From a1d632a26f2d599ad6092746a60d0ccb80711aaa Mon Sep 17 00:00:00 2001
From: Xin Ouyang
Date: Mon, 21 Jan 2013 19:26:12 +0800
Subject: refpolicy: policy fixes for seutils and auditd_log_t

Two patches to fix these two issue:
* Current policy has incomplete allow rules for selinux utils to manage selinux config files and policy store.
* auditd_log_t(/var/log/audit/audit.log) is also placed in var_log_t, so add related rules.
CQID: WIND00396415
Signed-off-by: Xin Ouyang
---
 ...poky-policy-add-rules-for-var-log-symlink.patch | 76 ++++++++++++++++++----
 ...ky-policy-fix-seutils-manage-config-files.patch | 39 +++++++++++
 .../refpolicy/refpolicy_2.20120725.inc | 1 +
 3 files changed, 104 insertions(+), 12 deletions(-)
 create mode 100644 recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch

diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch
index 5bf4986..a2f3c5d 100644
--- a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-add-rules-for-var-log-symlink.patch
@@ -8,8 +8,8 @@ Upstream-Status: Inappropriate [only for Poky]
 Signed-off-by: Xin Ouyang
 ---
 policy/modules/system/logging.fc | 1 +
- policy/modules/system/logging.if | 7 +++++++
- 2 files changed, 8 insertions(+), 0 deletions(-)
+ policy/modules/system/logging.if | 14 +++++++++++++-
+ 2 files changed, 14 insertions(+), 1 deletion(-)
 diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
 index 3cb65f1..2419cd7 100644
@@ -24,10 +24,25 @@ index 3cb65f1..2419cd7 100644
 /var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
-index 321bb13..2be355e 100644
+index 321bb13..4812d46 100644
 --- a/policy/modules/system/logging.if
 +++ b/policy/modules/system/logging.if
-@@ -626,6 +626,7 @@ interface(`logging_search_logs',`
+@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
+ #
+ interface(`logging_read_audit_log',`
+ gen_require(`
+- type auditd_log_t;
++ type auditd_log_t, var_log_t;
+ ')
+
+ files_search_var($1)
+ read_files_pattern($1, auditd_log_t, auditd_log_t)
+ allow $1 auditd_log_t:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ ')
+
+ ########################################
+@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
 files_search_var($1)
 allow $1 var_log_t:dir search_dir_perms;
@@ -35,7 +50,7 @@ index 321bb13..2be355e 100644
 ')
 #######################################
-@@ -663,6 +664,7 @@ interface(`logging_list_logs',`
+@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
 files_search_var($1)
 allow $1 var_log_t:dir list_dir_perms;
@@ -43,7 +58,7 @@ index 321bb13..2be355e 100644
 ')
 #######################################
-@@ -682,6 +684,7 @@ interface(`logging_rw_generic_log_dirs',`
+@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
 files_search_var($1)
 allow $1 var_log_t:dir rw_dir_perms;
@@ -51,7 +66,33 @@ index 321bb13..2be355e 100644
 ')
 #######################################
-@@ -843,6 +846,7 @@ interface(`logging_read_generic_logs',`
+@@ -756,10 +760,12 @@ interface(`logging_append_all_logs',`
+ interface(`logging_read_all_logs',`
+ gen_require(`
+ attribute logfile;
++ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ read_files_pattern($1, logfile, logfile)
+ ')
+
+@@ -778,10 +784,12 @@ interface(`logging_read_all_logs',`
+ interface(`logging_exec_all_logs',`
+ gen_require(`
+ attribute logfile;
++ type var_log_t;
+ ')
+
+ files_search_var($1)
+ allow $1 logfile:dir list_dir_perms;
++ allow $1 var_log_t:lnk_file read_lnk_file_perms;
+ can_exec($1, logfile)
+ ')
+
+@@ -843,6 +851,7 @@ interface(`logging_read_generic_logs',`
 files_search_var($1)
 allow $1 var_log_t:dir list_dir_perms;
@@ -59,7 +100,7 @@ index 321bb13..2be355e 100644
 read_files_pattern($1, var_log_t, var_log_t)
 ')
-@@ -863,6 +867,7 @@ interface(`logging_write_generic_logs',`
+@@ -863,6 +872,7 @@ interface(`logging_write_generic_logs',`
 files_search_var($1)
 allow $1 var_log_t:dir list_dir_perms;
@@ -67,7 +108,7 @@ index 321bb13..2be355e 100644
 write_files_pattern($1, var_log_t, var_log_t)
 ')
-@@ -901,6 +906,7 @@ interface(`logging_rw_generic_logs',`
+@@ -901,6 +911,7 @@ interface(`logging_rw_generic_logs',`
 files_search_var($1)
 allow $1 var_log_t:dir list_dir_perms;
@@ -75,7 +116,7 @@ index 321bb13..2be355e 100644
 rw_files_pattern($1, var_log_t, var_log_t)
 ')
-@@ -923,6 +929,7 @@ interface(`logging_manage_generic_logs',`
+@@ -923,6 +934,7 @@ interface(`logging_manage_generic_logs',`
 files_search_var($1)
 manage_files_pattern($1, var_log_t, var_log_t)
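Review bot: Only `logging_read_all_logs` and `logging_exec_all_logs` receive the `allow $1 var_log_t:lnk_file read_lnk_file_perms;` rule here, while `logging_append_all_logs`, named in the hint of the `+@@ -756,10 +760,12 @@` inner hunk, and any other `*_all_logs` interface whose callers traverse the same path presumably still lack it; it is worth confirming those callers do not hit the same denial. The added `type var_log_t;` lines in the two `gen_require` blocks are the right way to pull the type into scope. The same one-line rule is now repeated verbatim across ten interfaces in this patch, which is normal refpolicy style, but a short comment above each, recording why a read-files interface needs a symlink read (the patch title says `/var/log` is a symlink on this target), would stop a later cleanup from dropping them as redundant.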
@@ -83,6 +124,17 @@ index 321bb13..2be355e 100644
 ')
 ########################################
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index a3a25c2..a45c68e 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
+ manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
+ allow auditd_t var_log_t:dir search_dir_perms;
++allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
+
+ manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
+ manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 --
-1.7.5.4
-
+1.7.9.5
diff --git a/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch
new file mode 100644
index 0000000..bd76004
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy-2.20120725/poky-policy-fix-seutils-manage-config-files.patch
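Review bot: The `policy/modules/system/logging.te` diff appended here is not reflected in the patch's own diffstat, which the `@@ -8,8 +8,8 @@` hunk of this file rewrites to `2 files changed, 14 insertions(+), 1 deletion(-)` listing only `logging.fc` and `logging.if`. `git am` ignores the diffstat so the patch still applies, but anyone reading the file is told it touches two files when it touches three; the diffstat should gain `policy/modules/system/logging.te | 1 +` and read `3 files changed, 15 insertions(+), 1 deletion(-)`. The rule itself, `allow auditd_t var_log_t:lnk_file read_lnk_file_perms;`, is read-only and sits next to the existing `var_log_t:dir search_dir_perms` grant for the same domain, so it does not widen auditd_t beyond the path it already traverses.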
@@ -0,0 +1,39 @@
+Subject: [PATCH] refpolicy: fix selinux utils to manage config files
+
+Upstream-Status: Pending
+
+Signed-off-by: Xin Ouyang
+---
+ policy/modules/system/selinuxutil.if | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/policy/modules/system/selinuxutil.if b/policy/modules/system/selinuxutil.if
+index 3822072..db03ca1 100644
+--- a/policy/modules/system/selinuxutil.if
++++ b/policy/modules/system/selinuxutil.if
+@@ -680,6 +680,7 @@ interface(`seutil_manage_config',`
+ ')
+
+ files_search_etc($1)
++ manage_dirs_pattern($1, selinux_config_t, selinux_config_t)
+ manage_files_pattern($1, selinux_config_t, selinux_config_t)
+ read_lnk_files_pattern($1, selinux_config_t, selinux_config_t)
+ ')
+diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
+index e720dcd..6b6a5b3 100644
+--- a/policy/modules/system/userdomain.if
++++ b/policy/modules/system/userdomain.if
+@@ -1235,6 +1235,10 @@ template(`userdom_security_admin_template',`
+ logging_read_audit_config($1)
+
+ seutil_manage_bin_policy($1)
++ seutil_manage_default_contexts($1)
++ seutil_manage_file_contexts($1)
++ seutil_manage_module_store($1)
++ seutil_manage_config($1)
+ seutil_run_checkpolicy($1, $2)
+ seutil_run_loadpolicy($1, $2)
+ seutil_run_semanage($1, $2)
+--
+1.7.9.5
+
diff --git a/recipes-security/refpolicy/refpolicy_2.20120725.inc b/recipes-security/refpolicy/refpolicy_2.20120725.inc
index ec8b5bf..20f4795 100644
--- a/recipes-security/refpolicy/refpolicy_2.20120725.inc
+++ b/recipes-security/refpolicy/refpolicy_2.20120725.inc
@@ -31,6 +31,7 @@ SRC_URI += "file://poky-policy-add-syslogd_t-to-trusted-object.patch \
 # Other policy fixes
 SRC_URI += "file://poky-policy-fix-xconsole_device_t-as-a-dev_node.patch \
+ file://poky-policy-fix-seutils-manage-config-files.patch \
 file://poky-policy-fix-nfsd_t.patch \
 "
--
cgit v1.2.3-54-g00ecf
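Review bot: The new `manage_dirs_pattern($1, selinux_config_t, selinux_config_t)` line in `seutil_manage_config` widens every existing caller of that interface, not only the `userdom_security_admin_template` callers added in this file's second inner hunk; confirm that is intended, and update the interface's `## <summary>` block, which sits above the `@@ -680,6 +680,7 @@` hunk and outside it, to say it now manages directories as well as files. The file's own diffstat is already stale: it lists only `policy/modules/system/selinuxutil.if | 1 +` and `1 file changed, 1 insertion(+)` while the patch also adds four lines to `policy/modules/system/userdomain.if`, so it should read `2 files changed, 5 insertions(+)`. A body line under the `Subject:` stating which denials the change fixes would also help, since `seutil_manage_module_store($1)` lets the security-admin role rewrite the policy module store and a reviewer will want to see why that grant is needed alongside the existing `seutil_manage_bin_policy($1)`.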