refpolicy-minimum: locallogin: add allow rules for type local_login_t

add allow rules for locallogin module avc denials. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Shrikant Bobade <shrikant_bobade@mentor.com> 2016-08-29 19:07:00 +0530
committer: Joe MacDonald <joe_macdonald@mentor.com> 2016-09-01 14:30:47 -0400
commit: 95922a23cb3c44d7ba2c7b40c7d812de244ece4a (patch)
tree: 79ac93357ea27cdfa2ceee1947be07cbeebf3175
parent: 2b022c1f4bd2369f7b66b764b2d16c7f19680e93 (diff)
download: meta-selinux-95922a23cb3c44d7ba2c7b40c7d812de244ece4a.tar.gz
2 files changed, 54 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
new file mode 100644
index 0000000..3623215
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
@@ -0,0 +1,53 @@
+From 0e99f9e7c6d69d5f784fe7352c9507791d8cbef9 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:53:46 +0530
+Subject: [PATCH 4/9] refpolicy-minimum: locallogin: add allow rules for type
+ local_login_t
+add allow rules for locallogin module avc denials.
+without this change we are getting errors like these:
+type=AVC msg=audit(): avc:  denied  { read write open } for  pid=353
+comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
+=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
+var_log_t:s0 tclass=file permissive=1
+type=AVC msg=audit(): avc:  denied  { sendto } for  pid=353 comm="login"
+path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
+local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
+tclass=unix_dgram_socket permissive=1
+type=AVC msg=audit(): avc:  denied  { lock } for  pid=353 comm="login" path=
+"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
+:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
+=file permissive=1
+Upstream-Status: Pending
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+---
+ policy/modules/system/locallogin.te | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
+index 53923f8..09ec33f 100644
+--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
+@@ -274,3 +274,13 @@ optional_policy(`
+ optional_policy(`
+        nscd_use(sulogin_t)
+ ')
+
+allow local_login_t initrc_t:fd use;
+allow local_login_t initrc_t:unix_dgram_socket sendto;
+allow local_login_t initrc_t:unix_stream_socket connectto;
+allow local_login_t self:capability net_admin;
+allow local_login_t var_log_t:file { create lock open read write };
+allow local_login_t var_run_t:file { open read write lock};
+allow local_login_t var_run_t:sock_file write;
+allow local_login_t tmpfs_t:dir { add_name write search};
+allow local_login_t tmpfs_t:file { create open read write lock };
+-- 
+1.9.1
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index f4b80bc..d1ea37d 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -75,4 +75,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \
        file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
        file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
        file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
+        file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
        "
author	Shrikant Bobade <shrikant_bobade@mentor.com>	2016-08-29 19:07:00 +0530
committer	Joe MacDonald <joe_macdonald@mentor.com>	2016-09-01 14:30:47 -0400
commit	95922a23cb3c44d7ba2c7b40c7d812de244ece4a (patch)
tree	79ac93357ea27cdfa2ceee1947be07cbeebf3175
parent	2b022c1f4bd2369f7b66b764b2d16c7f19680e93 (diff)
download	meta-selinux-95922a23cb3c44d7ba2c7b40c7d812de244ece4a.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch b/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch new file mode 100644 index 0000000..3623215 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch
@@ -0,0 +1,53 @@
		1	From 0e99f9e7c6d69d5f784fe7352c9507791d8cbef9 Mon Sep 17 00:00:00 2001
		2	From: Shrikant Bobade <shrikant_bobade@mentor.com>
		3	Date: Fri, 26 Aug 2016 17:53:46 +0530
		4	Subject: [PATCH 4/9] refpolicy-minimum: locallogin: add allow rules for type
		5	local_login_t
		6
		7	add allow rules for locallogin module avc denials.
		8
		9	without this change we are getting errors like these:
		10
		11	type=AVC msg=audit(): avc: denied { read write open } for pid=353
		12	comm="login" path="/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext
		13	=system_u:system_r:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:
		14	var_log_t:s0 tclass=file permissive=1
		15
		16	type=AVC msg=audit(): avc: denied { sendto } for pid=353 comm="login"
		17	path="/run/systemd/journal/dev-log" scontext=system_u:system_r:
		18	local_login_t:s0-s0:c0.c1023 tcontext=system_u:system_r:initrc_t:s0
		19	tclass=unix_dgram_socket permissive=1
		20
		21	type=AVC msg=audit(): avc: denied { lock } for pid=353 comm="login" path=
		22	"/var/volatile/log/lastlog" dev="tmpfs" ino=12281 scontext=system_u:system_r
		23	:local_login_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass
		24	=file permissive=1
		25
		26	Upstream-Status: Pending
		27
		28	Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
		29	---
		30	policy/modules/system/locallogin.te \| 10 ++++++++++
		31	1 file changed, 10 insertions(+)
		32
		33	diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
		34	index 53923f8..09ec33f 100644
		35	--- a/policy/modules/system/locallogin.te
		36	+++ b/policy/modules/system/locallogin.te
		37	@@ -274,3 +274,13 @@ optional_policy(`
		38	optional_policy(`
		39	nscd_use(sulogin_t)
		40	')
		41	+
		42	+allow local_login_t initrc_t:fd use;
		43	+allow local_login_t initrc_t:unix_dgram_socket sendto;
		44	+allow local_login_t initrc_t:unix_stream_socket connectto;
		45	+allow local_login_t self:capability net_admin;
		46	+allow local_login_t var_log_t:file { create lock open read write };
		47	+allow local_login_t var_run_t:file { open read write lock};
		48	+allow local_login_t var_run_t:sock_file write;
		49	+allow local_login_t tmpfs_t:dir { add_name write search};
		50	+allow local_login_t tmpfs_t:file { create open read write lock };
		51	--
		52	1.9.1
		53


diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index f4b80bc..d1ea37d 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -75,4 +75,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \
75	file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \	75	file://0001-refpolicy-minimum-systemd-unconfined-lib-add-systemd.patch \
76	file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \	76	file://0002-refpolicy-minimum-audit-logging-getty-audit-related-.patch \
77	file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \	77	file://0003-refpolicy-minimum-systemd-mount-logging-authlogin-ad.patch \
		78	file://0004-refpolicy-minimum-locallogin-add-allow-rules-for-typ.patch \
78	"	79	"