refpolicy: fixes for auditctl and rsyslog

* Allow auditctl to read symlink of var/log directory. * Grant getpcap capability to syslogd_t. Signed-off-by: Yi Zhao <yi.zhao@windriver.com> Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>
author: Yi Zhao <yi.zhao@windriver.com> 2024-06-06 14:14:34 +0800
committer: Joe MacDonald <joe.macdonald@siemens.com> 2024-07-23 12:51:05 -0400
commit: 0dbf1bdc02cdcb38b5a57fad351adeff8d12b66d (patch)
tree: 4c2cfdec87e9d377c09aade037986e9b96736a2b
parent: 37ede3a5fec01e97e481101b2b8664666c4923c7 (diff)
download: meta-selinux-0dbf1bdc02cdcb38b5a57fad351adeff8d12b66d.tar.gz
3 files changed, 53 insertions, 6 deletions
diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
index e9e717b..6ad2475 100644
--- a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -1,4 +1,4 @@
-From d7dfe01114f9a1449ce2efd792ddf4b18fe91a45 Mon Sep 17 00:00:00 2001
+From 5b33f07f60b20eb6e07ea3f517c43a539ee21332 Mon Sep 17 00:00:00 2001
 From: Xin Ouyang <Xin.Ouyang@windriver.com>
 Date: Thu, 22 Aug 2013 13:37:23 +0800
 Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
@@ -13,14 +13,22 @@ Upstream-Status: Inappropriate [embedded specific]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- policy/modules/system/logging.te | 2 ++
+ policy/modules/system/logging.te | 3 +++
- 1 file changed, 2 insertions(+)
+ 1 file changed, 3 insertions(+)
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 45584dba6..8bc70b81d 100644
+index 45584dba6..4fb2fb63c 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map;
+@@ -117,6 +117,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+ 
+ read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+ allow auditctl_t auditd_etc_t:dir list_dir_perms;
+allow auditctl_t var_log_t:lnk_file read_lnk_file_perms;
+ dontaudit auditctl_t auditd_etc_t:file map;
+ 
+ corecmd_search_bin(auditctl_t)
+@@ -177,6 +178,7 @@ dontaudit auditd_t auditd_etc_t:file map;
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t auditd_log_t:dir setattr;
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
@@ -28,7 +36,7 @@ index 45584dba6..8bc70b81d 100644
 allow auditd_t var_log_t:dir search_dir_perms;
 
 manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
-@@ -306,6 +307,7 @@ optional_policy(`
+@@ -306,6 +308,7 @@ optional_policy(`
 allow audisp_remote_t self:capability { setpcap setuid };
 allow audisp_remote_t self:process { getcap setcap };
 allow audisp_remote_t self:tcp_socket create_socket_perms;
diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch
new file mode 100644
index 0000000..5c2e789
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch
@@ -0,0 +1,38 @@
+From f48edb588d799a7aab9110e4f67468d8e5e41c10 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 28 May 2024 11:21:48 +0800
+Subject: [PATCH] policy/modules/system/logging: grant getpcap capability to
+ syslogd_t
+The rsyslog is configured with --enable-libpcap which requires getpcap
+capability.
+Fixes:
+avc: denied { setpcap } for pid=317 comm="rsyslogd" capability=8
+scontext=system_u:system_r:syslogd_t:s15:c0.c1023
+tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 tclass=capability
+permissive=1
+Upstream-Status: Inappropriate [embedded specific]
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 511604493..9c0a58aef 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -404,6 +404,8 @@ optional_policy(`
+ # sys_admin for the integrated klog of syslog-ng and metalog
+ # sys_nice for rsyslog
+ allow syslogd_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+# Rsyslog configures with --enable-libcap-ng
+allow syslogd_t self:capability setpcap;
+ dontaudit syslogd_t self:capability { sys_ptrace };
+ dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
+ # setpgid for metalog
+-- 
+2.25.1
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 000fb3c..05dca2c 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -72,6 +72,7 @@ SRC_URI += " \
        file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
        file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
        file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+        file://0057-policy-modules-system-logging-grant-getpcap-capabili.patch \
        "
 S = "${WORKDIR}/refpolicy"
author	Yi Zhao <yi.zhao@windriver.com>	2024-06-06 14:14:34 +0800
committer	Joe MacDonald <joe.macdonald@siemens.com>	2024-07-23 12:51:05 -0400
commit	0dbf1bdc02cdcb38b5a57fad351adeff8d12b66d (patch)
tree	4c2cfdec87e9d377c09aade037986e9b96736a2b
parent	37ede3a5fec01e97e481101b2b8664666c4923c7 (diff)
download	meta-selinux-0dbf1bdc02cdcb38b5a57fad351adeff8d12b66d.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch index e9e717b..6ad2475 100644 --- a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch +++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -1,4 +1,4 @@
1	From d7dfe01114f9a1449ce2efd792ddf4b18fe91a45 Mon Sep 17 00:00:00 2001	1	From 5b33f07f60b20eb6e07ea3f517c43a539ee21332 Mon Sep 17 00:00:00 2001
2	From: Xin Ouyang <Xin.Ouyang@windriver.com>	2	From: Xin Ouyang <Xin.Ouyang@windriver.com>
3	Date: Thu, 22 Aug 2013 13:37:23 +0800	3	Date: Thu, 22 Aug 2013 13:37:23 +0800
4	Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures	4	Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
@@ -13,14 +13,22 @@ Upstream-Status: Inappropriate [embedded specific]
13	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>	13	Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>	14	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
15	---	15	---
16	policy/modules/system/logging.te \| 2 ++	16	policy/modules/system/logging.te \| 3 +++
17	1 file changed, 2 insertions(+)	17	1 file changed, 3 insertions(+)
18		18
19	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te	19	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
20	index 45584dba6..8bc70b81d 100644	20	index 45584dba6..4fb2fb63c 100644
21	--- a/policy/modules/system/logging.te	21	--- a/policy/modules/system/logging.te
22	+++ b/policy/modules/system/logging.te	22	+++ b/policy/modules/system/logging.te
23	@@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map;	23	@@ -117,6 +117,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
		24
		25	read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
		26	allow auditctl_t auditd_etc_t:dir list_dir_perms;
		27	+allow auditctl_t var_log_t:lnk_file read_lnk_file_perms;
		28	dontaudit auditctl_t auditd_etc_t:file map;
		29
		30	corecmd_search_bin(auditctl_t)
		31	@@ -177,6 +178,7 @@ dontaudit auditd_t auditd_etc_t:file map;
24	manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)	32	manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
25	allow auditd_t auditd_log_t:dir setattr;	33	allow auditd_t auditd_log_t:dir setattr;
26	manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)	34	manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
@@ -28,7 +36,7 @@ index 45584dba6..8bc70b81d 100644
28	allow auditd_t var_log_t:dir search_dir_perms;	36	allow auditd_t var_log_t:dir search_dir_perms;
29		37
30	manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)	38	manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
31	@@ -306,6 +307,7 @@ optional_policy(`	39	@@ -306,6 +308,7 @@ optional_policy(`
32	allow audisp_remote_t self:capability { setpcap setuid };	40	allow audisp_remote_t self:capability { setpcap setuid };
33	allow audisp_remote_t self:process { getcap setcap };	41	allow audisp_remote_t self:process { getcap setcap };
34	allow audisp_remote_t self:tcp_socket create_socket_perms;	42	allow audisp_remote_t self:tcp_socket create_socket_perms;


diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch new file mode 100644 index 0000000..5c2e789 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch
@@ -0,0 +1,38 @@
		1	From f48edb588d799a7aab9110e4f67468d8e5e41c10 Mon Sep 17 00:00:00 2001
		2	From: Yi Zhao <yi.zhao@windriver.com>
		3	Date: Tue, 28 May 2024 11:21:48 +0800
		4	Subject: [PATCH] policy/modules/system/logging: grant getpcap capability to
		5	syslogd_t
		6
		7	The rsyslog is configured with --enable-libpcap which requires getpcap
		8	capability.
		9
		10	Fixes:
		11	avc: denied { setpcap } for pid=317 comm="rsyslogd" capability=8
		12	scontext=system_u:system_r:syslogd_t:s15:c0.c1023
		13	tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 tclass=capability
		14	permissive=1
		15
		16	Upstream-Status: Inappropriate [embedded specific]
		17
		18	Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
		19	---
		20	policy/modules/system/logging.te \| 2 ++
		21	1 file changed, 2 insertions(+)
		22
		23	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
		24	index 511604493..9c0a58aef 100644
		25	--- a/policy/modules/system/logging.te
		26	+++ b/policy/modules/system/logging.te
		27	@@ -404,6 +404,8 @@ optional_policy(`
		28	# sys_admin for the integrated klog of syslog-ng and metalog
		29	# sys_nice for rsyslog
		30	allow syslogd_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
		31	+# Rsyslog configures with --enable-libcap-ng
		32	+allow syslogd_t self:capability setpcap;
		33	dontaudit syslogd_t self:capability { sys_ptrace };
		34	dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
		35	# setpgid for metalog
		36	--
		37	2.25.1
		38


diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc index 000fb3c..05dca2c 100644 --- a/recipes-security/refpolicy/refpolicy_common.inc +++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -72,6 +72,7 @@ SRC_URI += " \
72	file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \	72	file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
73	file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \	73	file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
74	file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \	74	file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
		75	file://0057-policy-modules-system-logging-grant-getpcap-capabili.patch \
75	"	76	"
76		77
77	S = "${WORKDIR}/refpolicy"	78	S = "${WORKDIR}/refpolicy"