mirror of
git://git.yoctoproject.org/meta-selinux
synced 2026-01-01 13:58:04 +00:00
refpolicy-git: Update to lastest git version
Signed-off-by: Mark Hatle <mark.hatle@windriver.com>
This commit is contained in:
Mark Hatle
parent
2c7c0e957f
commit
8bd72dfb5a
|
|
@ -15,26 +15,19 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
policy/modules/system/logging.te | 1 +
|
||||
2 files changed, 5 insertions(+)
|
||||
|
||||
--- a/policy/modules/system/logging.fc
|
||||
+++ b/policy/modules/system/logging.fc
|
||||
@@ -1,12 +1,14 @@
|
||||
/dev/log -s gen_context(system_u:object_r:devlog_t,mls_systemhigh)
|
||||
Index: refpolicy/policy/modules/system/logging.fc
|
||||
===================================================================
|
||||
--- refpolicy.orig/policy/modules/system/logging.fc
|
||||
+++ refpolicy/policy/modules/system/logging.fc
|
||||
@@ -2,6 +2,7 @@
|
||||
|
||||
/etc/rsyslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/syslog.conf gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
+/etc/syslog.conf\.sysklogd gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/rsyslog.d(/.*)? gen_context(system_u:object_r:syslog_conf_t,s0)
|
||||
/etc/audit(/.*)? gen_context(system_u:object_r:auditd_etc_t,mls_systemhigh)
|
||||
/etc/rc\.d/init\.d/auditd -- gen_context(system_u:object_r:auditd_initrc_exec_t,s0)
|
||||
/etc/rc\.d/init\.d/rsyslog -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
|
||||
+/etc/rc\.d/init\.d/syslog\.sysklogd -- gen_context(system_u:object_r:syslogd_initrc_exec_t,s0)
|
||||
|
||||
/usr/bin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
|
||||
/usr/bin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
|
||||
/usr/bin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
|
||||
/usr/bin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
|
||||
@@ -27,14 +29,16 @@
|
||||
/usr/sbin/audispd -- gen_context(system_u:object_r:audisp_exec_t,s0)
|
||||
/usr/sbin/audisp-remote -- gen_context(system_u:object_r:audisp_remote_exec_t,s0)
|
||||
@@ -30,10 +31,12 @@
|
||||
/usr/sbin/auditctl -- gen_context(system_u:object_r:auditctl_exec_t,s0)
|
||||
/usr/sbin/auditd -- gen_context(system_u:object_r:auditd_exec_t,s0)
|
||||
/usr/sbin/klogd -- gen_context(system_u:object_r:klogd_exec_t,s0)
|
||||
|
|
@ -47,19 +40,15 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
/usr/sbin/syslog-ng -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
/usr/sbin/syslogd -- gen_context(system_u:object_r:syslogd_exec_t,s0)
|
||||
|
||||
/var/lib/misc/syslog-ng.persist-? -- gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
||||
/var/lib/syslog-ng(/.*)? gen_context(system_u:object_r:syslogd_var_lib_t,s0)
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -390,10 +390,11 @@ allow syslogd_t self:unix_dgram_socket s
|
||||
allow syslogd_t self:fifo_file rw_fifo_file_perms;
|
||||
allow syslogd_t self:udp_socket create_socket_perms;
|
||||
Index: refpolicy/policy/modules/system/logging.te
|
||||
===================================================================
|
||||
--- refpolicy.orig/policy/modules/system/logging.te
|
||||
+++ refpolicy/policy/modules/system/logging.te
|
||||
@@ -396,6 +396,7 @@ allow syslogd_t self:udp_socket create_s
|
||||
allow syslogd_t self:tcp_socket create_stream_socket_perms;
|
||||
|
||||
allow syslogd_t syslog_conf_t:file read_file_perms;
|
||||
+allow syslogd_t syslog_conf_t:lnk_file read_file_perms;
|
||||
allow syslogd_t syslog_conf_t:dir list_dir_perms;
|
||||
|
||||
# Create and bind to /dev/log or /var/run/log.
|
||||
allow syslogd_t devlog_t:sock_file manage_sock_file_perms;
|
||||
files_pid_filetrans(syslogd_t, devlog_t, sock_file)
|
||||
init_pid_filetrans(syslogd_t, devlog_t, sock_file, "dev-log")
|
||||
|
|
|
|||
|
|
@ -16,11 +16,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
policy/modules/system/logging.te | 1 +
|
||||
3 files changed, 15 insertions(+), 1 deletion(-)
|
||||
|
||||
--- a/policy/modules/system/logging.fc
|
||||
+++ b/policy/modules/system/logging.fc
|
||||
@@ -51,10 +51,11 @@ ifdef(`distro_suse', `
|
||||
|
||||
/var/axfrdns/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
Index: refpolicy/policy/modules/system/logging.fc
|
||||
===================================================================
|
||||
--- refpolicy.orig/policy/modules/system/logging.fc
|
||||
+++ refpolicy/policy/modules/system/logging.fc
|
||||
@@ -53,6 +53,7 @@ ifdef(`distro_suse', `
|
||||
/var/dnscache/log/main(/.*)? gen_context(system_u:object_r:var_log_t,s0)
|
||||
|
||||
/var/log -d gen_context(system_u:object_r:var_log_t,s0-mls_systemhigh)
|
||||
|
|
@ -28,32 +28,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
/var/log/.* gen_context(system_u:object_r:var_log_t,s0)
|
||||
/var/log/boot\.log -- gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/messages[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/secure[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
/var/log/maillog[^/]* gen_context(system_u:object_r:var_log_t,mls_systemhigh)
|
||||
--- a/policy/modules/system/logging.if
|
||||
+++ b/policy/modules/system/logging.if
|
||||
@@ -134,16 +134,17 @@ interface(`logging_set_audit_parameters'
|
||||
## </param>
|
||||
## <rolecap/>
|
||||
#
|
||||
interface(`logging_read_audit_log',`
|
||||
gen_require(`
|
||||
- type auditd_log_t;
|
||||
+ type auditd_log_t, var_log_t;
|
||||
')
|
||||
|
||||
files_search_var($1)
|
||||
read_files_pattern($1, auditd_log_t, auditd_log_t)
|
||||
allow $1 auditd_log_t:dir list_dir_perms;
|
||||
+ allow $1 var_log_t:lnk_file read_lnk_file_perms;
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## Execute auditctl in the auditctl domain.
|
||||
@@ -950,14 +951,16 @@ interface(`logging_append_all_inherited_
|
||||
## <rolecap/>
|
||||
#
|
||||
Index: refpolicy/policy/modules/system/logging.if
|
||||
===================================================================
|
||||
--- refpolicy.orig/policy/modules/system/logging.if
|
||||
+++ refpolicy/policy/modules/system/logging.if
|
||||
@@ -945,10 +945,12 @@ interface(`logging_append_all_inherited_
|
||||
interface(`logging_read_all_logs',`
|
||||
gen_require(`
|
||||
attribute logfile;
|
||||
|
|
@ -66,11 +45,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
read_files_pattern($1, logfile, logfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -972,14 +975,16 @@ interface(`logging_read_all_logs',`
|
||||
# cjp: not sure why this is needed. This was added
|
||||
# because of logrotate.
|
||||
@@ -967,10 +969,12 @@ interface(`logging_read_all_logs',`
|
||||
interface(`logging_exec_all_logs',`
|
||||
gen_require(`
|
||||
attribute logfile;
|
||||
|
|
@ -83,11 +58,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
can_exec($1, logfile)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -1077,10 +1082,11 @@ interface(`logging_read_generic_logs',`
|
||||
type var_log_t;
|
||||
')
|
||||
@@ -1072,6 +1076,7 @@ interface(`logging_read_generic_logs',`
|
||||
|
||||
files_search_var($1)
|
||||
allow $1 var_log_t:dir list_dir_perms;
|
||||
|
|
@ -95,11 +66,7 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
read_files_pattern($1, var_log_t, var_log_t)
|
||||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
@@ -1159,10 +1165,11 @@ interface(`logging_manage_generic_logs',
|
||||
type var_log_t;
|
||||
')
|
||||
@@ -1173,6 +1178,7 @@ interface(`logging_manage_generic_logs',
|
||||
|
||||
files_search_var($1)
|
||||
manage_files_pattern($1, var_log_t, var_log_t)
|
||||
|
|
@ -107,13 +74,11 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
')
|
||||
|
||||
########################################
|
||||
## <summary>
|
||||
## All of the rules required to administrate
|
||||
--- a/policy/modules/system/logging.te
|
||||
+++ b/policy/modules/system/logging.te
|
||||
@@ -153,10 +153,11 @@ allow auditd_t auditd_etc_t:file read_fi
|
||||
|
||||
manage_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
||||
Index: refpolicy/policy/modules/system/logging.te
|
||||
===================================================================
|
||||
--- refpolicy.orig/policy/modules/system/logging.te
|
||||
+++ refpolicy/policy/modules/system/logging.te
|
||||
@@ -159,6 +159,7 @@ manage_files_pattern(auditd_t, auditd_lo
|
||||
allow auditd_t auditd_log_t:dir setattr;
|
||||
manage_lnk_files_pattern(auditd_t, auditd_log_t, auditd_log_t)
|
||||
allow auditd_t var_log_t:dir search_dir_perms;
|
||||
|
|
@ -121,5 +86,3 @@ Signed-off-by: Joe MacDonald <joe_macdonald@mentor.com>
|
|||
|
||||
manage_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
|
||||
manage_sock_files_pattern(auditd_t, auditd_var_run_t, auditd_var_run_t)
|
||||
files_pid_filetrans(auditd_t, auditd_var_run_t, { file sock_file })
|
||||
|
||||
|
|
|
|||
|
|
@ -1,3 +1,5 @@
|
|||
PV = "2.20170805+git${SRCPV}"
|
||||
|
||||
SRC_URI = "git://github.com/TresysTechnology/refpolicy.git;protocol=git;branch=master;name=refpolicy;destsuffix=refpolicy"
|
||||
SRC_URI += "git://github.com/TresysTechnology/refpolicy-contrib.git;protocol=git;branch=master;name=refpolicy-contrib;destsuffix=refpolicy/policy/modules/contrib"
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user