refpolicy: fixes for auditctl and rsyslog

* Allow auditctl to read symlink of var/log directory.
* Grant getpcap capability to syslogd_t.

Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: Joe MacDonald <joe.macdonald@siemens.com>

recipes-security/refpolicy/refpolicy/0031-policy-modules-system-logging-fix-auditd-startup-fai.patch

@@ -1,4 +1,4 @@
-From d7dfe01114f9a1449ce2efd792ddf4b18fe91a45 Mon Sep 17 00:00:00 2001
+From 5b33f07f60b20eb6e07ea3f517c43a539ee21332 Mon Sep 17 00:00:00 2001
 From: Xin Ouyang <Xin.Ouyang@windriver.com>
 Date: Thu, 22 Aug 2013 13:37:23 +0800
 Subject: [PATCH] policy/modules/system/logging: fix auditd startup failures
@@ -13,14 +13,22 @@ Upstream-Status: Inappropriate [embedded specific]
 Signed-off-by: Xin Ouyang <Xin.Ouyang@windriver.com>
 Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
 ---
- policy/modules/system/logging.te | 2 ++
- 1 file changed, 2 insertions(+)
+ policy/modules/system/logging.te | 3 +++
+ 1 file changed, 3 insertions(+)
 
 diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
-index 45584dba6..8bc70b81d 100644
+index 45584dba6..4fb2fb63c 100644
 --- a/policy/modules/system/logging.te
 +++ b/policy/modules/system/logging.te
-@@ -177,6 +177,7 @@ dontaudit auditd_t auditd_etc_t:file map;
+@@ -117,6 +117,7 @@ allow auditctl_t self:netlink_audit_socket nlmsg_readpriv;
+ 
+ read_files_pattern(auditctl_t, auditd_etc_t, auditd_etc_t)
+ allow auditctl_t auditd_etc_t:dir list_dir_perms;
++allow auditctl_t var_log_t:lnk_file read_lnk_file_perms;
+ dontaudit auditctl_t auditd_etc_t:file map;
+ 
+ corecmd_search_bin(auditctl_t)
+@@ -177,6 +178,7 @@ dontaudit auditd_t auditd_etc_t:file map;
  manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
  allow auditd_t auditd_log_t:dir setattr;
  manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
@@ -28,7 +36,7 @@ index 45584dba6..8bc70b81d 100644
  allow auditd_t var_log_t:dir search_dir_perms;
  
  manage_files_pattern(auditd_t, auditd_runtime_t, auditd_runtime_t)
-@@ -306,6 +307,7 @@ optional_policy(`
+@@ -306,6 +308,7 @@ optional_policy(`
  allow audisp_remote_t self:capability { setpcap setuid };
  allow audisp_remote_t self:process { getcap setcap };
  allow audisp_remote_t self:tcp_socket create_socket_perms;

recipes-security/refpolicy/refpolicy/0057-policy-modules-system-logging-grant-getpcap-capabili.patch

@@ -0,0 +1,38 @@
+From f48edb588d799a7aab9110e4f67468d8e5e41c10 Mon Sep 17 00:00:00 2001
+From: Yi Zhao <yi.zhao@windriver.com>
+Date: Tue, 28 May 2024 11:21:48 +0800
+Subject: [PATCH] policy/modules/system/logging: grant getpcap capability to
+ syslogd_t
+
+The rsyslog is configured with --enable-libpcap which requires getpcap
+capability.
+
+Fixes:
+avc: denied { setpcap } for pid=317 comm="rsyslogd" capability=8
+scontext=system_u:system_r:syslogd_t:s15:c0.c1023
+tcontext=system_u:system_r:syslogd_t:s15:c0.c1023 tclass=capability
+permissive=1
+
+Upstream-Status: Inappropriate [embedded specific]
+
+Signed-off-by: Yi Zhao <yi.zhao@windriver.com>
+---
+ policy/modules/system/logging.te | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
+index 511604493..9c0a58aef 100644
+--- a/policy/modules/system/logging.te
++++ b/policy/modules/system/logging.te
+@@ -404,6 +404,8 @@ optional_policy(`
+ # sys_admin for the integrated klog of syslog-ng and metalog
+ # sys_nice for rsyslog
+ allow syslogd_t self:capability { chown dac_override fsetid setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
++# Rsyslog configures with --enable-libcap-ng
++allow syslogd_t self:capability setpcap;
+ dontaudit syslogd_t self:capability { sys_ptrace };
+ dontaudit syslogd_t self:cap_userns { kill sys_ptrace };
+ # setpgid for metalog
+-- 
+2.25.1
+

recipes-security/refpolicy/refpolicy_common.inc

@@ -72,6 +72,7 @@ SRC_URI += " \
         file://0054-policy-modules-system-setrans-allow-setrans_t-use-fd.patch \
         file://0055-policy-modules-system-systemd-make-_systemd_t-MLS-tr.patch \
         file://0056-policy-modules-system-logging-make-syslogd_runtime_t.patch \
+        file://0057-policy-modules-system-logging-grant-getpcap-capabili.patch \
         "
 
 S = "${WORKDIR}/refpolicy"