refpolicy-minimum: systemd: fix for syslog

syslog & getty related allow rules required to fix the syslog mixup with boot log, while using systemd as init manager. Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com> Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
author: Shrikant Bobade <shrikant_bobade@mentor.com> 2016-08-29 19:08:57 +0530
committer: Joe MacDonald <joe_macdonald@mentor.com> 2016-09-01 14:30:47 -0400
commit: b72d0a06a88ae0549826390d12c4c70eb86a3b34 (patch)
tree: fa89cd3c29ba2b67f14e2ad158a92c85d6523e76
parent: 6a93c5045a06d7437539820ef2510493c81f5673 (diff)
download: meta-selinux-b72d0a06a88ae0549826390d12c4c70eb86a3b34.tar.gz
2 files changed, 70 insertions, 0 deletions
diff --git a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
new file mode 100644
index 0000000..b01947d
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
@@ -0,0 +1,69 @@
+From 9476fb0aad7caa725014e72cd009b78389ba66d5 Mon Sep 17 00:00:00 2001
+From: Shrikant Bobade <shrikant_bobade@mentor.com>
+Date: Fri, 26 Aug 2016 17:54:29 +0530
+Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
+syslog & getty related allow rules required to fix the syslog mixup with
+boot log, while using systemd as init manager.
+without this change we are getting these avc denials:
+audit: avc:  denied  { search } for  pid=484 comm="syslogd" name="/"
+dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
+audit: avc:  denied  { write } for  pid=372 comm="syslogd" name="log" dev=
+"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
+object_r:tmpfs_t:s0 tclass=dir permissive=0
+audit: avc:  denied  { add_name } for  pid=390 comm="syslogd" name=
+"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
+:tmpfs_t:s0 tclass=dir permissive=0
+audit: avc:  denied  { sendto } for  pid=558 comm="agetty" path="/run/systemd
+/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
+system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
+audit: avc:  denied  { create } for  pid=374 comm="syslogd" name="messages"
+scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
+s0 tclass=file permissive=0
+audit: avc:  denied  { append } for  pid=423 comm="syslogd" name="messages"
+dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
+system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+audit: avc:  denied  { getattr } for  pid=425 comm="syslogd" path="/var/
+volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
+syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
+Upstream-Status: Pending
+Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
+---
+ policy/modules/system/getty.te   | 1 +
+ policy/modules/system/logging.te | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
+index 84eaf77..2e53daf 100644
+--- a/policy/modules/system/getty.te
+++ b/policy/modules/system/getty.te
+@@ -142,3 +142,4 @@ optional_policy(`
+ 
+ allow getty_t tmpfs_t:dir search;
+ allow getty_t tmpfs_t:file { open write lock };
+allow getty_t initrc_t:unix_dgram_socket sendto;
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 107db03..95de86d 100644
+--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
+@@ -581,4 +581,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
+ allow syslogd_t self:shm create;
+ allow syslogd_t self:sem { create read unix_write write };
+ allow syslogd_t self:shm { read unix_read unix_write write };
+-allow syslogd_t tmpfs_t:file { read write };
+allow syslogd_t tmpfs_t:file { read write create getattr append open };
+allow syslogd_t tmpfs_t:dir { search write add_name };
+-- 
+1.9.1
diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
index 9f01492..da6626e 100644
--- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
+++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -80,4 +80,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \
        file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \
        file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
        file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
+        file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
        "
author	Shrikant Bobade <shrikant_bobade@mentor.com>	2016-08-29 19:08:57 +0530
committer	Joe MacDonald <joe_macdonald@mentor.com>	2016-09-01 14:30:47 -0400
commit	b72d0a06a88ae0549826390d12c4c70eb86a3b34 (patch)
tree	fa89cd3c29ba2b67f14e2ad158a92c85d6523e76
parent	6a93c5045a06d7437539820ef2510493c81f5673 (diff)
download	meta-selinux-b72d0a06a88ae0549826390d12c4c70eb86a3b34.tar.gz

diff --git a/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch b/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch new file mode 100644 index 0000000..b01947d --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-minimum/0009-refpolicy-minimum-systemd-fix-for-syslog.patch
@@ -0,0 +1,69 @@
		1	From 9476fb0aad7caa725014e72cd009b78389ba66d5 Mon Sep 17 00:00:00 2001
		2	From: Shrikant Bobade <shrikant_bobade@mentor.com>
		3	Date: Fri, 26 Aug 2016 17:54:29 +0530
		4	Subject: [PATCH 9/9] refpolicy-minimum: systemd: fix for syslog
		5
		6	syslog & getty related allow rules required to fix the syslog mixup with
		7	boot log, while using systemd as init manager.
		8
		9	without this change we are getting these avc denials:
		10
		11	audit: avc: denied { search } for pid=484 comm="syslogd" name="/"
		12	dev="tmpfs" ino=7269 scontext=system_u:system_r:syslogd_t:s0 tcontext=
		13	system_u:object_r:tmpfs_t:s0 tclass=dir permissive=0
		14
		15	audit: avc: denied { write } for pid=372 comm="syslogd" name="log" dev=
		16	"tmpfs" ino=954 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:
		17	object_r:tmpfs_t:s0 tclass=dir permissive=0
		18
		19	audit: avc: denied { add_name } for pid=390 comm="syslogd" name=
		20	"messages" scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r
		21	:tmpfs_t:s0 tclass=dir permissive=0
		22
		23	audit: avc: denied { sendto } for pid=558 comm="agetty" path="/run/systemd
		24	/journal/dev-log" scontext=system_u:system_r:getty_t:s0 tcontext=system_u:
		25	system_r:initrc_t:s0 tclass=unix_dgram_socket permissive=0
		26
		27	audit: avc: denied { create } for pid=374 comm="syslogd" name="messages"
		28	scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:
		29	s0 tclass=file permissive=0
		30
		31	audit: avc: denied { append } for pid=423 comm="syslogd" name="messages"
		32	dev="tmpfs" ino=7995 scontext=system_u:system_r:syslogd_t:s0 tcontext=
		33	system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
		34
		35	audit: avc: denied { getattr } for pid=425 comm="syslogd" path="/var/
		36	volatile/log/messages" dev="tmpfs" ino=8857 scontext=system_u:system_r:
		37	syslogd_t:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0
		38
		39	Upstream-Status: Pending
		40
		41	Signed-off-by: Shrikant Bobade <shrikant_bobade@mentor.com>
		42	---
		43	policy/modules/system/getty.te \| 1 +
		44	policy/modules/system/logging.te \| 3 ++-
		45	2 files changed, 3 insertions(+), 1 deletion(-)
		46
		47	diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te
		48	index 84eaf77..2e53daf 100644
		49	--- a/policy/modules/system/getty.te
		50	+++ b/policy/modules/system/getty.te
		51	@@ -142,3 +142,4 @@ optional_policy(`
		52
		53	allow getty_t tmpfs_t:dir search;
		54	allow getty_t tmpfs_t:file { open write lock };
		55	+allow getty_t initrc_t:unix_dgram_socket sendto;
		56	diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
		57	index 107db03..95de86d 100644
		58	--- a/policy/modules/system/logging.te
		59	+++ b/policy/modules/system/logging.te
		60	@@ -581,4 +581,5 @@ allow klogd_t initrc_t:unix_dgram_socket sendto;
		61	allow syslogd_t self:shm create;
		62	allow syslogd_t self:sem { create read unix_write write };
		63	allow syslogd_t self:shm { read unix_read unix_write write };
		64	-allow syslogd_t tmpfs_t:file { read write };
		65	+allow syslogd_t tmpfs_t:file { read write create getattr append open };
		66	+allow syslogd_t tmpfs_t:dir { search write add_name };
		67	--
		68	1.9.1
		69


diff --git a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb index 9f01492..da6626e 100644 --- a/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb +++ b/recipes-security/refpolicy/refpolicy-minimum_2.20151208.bb
@@ -80,4 +80,5 @@ SYSTEMD_REFPOLICY_PATCHES = " \
80	file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \	80	file://0006-refpolicy-minimum-systemd-mount-enable-requiried-ref.patch \
81	file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \	81	file://0007-refpolicy-minimum-systemd-fix-for-login-journal-serv.patch \
82	file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \	82	file://0008-refpolicy-minimum-systemd-fix-for-systemd-tmp-files-.patch \
		83	file://0009-refpolicy-minimum-systemd-fix-for-syslog.patch \
83	"	84	"