From 8bd72dfb5aafe68b82e10d204d3f824a3b5de7af Mon Sep 17 00:00:00 2001
From: Mark Hatle
Date: Wed, 13 Sep 2017 19:42:42 -0500
Subject: refpolicy-git: Update to lastest git version

Signed-off-by: Mark Hatle
---
 .../poky-fc-update-alternatives_sysklogd.patch | 37 ++++-------
 ...poky-policy-add-rules-for-var-log-symlink.patch | 73 ++++++----------
 recipes-security/refpolicy/refpolicy_git.inc | 2 +
 3 files changed, 33 insertions(+), 79 deletions(-)

diff --git a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
index 77f7fad..737c0a2 100644
--- a/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
+++ b/recipes-security/refpolicy/refpolicy-git/poky-fc-update-alternatives_sysklogd.patch
@@ -15,26 +15,19 @@ 
Signed-off-by: Joe MacDonald policy/modules/system/logging.te | 1 + 2 files changed, 5 insertions(+) ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -1,12 +1,14 @@ - /dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh) +Index: refpolicy/policy/modules/system/logging.fc +=================================================================== +--- refpolicy.orig/policy/modules/system/logging.fc ++++ refpolicy/policy/modules/system/logging.fc +@@ -2,6 +2,7 @@ /etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) /etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0) +/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0) + /etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0) /etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh) /etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0) - /etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) -+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0) - - /usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) - /usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) - /usr/bin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) - /usr/bin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) -@@ -27,14 +29,16 @@ - /usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0) - /usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0) +@@ -30,10 +31,12 @@ /usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0) /usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0) /usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0) @@ -47,19 +40,15 @@ 
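Review bot: The rebased patch drops the `+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)` entry that the old version added beside the `rsyslog` init-script label, while the new `@@ -2,6 +2,7 @@` hunk keeps only `/etc/syslog.conf\.sysklogd`, so the alternatives target for the syslog init script no longer gets `syslogd_initrc_exec_t` and falls to whatever the generic init.d rule assigns. If upstream still labels `/etc/rc\.d/init\.d/rsyslog` (the context line removed here), the sysklogd entry should most likely be re-added to the new hunk; if upstream dropped the init-script labels, a one-line note in the patch preamble saying so would save the next rebase the same question. The carried-over diffstat `2 files changed, 5 insertions(+)` is also stale: the new hunk headers (`+2,7`, `+31,12`, `+396,7`) add four lines, as far as the visible hunks show. This outer hunk begins on the previous line with its `@@ -15,26 +15,19 @@` header.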
Signed-off-by: Joe MacDonald /usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0) /usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0) - /var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0) - /var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0) ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -390,10 +390,11 @@ allow syslogd_t self:unix_dgram_socket s - allow syslogd_t self:fifo_file rw_fifo_file_perms; - allow syslogd_t self:udp_socket create_socket_perms; +Index: refpolicy/policy/modules/system/logging.te +=================================================================== +--- refpolicy.orig/policy/modules/system/logging.te ++++ refpolicy/policy/modules/system/logging.te +@@ -396,6 +396,7 @@ allow syslogd_t self:udp_socket create_s allow syslogd_t self:tcp_socket create_stream_socket_perms; allow syslogd_t syslog_conf_t:file read_file_perms; +allow syslogd_t syslog_conf_t:lnk_file read_file_perms; + allow syslogd_t syslog_conf_t:dir list_dir_perms; # Create and bind to /dev/log or /var/run/log. - allow syslogd_t devlog_t:sock_file manage_sock_file_perms; - files_pid_filetrans(syslogd_t, devlog_t, sock_file) - init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log") diff --git a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch index 75a5fa2..4a05a2a 100644 --- a/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch +++ b/recipes-security/refpolicy/refpolicy-git/poky-policy-add-rules-for-var-log-symlink.patch @@ -16,11 +16,11 @@ 
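Review bot: `allow syslogd_t syslog_conf_t:lnk_file read_file_perms;` grants the regular-file permission set on a symlink; in refpolicy `read_file_perms` expands to `{ getattr open read lock ioctl }` whereas the macro meant for this class, `read_lnk_file_perms`, is `{ getattr read }`, and the var-log-symlink patch in this same commit already uses `read_lnk_file_perms` for its `var_log_t:lnk_file` rules. The line is carried over unchanged as context, so this rebase did not introduce it, but since the `@@ -396,6 +396,7 @@` hunk is being regenerated anyway this is the moment to tighten it to `allow syslogd_t syslog_conf_t:lnk_file read_lnk_file_perms;`. The enclosing outer hunk starts on the previous line.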
Signed-off-by: Joe MacDonald policy/modules/system/logging.te | 1 + 3 files changed, 15 insertions(+), 1 deletion(-) ---- a/policy/modules/system/logging.fc -+++ b/policy/modules/system/logging.fc -@@ -51,10 +51,11 @@ ifdef(`distro_suse', ` - - /var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) +Index: refpolicy/policy/modules/system/logging.fc +=================================================================== +--- refpolicy.orig/policy/modules/system/logging.fc ++++ refpolicy/policy/modules/system/logging.fc +@@ -53,6 +53,7 @@ ifdef(`distro_suse', ` /var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0) /var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh) @@ -28,32 +28,11 @@ 
Signed-off-by: Joe MacDonald /var/log/.* gen_context(system_u:object_r:var_log_t,s0) /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh) /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) - /var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh) ---- a/policy/modules/system/logging.if -+++ b/policy/modules/system/logging.if -@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters' - ## - ## - # - interface(`logging_read_audit_log',` - gen_require(` -- type auditd_log_t; -+ type auditd_log_t, var_log_t; - ') - - files_search_var($1) - read_files_pattern($1, auditd_log_t, auditd_log_t) - allow $1 auditd_log_t:dir list_dir_perms; -+ allow $1 var_log_t:lnk_file read_lnk_file_perms; - ') - - ######################################## - ## - ## Execute auditctl in the auditctl domain. -@@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_ - ## - # +Index: refpolicy/policy/modules/system/logging.if +=================================================================== +--- refpolicy.orig/policy/modules/system/logging.if ++++ refpolicy/policy/modules/system/logging.if +@@ -945,10 +945,12 @@ interface(`logging_append_all_inherited_ interface(`logging_read_all_logs',` gen_require(` attribute logfile; @@ -66,11 +45,7 @@ Signed-off-by: Joe MacDonald read_files_pattern($1, logfile, logfile) ') - ######################################## - ## -@@ -972,14 +975,16 @@ interface(`logging_read_all_logs',` - # cjp: not sure why this is needed. This was added - # because of logrotate. +@@ -967,10 +969,12 @@ interface(`logging_read_all_logs',` interface(`logging_exec_all_logs',` gen_require(` attribute logfile; @@ -83,11 +58,7 @@ 
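Review bot: The rebase removes the whole `logging_read_audit_log` hunk (`-+ type auditd_log_t, var_log_t;` and `-+ allow $1 var_log_t:lnk_file read_lnk_file_perms;`) and the new `Index: refpolicy/policy/modules/system/logging.if` section starts directly at `@@ -945,10 +945,12 @@`, so domains that only call `logging_read_audit_log` lose the right to follow a `/var/log` symlink, which is the case this patch exists to cover. If upstream refpolicy now grants this itself the drop is correct, but nothing in the commit message says so; otherwise the hunk needs re-adding against the new line numbers. The preamble diffstat `3 files changed, 15 insertions(+), 1 deletion(-)` kept as context in the previous hunk should be regenerated too, since its only deletion was the `type auditd_log_t;` line removed here, as far as the visible hunk headers show. This outer hunk begins on the previous line.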
Signed-off-by: Joe MacDonald can_exec($1, logfile) ') - ######################################## - ## -@@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',` - type var_log_t; - ') +@@ -1072,6 +1076,7 @@ interface(`logging_read_generic_logs',` files_search_var($1) allow $1 var_log_t:dir list_dir_perms; @@ -95,11 +66,7 @@ Signed-off-by: Joe MacDonald read_files_pattern($1, var_log_t, var_log_t) ') - ######################################## - ## -@@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs', - type var_log_t; - ') +@@ -1173,6 +1178,7 @@ interface(`logging_manage_generic_logs', files_search_var($1) manage_files_pattern($1, var_log_t, var_log_t) @@ -107,13 +74,11 @@ Signed-off-by: Joe MacDonald ') ######################################## - ## - ## All of the rules required to administrate ---- a/policy/modules/system/logging.te -+++ b/policy/modules/system/logging.te -@@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi - - manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t) +Index: refpolicy/policy/modules/system/logging.te +=================================================================== +--- refpolicy.orig/policy/modules/system/logging.te ++++ refpolicy/policy/modules/system/logging.te +@@ -159,6 +159,7 @@ manage_files_pattern(auditd_t, auditd_lo allow auditd_t auditd_log_t:dir setattr; manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t) allow auditd_t var_log_t:dir search_dir_perms; @@ -121,5 +86,3 @@ Signed-off-by: Joe MacDonald manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t) - files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file }) - diff --git a/recipes-security/refpolicy/refpolicy_git.inc b/recipes-security/refpolicy/refpolicy_git.inc index 21e3a4c..9c62da3 100644 --- a/recipes-security/refpolicy/refpolicy_git.inc +++ b/recipes-security/refpolicy/refpolicy_git.inc 
@@ -1,3 +1,5 @@
+PV = "2.20170805+git${SRCPV}"
+
 SRC_URI = "git://github.com/TresysTechnology/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
 SRC_URI += "git://github.com/TresysTechnology/refpolicy-contrib.git;protocol=git;branch=master;name=refpolicy-contrib;destsuffix=refpolicy/policy/modules/contrib"

-- 
cgit v1.2.3-54-g00ecf