refpolicy: policy fixes for seutils and auditd_log_t

Two patches to fix these two issue: * Current policy has incomplete allow rules for selinux utils to manage selinux config files and policy store. * auditd_log_t(/var/log/audit/audit.log) is also placed in var_log_t, so add related rules. CQID: WIND00396415 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
author: Xin Ouyang <Xin.Ouyang@windriver.com> 2013-01-21 19:26:12 +0800
committer: Xin Ouyang <Xin.Ouyang@windriver.com> 2013-01-23 11:10:17 +0800
commit: a1d632a26f2d599ad6092746a60d0ccb80711aaa (patch)
tree: 9f401255bda2bc7a4abd9419f05a1946d88be612
parent: b0f4055b7029bf5181f699c16c52fb88b50f51ec (diff)
download: meta-selinux-a1d632a26f2d599ad6092746a60d0ccb80711aaa.tar.gz
3 files changed, 104 insertions, 12 deletions
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch
index 5bf4986..a2f3c5d 100644
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch
@@ -8,8 +8,8 @@ Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 ---
 policy/modules/system/logging.fc |    1 +
- policy/modules/system/logging.if |    7 +++++++
+ policy/modules/system/logging.if |   14 +++++++++++++-
- 2 files changed, 8 insertions(+), 0 deletions(-)
+ 2 files changed, 14 insertions(+), 1 deletion(-)
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
 index 3cb65f1..2419cd7 100644
@@ -24,10 +24,25 @@ index 3cb65f1..2419cd7 100644
 /var/log/boot\.log     --      gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/messages[^/]*         gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 321bb13..2be355e 100644
+index 321bb13..4812d46 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
-@@ -626,6 +626,7 @@ interface(`logging_search_logs',`
+@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
+ #
+ interface(`logging_read_audit_log',`
+        gen_require(`
+-               type auditd_log_t;
+               type auditd_log_t, var_log_t;
+        ')
+ 
+        files_search_var($1)
+        read_files_pattern($1, auditd_log_t, auditd_log_t)
+        allow $1 auditd_log_t:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+ 
+ ########################################
+@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
 
        files_search_var($1)
        allow $1 var_log_t:dir search_dir_perms;
@@ -35,7 +50,7 @@ index 321bb13..2be355e 100644
 ')
 
 #######################################
-@@ -663,6 +664,7 @@ interface(`logging_list_logs',`
+@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
 
        files_search_var($1)
        allow $1 var_log_t:dir list_dir_perms;
@@ -43,7 +58,7 @@ index 321bb13..2be355e 100644
 ')
 
 #######################################
-@@ -682,6 +684,7 @@ interface(`logging_rw_generic_log_dirs',`
+@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
 
        files_search_var($1)
        allow $1 var_log_t:dir rw_dir_perms;
@@ -51,7 +66,33 @@ index 321bb13..2be355e 100644
 ')
 
 #######################################
-@@ -843,6 +846,7 @@ interface(`logging_read_generic_logs',`
+@@ -756,10 +760,12 @@ interface(`logging_append_all_logs',`
+ interface(`logging_read_all_logs',`
+        gen_require(`
+                attribute logfile;
+               type var_log_t;
+        ')
+ 
+        files_search_var($1)
+        allow $1 logfile:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+        read_files_pattern($1, logfile, logfile)
+ ')
+ 
+@@ -778,10 +784,12 @@ interface(`logging_read_all_logs',`
+ interface(`logging_exec_all_logs',`
+        gen_require(`
+                attribute logfile;
+               type var_log_t;
+        ')
+ 
+        files_search_var($1)
+        allow $1 logfile:dir list_dir_perms;
+       allow $1 var_log_t:lnk_file read_lnk_file_perms;
+        can_exec($1, logfile)
+ ')
+ 
+@@ -843,6 +851,7 @@ interface(`logging_read_generic_logs',`
 
        files_search_var($1)
        allow $1 var_log_t:dir list_dir_perms;
@@ -59,7 +100,7 @@ index 321bb13..2be355e 100644
        read_files_pattern($1, var_log_t, var_log_t)
 ')
 
-@@ -863,6 +867,7 @@ interface(`logging_write_generic_logs',`
+@@ -863,6 +872,7 @@ interface(`logging_write_generic_logs',`
 
        files_search_var($1)
        allow $1 var_log_t:dir list_dir_perms;
@@ -67,7 +108,7 @@ index 321bb13..2be355e 100644
        write_files_pattern($1, var_log_t, var_log_t)
 ')
 
-@@ -901,6 +906,7 @@ interface(`logging_rw_generic_logs',`
+@@ -901,6 +911,7 @@ interface(`logging_rw_generic_logs',`
 
        files_search_var($1)
        allow $1 var_log_t:dir list_dir_perms;
@@ -75,7 +116,7 @@ index 321bb13..2be355e 100644
        rw_files_pattern($1, var_log_t, var_log_t)
 ')
 
-@@ -923,6 +929,7 @@ interface(`logging_manage_generic_logs',`
+@@ -923,6 +934,7 @@ interface(`logging_manage_generic_logs',`
 
        files_search_var($1)
        manage_files_pattern($1, var_log_t, var_log_t)
@@ -83,6 +124,17 @@ index 321bb13..2be355e 100644
 ')
 
 ########################################
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index a3a25c2..a45c68e 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t var_log_t:dir search_dir_perms;
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+ 
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 -- 
-1.7.5.4
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch
new file mode 100644
index 0000000..bd76004
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch
@@ -0,0 +1,39 @@
+Subject: [PATCH] refpolicy: fix selinux utils to manage config files
+Upstream-Status: Pending
+Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
+---
+ policy/modules/system/selinuxutil.if |    1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 3822072..db03ca1 100644
+--- a/policy/modules/system/selinuxutil.if
+++ b/policy/modules/system/selinuxutil.if
+@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
+        ')
+ 
+        files_search_etc($1)
+       manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
+        manage_files_pattern($1, selinux_config_t, selinux_config_t)
+        read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+ ')
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e720dcd..6b6a5b3 100644
+--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
+@@ -1235,6 +1235,10 @@ template(`userdom_security_admin_template',`
+        logging_read_audit_config($1)
+ 
+        seutil_manage_bin_policy($1)
+       seutil_manage_default_contexts($1)
+       seutil_manage_file_contexts($1)
+       seutil_manage_module_store($1)
+       seutil_manage_config($1)
+        seutil_run_checkpolicy($1, $2)
+        seutil_run_loadpolicy($1, $2)
+        seutil_run_semanage($1, $2)
+-- 
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy_2.20120725.inc b/recipes-security/refpolicy/refpolicy_2.20120725.inc
index ec8b5bf..20f4795 100644
--- a/recipes-security/refpolicy/refpolicy_2.20120725.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc
@@ -31,6 +31,7 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
 # Other policy fixes 
 SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
+            file://poky-policy-fix-seutils-manage-config-files.patch \
            file://poky-policy-fix-nfsd_t.patch \
           "
author	Xin Ouyang <Xin.Ouyang@windriver.com>	2013-01-21 19:26:12 +0800
committer	Xin Ouyang <Xin.Ouyang@windriver.com>	2013-01-23 11:10:17 +0800
commit	a1d632a26f2d599ad6092746a60d0ccb80711aaa (patch)
tree	9f401255bda2bc7a4abd9419f05a1946d88be612
parent	b0f4055b7029bf5181f699c16c52fb88b50f51ec (diff)
download	meta-selinux-a1d632a26f2d599ad6092746a60d0ccb80711aaa.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch index 5bf4986..a2f3c5d 100644 --- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch
@@ -8,8 +8,8 @@ Upstream-Status: Inappropriate [only for Poky]
8	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>	8	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
9	---	9	---
10	policy/modules/system/logging.fc \| 1 +	10	policy/modules/system/logging.fc \| 1 +
11	policy/modules/system/logging.if \| 7 +++++++	11	policy/modules/system/logging.if \| 14 +++++++++++++-
12	2 files changed, 8 insertions(+), 0 deletions(-)	12	2 files changed, 14 insertions(+), 1 deletion(-)
13		13
14	diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc	14	diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
15	index 3cb65f1..2419cd7 100644	15	index 3cb65f1..2419cd7 100644
@@ -24,10 +24,25 @@ index 3cb65f1..2419cd7 100644
24	/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)	24	/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
25	/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)	25	/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
26	diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if	26	diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
27	index 321bb13..2be355e 100644	27	index 321bb13..4812d46 100644
28	--- a/policy/modules/system/logging.if	28	--- a/policy/modules/system/logging.if
29	+++ b/policy/modules/system/logging.if	29	+++ b/policy/modules/system/logging.if
30	@@ -626,6 +626,7 @@ interface(`logging_search_logs',`	30	@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
		31	#
		32	interface(`logging_read_audit_log',`
		33	gen_require(`
		34	- type auditd_log_t;
		35	+ type auditd_log_t, var_log_t;
		36	')
		37
		38	files_search_var($1)
		39	read_files_pattern($1, auditd_log_t, auditd_log_t)
		40	allow $1 auditd_log_t:dir list_dir_perms;
		41	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
		42	')
		43
		44	########################################
		45	@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
31		46
32	files_search_var($1)	47	files_search_var($1)
33	allow $1 var_log_t:dir search_dir_perms;	48	allow $1 var_log_t:dir search_dir_perms;
@@ -35,7 +50,7 @@ index 321bb13..2be355e 100644
35	')	50	')
36		51
37	#######################################	52	#######################################
38	@@ -663,6 +664,7 @@ interface(`logging_list_logs',`	53	@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
39		54
40	files_search_var($1)	55	files_search_var($1)
41	allow $1 var_log_t:dir list_dir_perms;	56	allow $1 var_log_t:dir list_dir_perms;
@@ -43,7 +58,7 @@ index 321bb13..2be355e 100644
43	')	58	')
44		59
45	#######################################	60	#######################################
46	@@ -682,6 +684,7 @@ interface(`logging_rw_generic_log_dirs',`	61	@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
47		62
48	files_search_var($1)	63	files_search_var($1)
49	allow $1 var_log_t:dir rw_dir_perms;	64	allow $1 var_log_t:dir rw_dir_perms;
@@ -51,7 +66,33 @@ index 321bb13..2be355e 100644
51	')	66	')
52		67
53	#######################################	68	#######################################
54	@@ -843,6 +846,7 @@ interface(`logging_read_generic_logs',`	69	@@ -756,10 +760,12 @@ interface(`logging_append_all_logs',`
		70	interface(`logging_read_all_logs',`
		71	gen_require(`
		72	attribute logfile;
		73	+ type var_log_t;
		74	')
		75
		76	files_search_var($1)
		77	allow $1 logfile:dir list_dir_perms;
		78	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
		79	read_files_pattern($1, logfile, logfile)
		80	')
		81
		82	@@ -778,10 +784,12 @@ interface(`logging_read_all_logs',`
		83	interface(`logging_exec_all_logs',`
		84	gen_require(`
		85	attribute logfile;
		86	+ type var_log_t;
		87	')
		88
		89	files_search_var($1)
		90	allow $1 logfile:dir list_dir_perms;
		91	+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
		92	can_exec($1, logfile)
		93	')
		94
		95	@@ -843,6 +851,7 @@ interface(`logging_read_generic_logs',`
55		96
56	files_search_var($1)	97	files_search_var($1)
57	allow $1 var_log_t:dir list_dir_perms;	98	allow $1 var_log_t:dir list_dir_perms;
@@ -59,7 +100,7 @@ index 321bb13..2be355e 100644
59	read_files_pattern($1, var_log_t, var_log_t)	100	read_files_pattern($1, var_log_t, var_log_t)
60	')	101	')
61		102
62	@@ -863,6 +867,7 @@ interface(`logging_write_generic_logs',`	103	@@ -863,6 +872,7 @@ interface(`logging_write_generic_logs',`
63		104
64	files_search_var($1)	105	files_search_var($1)
65	allow $1 var_log_t:dir list_dir_perms;	106	allow $1 var_log_t:dir list_dir_perms;
@@ -67,7 +108,7 @@ index 321bb13..2be355e 100644
67	write_files_pattern($1, var_log_t, var_log_t)	108	write_files_pattern($1, var_log_t, var_log_t)
68	')	109	')
69		110
70	@@ -901,6 +906,7 @@ interface(`logging_rw_generic_logs',`	111	@@ -901,6 +911,7 @@ interface(`logging_rw_generic_logs',`
71		112
72	files_search_var($1)	113	files_search_var($1)
73	allow $1 var_log_t:dir list_dir_perms;	114	allow $1 var_log_t:dir list_dir_perms;
@@ -75,7 +116,7 @@ index 321bb13..2be355e 100644
75	rw_files_pattern($1, var_log_t, var_log_t)	116	rw_files_pattern($1, var_log_t, var_log_t)
76	')	117	')
77		118
78	@@ -923,6 +929,7 @@ interface(`logging_manage_generic_logs',`	119	@@ -923,6 +934,7 @@ interface(`logging_manage_generic_logs',`
79		120
80	files_search_var($1)	121	files_search_var($1)
81	manage_files_pattern($1, var_log_t, var_log_t)	122	manage_files_pattern($1, var_log_t, var_log_t)
@@ -83,6 +124,17 @@ index 321bb13..2be355e 100644
83	')	124	')
84		125
85	########################################	126	########################################
		127	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
		128	index a3a25c2..a45c68e 100644
		129	--- a/policy/modules/system/logging.te
		130	+++ b/policy/modules/system/logging.te
		131	@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
		132	manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
		133	manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
		134	allow auditd_t var_log_t:dir search_dir_perms;
		135	+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
		136
		137	manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
		138	manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
86	--	139	--
87	1.7.5.4	140	1.7.9.5
88


diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch new file mode 100644 index 0000000..bd76004 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch
@@ -0,0 +1,39 @@
		1	Subject: [PATCH] refpolicy: fix selinux utils to manage config files
		2
		3	Upstream-Status: Pending
		4
		5	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
		6	---
		7	policy/modules/system/selinuxutil.if \| 1 +
		8	1 file changed, 1 insertion(+)
		9
		10	diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
		11	index 3822072..db03ca1 100644
		12	--- a/policy/modules/system/selinuxutil.if
		13	+++ b/policy/modules/system/selinuxutil.if
		14	@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
		15	')
		16
		17	files_search_etc($1)
		18	+ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
		19	manage_files_pattern($1, selinux_config_t, selinux_config_t)
		20	read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
		21	')
		22	diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
		23	index e720dcd..6b6a5b3 100644
		24	--- a/policy/modules/system/userdomain.if
		25	+++ b/policy/modules/system/userdomain.if
		26	@@ -1235,6 +1235,10 @@ template(`userdom_security_admin_template',`
		27	logging_read_audit_config($1)
		28
		29	seutil_manage_bin_policy($1)
		30	+ seutil_manage_default_contexts($1)
		31	+ seutil_manage_file_contexts($1)
		32	+ seutil_manage_module_store($1)
		33	+ seutil_manage_config($1)
		34	seutil_run_checkpolicy($1, $2)
		35	seutil_run_loadpolicy($1, $2)
		36	seutil_run_semanage($1, $2)
		37	--
		38	1.7.9.5
		39


diff --git a/recipes-security/refpolicy/refpolicy_2.20120725.inc b/recipes-security/refpolicy/refpolicy_2.20120725.inc index ec8b5bf..20f4795 100644 --- a/recipes-security/refpolicy/refpolicy_2.20120725.inc +++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc
@@ -31,6 +31,7 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
31		31
32	# Other policy fixes	32	# Other policy fixes
33	SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \	33	SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
		34	file://poky-policy-fix-seutils-manage-config-files.patch \
34	file://poky-policy-fix-nfsd_t.patch \	35	file://poky-policy-fix-nfsd_t.patch \
35	"	36	"
36		37