From 0dbf1bdc02cdcb38b5a57fad351adeff8d12b66d Mon Sep 17 00:00:00 2001
From: Yi Zhao
Date: Thu, 6 Jun 2024 14:14:34 +0800
Subject: [PATCH] refpolicy: fixes for auditctl and rsyslog

* Allow auditctl to read symlink of var/log directory.
* Grant getpcap capability to syslogd_t.

Signed-off-by: Yi Zhao
Signed-off-by: Joe MacDonald
---
 ...ystem-logging-fix-auditd-startup-fai.patch | 20 +++++++---
 ...ystem-logging-grant-getpcap-capabili.patch | 38 +++++++++++++++++++
 .../refpolicy/refpolicy_common.inc | 1 +
 3 files changed, 53 insertions(+), 6 deletions(-)
 create mode 100644 recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch

diff --git a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
index e9e717b..6ad2475 100644
--- a/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
+++ b/recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch
@@ -1,4 +1,4 @@
-From d7dfe01114f9a1449ce2efd792ddf4b18fe91a45 Mon Sep 17 00:00:00 2001
+From 5b33f07f60b20eb6e07ea3f517c43a539ee21332 Mon Sep 17 00:00:00 2001
 From: Xin Ouyang
 Date: Thu, 22 Aug 2013 13:37:23 +0800
 Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
@@ -13,14 +13,22 @@ Upstream-Status: Inappropriate [embedded specific]
 Signed-off-by: Xin Ouyang
 Signed-off-by: Yi Zhao
 ---
- policy/modules/system/logging.te | 2 ++
- 1 file changed, 2 insertions(+)
+ policy/modules/system/logging.te | 3 +++
+ 1 file changed, 3 insertions(+)
 
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 45584dba6..8bc70b81d 100644
+index 45584dba6..4fb2fb63c 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map;
+@@ -117,6 +117,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+ 
+ read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+ allow auditctl_t auditd_etc_t:dir list_dir_perms;
++allow auditctl_t var_log_t:lnk_file read_lnk_file_perms;
+ dontaudit auditctl_t auditd_etc_t:file map;
+ 
+ corecmd_search_bin(auditctl_t)
+@@ -177,6 +178,7 @@ dontaudit auditd_t auditd_etc_t:file map;
  manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
  allow auditd_t auditd_log_t:dir setattr;
  manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
@@ -28,7 +36,7 @@ index 45584dba6..8bc70b81d 100644
  allow auditd_t var_log_t:dir search_dir_perms;
  
  manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
-@@ -306,6 +307,7 @@ optional_policy(`
+@@ -306,6 +308,7 @@ optional_policy(`
  allow audisp_remote_t self:capability { setpcap setuid };
  allow audisp_remote_t self:process { getcap setcap };
  allow audisp_remote_t self:tcp_socket create_socket_perms;
diff --git a/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch
new file mode 100644
index 0000000..5c2e789
--- /dev/null
+++ b/recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch
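Review bot: The new `allow auditctl_t var_log_t:lnk_file read_lnk_file_perms;` line in the inner `@@ -117` hunk is added with no recorded AVC denial and no comment, unlike the 0057 patch next to it, and because it is folded into the 2013 "fix auditd startup failures" patch (0031) only that inner commit's diffstat changes — its message never mentions auditctl or a symlink, so the motivation is lost. Put the reason in the policy, e.g. `# /var/log is itself a symlink on this image (presumably to volatile storage); auditctl must follow it -- TODO confirm against the AVC`, and either extend the 0031 description with the denial line or move the rule into its own numbered patch so it can be traced. Following the link alone only works if auditctl_t can also search the var_log_t directory it resolves to; that is not granted here, and the rest of the auditctl_t block in logging.te lies outside this hunk, so verify it is covered elsewhere.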
@@ -0,0 +1,38 @@
+From f48edb588d799a7aab9110e4f67468d8e5e41c10 Mon Sep 17 00:00:00 2001
+From: Yi Zhao
+Date: Tue, 28 May 2024 11:21:48 +0800
+Subject: [PATCH] policy/modules/system/logging: grant getpcap capability to
+ syslogd_t
+
+The rsyslog is configured with --enable-libpcap which requires getpcap
+capability.
+
+Fixes:
+avc: denied { setpcap } for pid=317 comm="rsyslogd" capability=8
+scontext=system_u:system_r:syslogd_t:s15:c0.c1023
+tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 tclass=capability
+permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 511604493..9c0a58aef 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -404,6 +404,8 @@ optional_policy(`
+ # sys_admin for the integrated klog of syslog-ng and metalog
+ # sys_nice for rsyslog
+ allow syslogd_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
++# Rsyslog configures with --enable-libcap-ng
++allow syslogd_t self:capability setpcap;
+ dontaudit syslogd_t self:capability { sys_ptrace };
+ dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
+ # setpgid for metalog
+-- 
+2.25.1
+
diff --git a/recipes-security/refpolicy/refpolicy_common.inc b/recipes-security/refpolicy/refpolicy_common.inc
index 000fb3c..05dca2c 100644
--- a/recipes-security/refpolicy/refpolicy_common.inc
+++ b/recipes-security/refpolicy/refpolicy_common.inc
@@ -72,6 +72,7 @@ SRC_URI += " \
 file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
 file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
 file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+ file://0057-policy-modules-system-logging-grant-getpcap-capabili.patch \
 "
 
 S = "${WORKDIR}/refpolicy"
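Review bot: The subject and body of the new 0057 patch describe a capability that does not exist, `getpcap`, and a build switch, `--enable-libpcap`, that does not match the rule, while the quoted AVC and the inline comment both say `setpcap` and `--enable-libcap-ng`; anyone searching the policy history for this denial will not find it from the description. Rewrite the header to match the rule, e.g. `Subject: [PATCH] policy/modules/system/logging: grant setpcap capability to syslogd_t` and `rsyslog is built with --enable-libcap-ng, which presumably needs CAP_SETPCAP to drop capabilities at startup`; the same wrong word is in the outer commit message, the patch file name and the refpolicy_common.inc entry, so correct them together. The sibling audisp_remote_t block in this file pairs `self:capability setpcap` with `self:process { getcap setcap }`, and the AVC here was captured with permissive=1; if the syslogd_t block (its start is outside this hunk) does not already grant `self:process setcap`, applying the reduced capability set may still be refused once the policy is enforcing, so check that before relying on this single allow.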