @@
+Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
+We have added rules for the symlink of /var/log in logging.if,
+while audisp_remote_t uses /var/log but does not use the
+interfaces in logging.if. So still need add a individual rule for
+audisp_remote_t.
+Upstream-Status: Inappropriate [only for Poky]
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/logging.te | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 8426a49..2ad9ea5 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
+ allow audisp_remote_t self:process { getcap setcap };
+ allow audisp_remote_t self:tcp_socket create_socket_perms;
+ allow audisp_remote_t var_log_t:dir search_dir_perms;
+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+ manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
+-- 
+1.7.11.7
diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc
index a5f142f..dcce3ba 100644
--- a/recipes-security/refpolicy/refpolicy_2.20130424.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -37,6 +37,8 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
 SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
            file://poky-policy-add-rules-for-var-log-symlink.patch \
            file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
+            file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
+            file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
            file://poky-policy-add-rules-for-var-cache-symlink.patch \
            file://poky-policy-add-rules-for-tmp-symlink.patch \
            file://poky-policy-add-rules-for-bsdpty_device_t.patch \
author	Wenzong Fan <wenzong.fan@windriver.com>	2014-04-03 14:05:48 -0400
committer	Joe MacDonald <joe@deserted.net>	2014-04-03 14:46:09 -0400
commit	f562f0630e4966d6a0eef6f2c3060730da2ce8d6 (patch)
tree	d87b75c5018cf811091c7775f0f3254194449dd7
parent	e8fa933234dfae2df9bb1246850f082b0f1e0fe3 (diff)
download	meta-selinux-f562f0630e4966d6a0eef6f2c3060730da2ce8d6.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch new file mode 100644 index 0000000..aa9734a --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-syslogd_t-symlink.patch
@@ -0,0 +1,30 @@
		1	Subject: [PATCH] add rules for the symlink of /var/log - syslogd_t
		2
		3	We have added rules for the symlink of /var/log in logging.if,
		4	while syslogd_t uses /var/log but does not use the
		5	interfaces in logging.if. So still need add a individual rule for
		6	syslogd_t.
		7
		8	Upstream-Status: Inappropriate [only for Poky]
		9
		10	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		11	---
		12	policy/modules/system/logging.te \| 2 ++
		13	1 file changed, 2 insertions(+)
		14
		15	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
		16	index 2ad9ea5..70427d8 100644
		17	--- a/policy/modules/system/logging.te
		18	+++ b/policy/modules/system/logging.te
		19	@@ -384,6 +384,8 @@ rw_fifo_files_pattern(syslogd_t, var_log_t, var_log_t)
		20	# Allow access for syslog-ng
		21	allow syslogd_t var_log_t:dir { create setattr };
		22
		23	+allow syslogd_t var_log_t:lnk_file read_lnk_file_perms;
		24	+
		25	# manage temporary files
		26	manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
		27	manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
		28	--
		29	1.7.11.7
		30


diff --git a/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch new file mode 100644 index 0000000..cbf0f7d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20130424/poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch
@@ -0,0 +1,29 @@
		1	Subject: [PATCH] add rules for the symlink of /var/log - audisp_remote_t
		2
		3	We have added rules for the symlink of /var/log in logging.if,
		4	while audisp_remote_t uses /var/log but does not use the
		5	interfaces in logging.if. So still need add a individual rule for
		6	audisp_remote_t.
		7
		8	Upstream-Status: Inappropriate [only for Poky]
		9
		10	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		11	---
		12	policy/modules/system/logging.te \| 1 +
		13	1 file changed, 1 insertion(+)
		14
		15	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
		16	index 8426a49..2ad9ea5 100644
		17	--- a/policy/modules/system/logging.te
		18	+++ b/policy/modules/system/logging.te
		19	@@ -262,6 +262,7 @@ allow audisp_remote_t self:capability { setuid setpcap };
		20	allow audisp_remote_t self:process { getcap setcap };
		21	allow audisp_remote_t self:tcp_socket create_socket_perms;
		22	allow audisp_remote_t var_log_t:dir search_dir_perms;
		23	+allow audisp_remote_t var_log_t:lnk_file read_lnk_file_perms;
		24
		25	manage_dirs_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
		26	manage_files_pattern(audisp_remote_t, audit_spool_t, audit_spool_t)
		27	--
		28	1.7.11.7
		29


diff --git a/recipes-security/refpolicy/refpolicy_2.20130424.inc b/recipes-security/refpolicy/refpolicy_2.20130424.inc index a5f142f..dcce3ba 100644 --- a/recipes-security/refpolicy/refpolicy_2.20130424.inc +++ b/recipes-security/refpolicy/refpolicy_2.20130424.inc
@@ -37,6 +37,8 @@ SRC_URI += "file://poky-fc-subs_dist.patch \
37	SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \	37	SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
38	file://poky-policy-add-rules-for-var-log-symlink.patch \	38	file://poky-policy-add-rules-for-var-log-symlink.patch \
39	file://poky-policy-add-rules-for-var-log-symlink-apache.patch \	39	file://poky-policy-add-rules-for-var-log-symlink-apache.patch \
		40	file://poky-policy-add-rules-for-var-log-symlink-audisp_remote_t.patch \
		41	file://poky-policy-add-rules-for-syslogd_t-symlink.patch \
40	file://poky-policy-add-rules-for-var-cache-symlink.patch \	42	file://poky-policy-add-rules-for-var-cache-symlink.patch \
41	file://poky-policy-add-rules-for-tmp-symlink.patch \	43	file://poky-policy-add-rules-for-tmp-symlink.patch \
42	file://poky-policy-add-rules-for-bsdpty_device_t.patch \	44	file://poky-policy-add-rules-for-bsdpty_device_t.patch \