Subject: [PATCH] add rules for the symlink of /var/log

/var/log is a symlink in poky, so we need allow rules for files to read
lnk_file while doing search/list/delete/rw.. in /var/log/ directory.

Upstream-Status: Inappropriate [only for Poky]

Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
---
 policy/modules/system/logging.fc |    1 +
 policy/modules/system/logging.if |   14 +++++++++++++-
 2 files changed, 14 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/logging.fc b/policy/modules/system/logging.fc
index 3cb65f1..2419cd7 100644
--- a/policy/modules/system/logging.fc
+++ b/policy/modules/system/logging.fc
@@ -41,6 +41,7 @@ ifdef(`distro_suse', `
 /var/cfengine/outputs(/.*)?	gen_context(system_u:object_r:var_log_t,s0)
 
 /var/log		-d	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
+/var/log		-l	gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
 /var/log/.*			gen_context(system_u:object_r:var_log_t,s0)
 /var/log/boot\.log	--	gen_context(system_u:object_r:var_log_t,mls_systemhigh)
 /var/log/messages[^/]*		gen_context(system_u:object_r:var_log_t,mls_systemhigh)
diff --git a/policy/modules/system/logging.if b/policy/modules/system/logging.if
index 321bb13..4812d46 100644
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -136,12 +136,13 @@ interface(`logging_set_audit_parameters',`
 #
 interface(`logging_read_audit_log',`
 	gen_require(`
-		type auditd_log_t;
+		type auditd_log_t, var_log_t;
 	')
 
 	files_search_var($1)
 	read_files_pattern($1, auditd_log_t, auditd_log_t)
 	allow $1 auditd_log_t:dir list_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
@@ -626,6 +627,7 @@ interface(`logging_search_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir search_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 #######################################
@@ -663,6 +665,7 @@ interface(`logging_list_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 #######################################
@@ -682,6 +685,7 @@ interface(`logging_rw_generic_log_dirs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir rw_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 #######################################
@@ -756,10 +760,12 @@ interface(`logging_append_all_logs',`
 interface(`logging_read_all_logs',`
 	gen_require(`
 		attribute logfile;
+		type var_log_t;
 	')
 
 	files_search_var($1)
 	allow $1 logfile:dir list_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 	read_files_pattern($1, logfile, logfile)
 ')
 
@@ -778,10 +784,12 @@ interface(`logging_read_all_logs',`
 interface(`logging_exec_all_logs',`
 	gen_require(`
 		attribute logfile;
+		type var_log_t;
 	')
 
 	files_search_var($1)
 	allow $1 logfile:dir list_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 	can_exec($1, logfile)
 ')
 
@@ -843,6 +851,7 @@ interface(`logging_read_generic_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 	read_files_pattern($1, var_log_t, var_log_t)
 ')
 
@@ -863,6 +872,7 @@ interface(`logging_write_generic_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 	write_files_pattern($1, var_log_t, var_log_t)
 ')
 
@@ -901,6 +911,7 @@ interface(`logging_rw_generic_logs',`
 
 	files_search_var($1)
 	allow $1 var_log_t:dir list_dir_perms;
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 	rw_files_pattern($1, var_log_t, var_log_t)
 ')
 
@@ -923,6 +934,7 @@ interface(`logging_manage_generic_logs',`
 
 	files_search_var($1)
 	manage_files_pattern($1, var_log_t, var_log_t)
+	allow $1 var_log_t:lnk_file read_lnk_file_perms;
 ')
 
 ########################################
diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index a3a25c2..a45c68e 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -139,6 +139,7 @@ allow auditd_t auditd_etc_t:file read_file_perms;
 manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
 allow auditd_t var_log_t:dir search_dir_perms;
+allow auditd_t var_log_t:lnk_file read_lnk_file_perms;
 
 manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
 manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
-- 
1.7.9.5