From 776da889b550ac9e5be414a8cc10fd86b1923264 Mon Sep 17 00:00:00 2001 From: Joe MacDonald Date: Mon, 8 Apr 2019 13:50:40 -0400 Subject: refpolicy: update to 2.20190201 and git HEAD policies Additionally, the README has fallen out of date, update it to reflect the current reality of layer dependencies. Signed-off-by: Joe MacDonald --- ...inimum-audit-logging-getty-audit-related-.patch | 68 ++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch (limited to 'recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch') diff --git a/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch new file mode 100644 index 0000000..f92ddb8 --- /dev/null +++ b/recipes-security/refpolicy/refpolicy-2.20190201/0001-refpolicy-minimum-audit-logging-getty-audit-related-.patch @@ -0,0 +1,68 @@ +From aa79b5e7803232a4e57e2cf60613f6fb7dcfc025 Mon Sep 17 00:00:00 2001 +From: Shrikant Bobade +Date: Fri, 26 Aug 2016 17:51:44 +0530 +Subject: [PATCH 1/9] refpolicy-minimum: audit: logging: getty: audit related + allow rules + +add allow rules for audit.log file & resolve dependent avc denials. + +without this change we are getting audit avc denials mixed into bootlog & +audit other avc denials. + +audit: type=1400 audit(): avc: denied { getattr } for pid=217 comm="mount" +name="/" dev="proc" ino=1 scontext=system_u:system_r:mount_t:s0 tcontext=system_0 +audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" +path="/run/systemd/journal/dev-log" scontext=sy0 +audit: type=1400 audit(): avc: denied { sendto } for pid=310 comm="klogd" +path="/run/systemd/journal/dev-log" scontext=system_u:system_r:klogd_t:s0 +audit(): avc: denied { open } for pid=540 comm="agetty" path="/var/ +volatile/log/wtmp" dev="tmpfs" ino=9536 scontext=system_u:system_r:getty_t +:s0 tcontext=system_u:object_r:tmpfs_t:s0 tclass=file permissive=0 + +Upstream-Status: Pending + +Signed-off-by: Shrikant Bobade +Signed-off-by: Joe MacDonald +--- + policy/modules/system/getty.te | 3 +++ + policy/modules/system/logging.te | 8 ++++++++ + 2 files changed, 11 insertions(+) + +diff --git a/policy/modules/system/getty.te b/policy/modules/system/getty.te +index 6d3c4284..423db0cc 100644 +--- a/policy/modules/system/getty.te ++++ b/policy/modules/system/getty.te +@@ -129,3 +129,6 @@ optional_policy(` + optional_policy(` + udev_read_db(getty_t) + ') ++ ++allow getty_t tmpfs_t:dir search; ++allow getty_t tmpfs_t:file { open write lock }; +diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te +index 63e92a8e..8ab46925 100644 +--- a/policy/modules/system/logging.te ++++ b/policy/modules/system/logging.te +@@ -249,6 +249,7 @@ allow audisp_t self:unix_stream_socket create_stream_socket_perms; + allow audisp_t self:unix_dgram_socket create_socket_perms; + + allow audisp_t auditd_t:unix_stream_socket rw_socket_perms; ++allow audisp_t initrc_t:unix_dgram_socket sendto; + + manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t) + files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file) +@@ -620,3 +621,10 @@ optional_policy(` + # log to the xconsole + xserver_rw_console(syslogd_t) + ') ++ ++ ++allow auditd_t tmpfs_t:file { getattr setattr create open read append }; ++allow auditd_t tmpfs_t:dir { open read search add_name write getattr search }; ++allow auditd_t initrc_t:unix_dgram_socket sendto; ++ ++allow klogd_t initrc_t:unix_dgram_socket sendto; +\ No newline at end of file +-- +2.19.1 + -- cgit v1.2.3-54-g00ecf